Phishing, smishing, vishing... Outside of haunting CISOs day and night, what’s the difference? Well, phishing can be considered the parent of them all. It involves sending targeted email messages to trick recipients. Phish sounds just like fish, and there’s a reason for that: the analogy of an angler throwing a baited hook out there (the phishing email) and hoping the recipient bites.
Now the etymology of the word phishing… The term arose in the mid-1990s among hackers aiming to trick AOL users into giving up their login information. The “ph” is part of a tradition of whimsical hacker spelling, and was probably influenced by the term “phreaking,” short for “phone phreaking,” an early form of hacking that involved playing sound tones into telephone handsets to get free phone calls. We’ve already talked about phishing attacks in previous blogs, so it’s now time to dive into the world of vishing attacks...
Vishing: A New Type of Threat
The FBI has issued a warning about a new type of attack known as vishing which stands for voice phishing. Criminals use vishing techniques to obtain employees’ login credentials and other sensitive information over the phone. Although this type of attack may seem low tech, criminals often use advanced voice simulations and information stolen from previous cyber attacks. These attacks often exploit network misconfigurations and the access privileges of remote employees.
Specifically, the FBI issued a Private Industry Notification (PIN) to warn that these criminals are using chat rooms and vishing techniques to leverage social engineering attacks against employees. In these attacks, criminals are trying to obtain employee credentials like login information.
Some of these cybercriminals have used Voice over Internet Protocol (VOIP) platforms which use voice to create a digital signal that can make calls from data-driven devices like computers or a VoIP phone, which makes them difficult for law enforcement officers to trace.
In a statement, the FBI said, “During the phone calls, employees were tricked into logging into a phishing webpage to capture the employee’s username and password. After gaining access to the network, many cybercriminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage.”
By phishing employees on official chat rooms, these cybercriminals convinced their victims to login onto false VPN pages. The criminals used these compromised credentials to login onto the company’s VPN to find users with higher access credentials.
Vishing: A Few Statistics
To better grasp what the volume of vishing attacks represent, I’d like to share with you a few statistics from the 2019 Scam Call Trends and Projections Report:
- Over 28 percent of all scam calls targeted victims using personal data.
- 75 percent of all scam victims were called by scammers who already had their personal information.
- Nearly 1 in 3 people who experienced a loss of at least $1,000 thought they were answering a call from a business they knew.
- 39 percent of victims said the scammers knew their home address.
- 75 percent of scam victims reported that the scam callers were able to verify all or part of their social security number.
Vishing Also Impacts Consumers
Vishing attacks are also very common on the consumer side. These can either start as “war dialing” as many potential victims as possible, or focusing on one particular, high value potential victim. One example is hackers stealing financial information from bank customers. Some victims are targeted because their information was leaked elsewhere, such as in the 2017 Equifax data breach.
Scammers will often use a socially engineered situation to create an urgent problem, like a “compromised debit card”, to get victims to give away information quickly. They exploit the fact that their victims are likely to trust a human voice. The first step for a hacker is to simply verify that a real person is actively using the phone number that they have. Once verified, increasingly personalized and aggressive tactics can be used. When a scammer has a real person on the line, they pretend to be an authority figure like a bank. Then, customers receive a text message claiming that there is a financial problem like a malfunctioning debit card. They then ask for a PIN and card number to reactivate it. If they actually obtain financial information, they might try to transfer funds to another country or city. If they get a credit card number, they’ll make as many purchases as they can before the account gets shut down.
FBI’s Mitigation Tips
The FBI offers several mitigation tips to reduce the risk of vishing attacks. Some of their tips include implementing multi-factor authentication (MFA), network segmentation, and issuing two administrator accounts. Also, it is important to be suspicious of any call that claims to be from an authoritative source that asks for money or sensitive information. If you receive one of these calls, independently seek out the contact information for the bank or government agency and call them to see if they were trying to reach you. Also, never pay with a gift card or wire transfer over the phone. These are common methods that vishers use to steal money from their victims.
Now, are those mitigation tips sufficient?
The Truth About 2FA and MFA
2FA and MFA are not entirely secure solutions, especially if they leverage passwords at any point during the authentication process. Remember that 81 percent of all data breaches are the consequence of password mismanagement. And the goal behind phishing and consequently vishing attacks is to obtain the victim’s login ID and password as an entry to compromise an entire system. So, passwords, which are the first authentication factor, can be stolen or lost. Second factors such as one-time emails, texts or tokens can also be intercepted or coerced from end-users. It is the same issue with a security key that can also be forgotten inside the pocket of a pair of jeans and run through the laundry. There are 2FA solutions that use device-based biometrics as a second factor of authentication. But Touch ID and Face ID do not prove a user's identity.
The Only Bulletproof Solution Against Vishing
There is the one logical and wise solution: Do NOT give your user ID and password over the phone to ANYONE. Actually, simply do not share your credentials. Do not write them down on any post-it you then stick on your computer monitor for everyone to see.
Beyond vishing, the only sustainable solution that can truly eradicate the risk of identity compromise and therefore data breach is to abandon the use of passwords.
Passwords do not prove the identity of a user and they are highly vulnerable.
Instead, to ensure that your employees and customers are who they say they are, when respectively accessing your systems and transacting online with your organization, you need to adopt a solution that combines indisputable digital identity proofing with advanced biometrics, passwordless authentication; and, cherry on top, that stores user data encrypted in a private, permissioned blockchain. Only then are you able to reach the highest levels of assurance and authentication assurance per the NIST SP 800-63-3 guidelines, or IAL3 and AAL3.