|The Vishing Guide : Whitepapers : Home|
||The Vishing Guide
A close look at voice phishing
Many of today’s widespread threats rely heavily on social engineering—techniques used to manipulate people into performing actions or divulging confidential information—to leverage and exploit technology weaknesses. For example, “phishing” is perhaps the most commonly exploited threat currently plaguing the Internet and its users. At one point, phishing referred exclusively to the use of e-mail to deliver messages whose purpose was to persuade recipients to visit a fake Web site designed to steal authentication details.
Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used—each with its own nuances and target audiences. The following threats are all subcategories of the phishing threat:
“Pharming” is the manipulation of Domain Name Server (DNS) records to redirect victims.
“Spear phishing” consists of highly targeted attacks.
“Smishing” uses Short Message Service (SMS) on mobile phones.
“Vishing” leverages Internet Protocol (IP)-based voice calling.
What is vishing?
Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward. The term “vishing” is derived from a combination of “voice” and “phishing.”
The use of landline telephony systems to persuade someone to perform unintended actions has existed since the birth of the telephone. Who didn’t make prank phone calls as a child? However, landline telephony services have traditionally terminated at a physical location known to the telephone company and could therefore be tracked back to a specific bill payer. The recent massive increase in IP telephony has meant that many telephone services can now start or terminate at a computer anywhere in the world. In addition, the cost of making a telephone call has dropped to a negligible amount.
This combination of factors has made it financially practical for Phishers to leverage VoIP in their attacks. Vishing is expected to have a much higher success rate than other phishing vectors because:
Although there are multiple vectors for the phisher to conduct a vishing attack, it is important to understand the types of data that are most easily gained by the attacker leveraging IP telephony services. Typically, numeric information is more easily submitted by the victim when responding to a vishing attack using a mobile handset.
The most valuable information to the phisher is likely to be:
IP telephony opens a number of unique doors to any malicious attacker but lends itself strongly toward phishing attacks because of its social and technological reach. In particular, the characteristics that make IP telephony appealing to a phisher include:
Vishing scams will often use automated systems to harvest victim data. The types of automated technologies available to phishers include the following:
The phisher can initiate a vishing attack using a variety of methods, each of which lends itself to a particular audience and exploit vector. The primary methods for delivering the initial socially engineered message include:
In some attack scenarios, victims receive an e-mail that invites, solicits or provides an incentive to call a phone number owned by the phisher. The e-mails are almost identical to the classic phishing attacks that instruct the message recipient to click on an embedded URL that takes the victim to a fake Web site to steal authentication credentials. However, in this case, the victim dials the number, and an automated voice prompts the caller to provide authentication information.
For example, the potential victim receives an e-mail such as the following:
We’ve noticed that there have been three unsuccessful attempts to access your account at Free Market Bank & Trust.
To secure your accounts and protect your private information. Free Market Bank & Trust has locked your account. We are committed to making sure that your online transactions are secure.
Please call us at 1-805-xxx-xxxx to verify your account and your identity.
Free Market Bank & Trust
Online Customer Service
The socially engineered victim then dials the number. He may hear something such as this: “Thank you for calling Free Market Bank and Trust. Your business is important to us. To help you reach the correct representative and answer your query fully, please press the appropriate number on your handset.” The victim is then presented with the following options:
At this stage, the phone call is dropped and the victim thinks there was something wrong with the service. Alternatively, the vishing attack may redirect the victim to the real customer service line and the victim is never aware that his authentication was appropriated by the phisher.
Mobile text messaging
Related closely to the Internet e-mail initiation vector, the phisher may also use small messages over mobile protocols such as SMS and Multimedia Messaging Service (MMS) to invite, solicit or provide an incentive to the potential victim to either phone a number or respond to the text message using SMS or MMS.
For example, the potential victim receives an SMS message such as the following, which instructs her to dial the phisher’s number:
Automatic credit watch alert! A new line of credit has been established for you at The Big Electronics Store[Well known store]. If this is an unauthorized application, please call 1-800-xxx-xxxx.
Alternatively, potential victims may receive an SMS message that seems to come from their mobile phone provider and instructs them to reply to the message with personal data. See the example below.
You have exceeded your monthly Universal Cell text messaging allotment. Text messages will now be charged at 50 cents per message. Reply to this text message with your online authorization code to send an additional 500 messages for only $2.
Using the MMS message format, the phisher can send a graphical or animated message, with appropriate business logos, to further entice the potential victim.
Whether by making use of classical war-dialing techniques or newer Session Initiation Protocol (SIP) queries, the phisher can quickly cycle through possible phone numbers or telephony end points to enumerate live numbers. Once enumerated, the phisher can easily send a prerecorded message to each phone, typically targeting a user’s voicemail inbox. Voicemail systems are targeted because message delivery scales more easily and requires less technical effort by the phisher.
The recorded nature of the voicemail lends itself toward messages that require immediate actions on behalf of the recipient. For example, the potential victim receives the following voicemail message:
Hello, this is Sharon at The Power Company. I am urgently trying to contact you to discuss your move to Los Angeles and confirm the closing of your account and your scheduled end of service. At the present time, all power to your address will be terminated at 9:00 p.m. tomorrow evening. Please call customer support at 1-800-xxx-xxxx to arrange for final bill payment.
Because the potential victim has no intention of moving and certainly does not wish to have his power turned off, he will call the number, at which time he will be asked to authenticate himself – perhaps using a credit card and PIN.
Left message – primary rate callback
With the “left message” vector, the phisher purposefully aims to reach the voicemail repository of the intended victim to leave a message. The message urges the recipient to phone the number left by the phisher. The number is configured to be a primary rate (or similar) service that, when dialed by the victim, generates charges that are billed to the victim and earn the phisher money.
Left message – exploit payload
Here the phisher purposefully aims to reach the voicemail repository of the intended victim to leave a specially constructed message. Because the technology used to receive and store voicemail messages is likely to be very different from the device an intended victim will use to play back the message, it is probable that specially constructed messages may be left that would exploit weaknesses in the play back technology without adversely affecting the voicemail storage device. Consequently, when the intended victim connects to her voicemail storage system and retrieves the message for playback, a vulnerability is exploited to allow the phisher to either take control of the device or cause it to perform actions not normally authorized by the victim.
The ability to mask or impersonate various caller IDs is particularly important to phishers. By changing caller ID data, they can help reinforce their social engineering story as well as make it more difficult to track the source of an attack. IP telephony services that allow Internet phones to use local dialing code “point of presence” (POP) exit points (i.e., a phone number within the same regional calling code) can similarly increase the success of an attack.
By merely leveraging this ability—as well as the ability to place an Internet call from anywhere in the world—the phisher can also conduct what could best be called “live” attacks. In a live attack, the phisher initiates the call to the potential victim, who then encounters an automated voice system that encourages him to supply personal information. To be successful, the phisher will either impersonate a well-known national entity (a major bank or retail chain) or a local business (a local radio station or government office) and use an appropriate caller ID.
As the cost of Internet calling falls even further, it will be financially viable for organized criminals to essentially build their own call centers to manually walk potential victims through the vishing scam. In other words, they will not be required to use a recorded message. Such a manual attack vector would likely have the highest success rates of all vishing scams.
Fraudulent live attacks can similarly use the social engineering aspects described in the previous sections of this paper but may be more successful by using more local, timely and interactive messages, such as the following:
Vishing will inevitably advance beyond the current range of attack vectors to constitute one component of a sophisticated and targeted attack. Consider the following:
Phishing has proven to be an extremely profitable business for criminals. As IP telephony services mature and market penetration expands, we can expect criminal organizations to more frequently adopt phishing techniques, and we can expect to see further evolution of the vishing threat.
Vishing will become an increasingly popular attack vector for phishers because of its ability to reach beyond the computer screen and target a broader range of potential victims and because it is a more effective platform for launching social engineering attacks. The historical trust that consumers have placed in telephony services—the assumption that the phone number calling the consumer can be traced back to a (local) billable address—will be fully leveraged by phishers for maximum profit gain.