Season 3 / Episode 189
Authentication has come a long way since the 1980s or 90s, but when it comes to phone calls we’re still in the Middle Ages. Vishing, or voice scams, are probably as old as the telephone itself, yet it is still very easy to impersonate someone over the phone or to spoof a phone call’s origin.
Rachel Tobac is a hacker and the CEO of SocialProof Security, where she helps people and companies keep their data safe by training and pen-testing them on social engineering risks. Rachel spoke with Nate Nelson, our Sr. producer, about vishing: how common it is, where attackers get the information they need to impersonate someone, and the many, many psychological tricks they can employ to fool the person on the other side of the call.
Hosted By
Ran Levi
Exec. Editor @ PI Media
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Rachel Tobac
CEO, SocialProof Security, Friendly Hacker
Rachel is a hacker and the CEO of SocialProof Security where she helps people and companies keep their data safe by training and pentesting them on social engineering risks. Rachel was also 2nd place winner of DEF CON's wild spectator sport, the Social Engineering Capture the Flag contest, 3 years in a row. Rachel has shared her real life social engineering stories with NPR, Last Week Tonight with John Oliver, The New York Times, Business Insider, CNN, NBC Nightly News with Lester Holt, Forbes and many more. In her remaining spare time, Rachel is the Chair of the Board for the nonprofit Women in Security and Privacy (WISP) where she works to advance women to lead in the fields.
Episode Transcript:
Transcription edited by @hakinadey
[Rachel] It doesn’t require me to have any technical access to anything that you own. It’s the least technical way of hacking, and it’s very scary.
[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Side. I’m Ran Levi.
With websites and apps, we have pretty robust security protocols: passwords, multi-factor authentication and these kinds of things. None of them are perfect, of course, but there’s no doubt that electronic authentication has come a long way since the 1980s or 90s. But when it comes to phone calls, says Rachel Tobac, our guest today, we’re still in the Middle Ages. Vishing, or voice scams, are probably as old as the telephone itself, yet it is still very easy to impersonate someone over the phone or spoof a phone call’s origin.
Rachel Tobac is a hacker and the CEO of SocialProof Security, where she helps people and companies keep their data safe by training and pen-testing them on social engineering risks. Rachel spoke with Nate Nelson, our senior producer, about vishing: how common it is, where attackers get the information they need to impersonate someone, and the many, many psychological tricks you can employ to fool the person on the other side of the line. Trust me, after you listen to this conversation, you’ll think twice, even three times, before answering a call from an unrecognized number.
Enjoy the interview.
[Nate] What is vishing?
[Rachel] Vishing is any time you are attacking somebody with your voice, so typically over the phone. Vishing typically happens within, say, a few-minute phone call where you call and convince somebody to pay an invoice that you sent them that isn’t real or legit. Convince them to download remote access software, go to a malicious URL, give out sensitive details, or change something like email or password or account details, like a phone number, so that they can perform account takeover.
[Nate] Is this a common type of attack? Because I don’t feel like I hear about it all that much.
[Rachel] I would say most people will probably get a vishing attack at some point in their life. We’re seeing them increase in frequency.
You as an individual, I would say, are also likely to, and you probably have received them. It’s just that the ones that you’ve received are pretty scammy and obvious. Your car warranty has expired. Call this number so that we can help you work through that. People get voicemails like that once a week at this point. That’s a vish. Now it’s probably not a vish you’re going to fall for, but you’ve probably received one.
[Nate] Then is there a more common kind of more dangerous vishing?
[Rachel] The vishing attacks that you’re more likely to receive are things like tech support scams. So somebody will say that they’re from Apple, Microsoft, Dell, Geek Squad: Hey, we got a report from your specific device. We have you on record here. We’re seeing that your device has an issue. We need to help you solve it.
This is something that hits everyday folks. So your best friend from high school, you, your parents, your aunt, those are the folks that are most likely to fall for these. We’ve seen this hit numerous folks within, even just, our trusted circle.
[Nate] What does falling for one of these look like?
[Rachel] They’re generally either letting them remote access into their phone or their computer to, quote, fix the virus, which of course doesn’t exist; gaining access to be able to exfiltrate files, get sensitive details, data, things that could be used for blackmail, et cetera; or they’re just looking to get paid. You know, hey, send me $125 so I can fix this virus for you. Very common. So that’s something that you’re likely to experience as an individual.
Now as an individual at your company, if you are client facing in any way, you’re likely to receive it, I’d say, at least once a year. And if you’re not client facing, I would say expect it at least every other year: someone’s going to send you something like a phone call or a text message that’s like, hey, I’m an executive at your organization, I need gift cards to XYZ for a client. These are really common attacks that we’re seeing right now.
And I know we’re focusing on, on vishing, so phone attacking, but you’re also going to expect to see them over email, text message, social media, in addition to phone calls.
[Nate] Rachel, if you were putting yourself in the place of an attacker, what is typically the first step that you might take to perform a vishing attack?
[Rachel] Well, typically I’m going to look up that individual that I’m targeting. So find you on LinkedIn, Twitter, Instagram, Facebook. What are your likes? What are your dislikes? Um, you know, I see if you really love dogs, I might play the sound of a dog barking in the background so that we have something to bond about like, Oh, I’m so sorry. My dog will not stop barking. And then you’re like, Oh, no worries. I have two Chihuahuas. And you’re like, Oh my gosh, me too. And now we’re best friends so I can get access to everything.
So get a sense of your likes and dislikes, what your role is, who you report to. I need to be able to name drop the right people. So Nate, if I know that you report to somebody named Kyle or somebody named Michelle, I might say something like, I just got Michelle and Kyle all set up. I’m calling over here from IT support to make sure that your computer is up to date. I just need to go through a few things with you real quick. You’re more likely to be convinced that this is legitimate if I name drop the right people.
[Nate] That’s interesting. I could imagine how easy it might be to figure out like the dog thing based on just like looking up my social media profiles. Um, if you were figuring out, you know, that I report to somebody named Kyle, is that something you’d find on LinkedIn?
Like I’m interested to know where you’re finding this information and how.
[Rachel] Yeah, typically I can find reporting structure, org charts. Um, I can usually find on LinkedIn, get a sense of who reports to who and who’s commenting on each other’s posts and things like that. You can also see that in team pictures posted on Instagram, Twitter, Facebook, LinkedIn.
And then I can also sometimes Google dork, which is a special search operator you use during OSINT (open source intelligence). So using a special way of searching, special terms, to be able to uncover things that are hard to find, things like org charts that are typically thought of as private, but I can find them just by finding accidentally leaked PDFs online.
[Nate] Likes, dislikes and organizational structure is one thing, but I know not to put my phone number, home address, that kind of thing on the web. Do you need that kind of information or is that almost something that’s you’re going to get later down the line in the attack?
[Rachel] Well, most people I would hope do not willingly post their address and their phone number, their date of birth and all of that online. Some people do. Um, but unfortunately it’s not you typically who’s leaking that data.
It’s data brokerage sites. So if you’ve ever Googled yourself and you see your phone number, every past address you’ve lived at, your parents’ names, your siblings’ names, and all the other personal details about you on something like PeekYou or MyLife, those are the data brokerage sites that are harvesting data across the internet and selling it. And they’re making money on that data. You can take that information down. You can send in a fax to each and every data brokerage site, or you can pay to get it removed and they’ll take down that data, because oftentimes it’s not you that’s posting your phone number that I use to hack you. It’s a data brokerage site.
[Nate] What are some of the ways that I may be exposing myself without even realizing it, beyond social media, beyond home address and phone number?
[Rachel] So a lot of times people don’t think of something like leaving a review or saying, “I love this specific airline” or “@airline, I need support” publicly. They don’t think of that as a problem because they think like everybody gets support on Twitter, right? You just tweet at the airline or hospitality service that’s doing poorly by you and attempt to get support. Um, that feels like such a common channel for people, but when you do that, if somebody is targeting you and you have an elevated threat model, meaning you’re more likely to get hacked, then they can contact that specific service provider on your behalf.
So if you’re tweeting at your razor company and your shipping company and the airline that just lost your luggage, well, I can try and intercept in the middle of that trusted communication and either phish you as the airline, for example, “Hey, we found your luggage. Click here”. You sign in, I get access to your credentials, right? Or contact your airline as you and steal all the rest of your info, get access to your account and perform account takeover.
So that information doesn’t feel sensitive to people and it really shouldn’t be, but unfortunately it is, because services do not always do a good job of authenticating that we are who we say we are when we call in. We’re kind of in the dark ages of phone call authentication. I mean, can you imagine if you could log into your Gmail with your date of birth and your last address? Never. But I can do that when I’m logging in, quote unquote, over the phone.
[Nate] How exactly do you impersonate me over the phone to my airline?
[Rachel] A lot of times I’m going to do this by say spoofing your phone number because many times they just look at caller ID and if it says it’s calling from you, the user of their product, then they’re cool with that. And they say, Hey Nate, how can I help you? When in reality it’s me on the other end of the line using a voice changer, pretending to be you and getting access to your account by getting past their knowledge-based authentication questions.
Things like where did you last live? What are the last four digits of your social security number? Um, what’s your mother’s maiden name? You know, those classic KBA knowledge based authentication questions.
[Nate] Are there any psychological tactics or tricks that a hacker could use to get customer service agents, who you’re not going to know anything about, obviously, to divulge my personal information to you without me knowing?
[Rachel] Oh, absolutely. So I recommend reading Robert Cialdini’s book Influence. He talks about these principles of persuasion. So I’ll give you a few examples. First, we have reciprocity.
So let’s say I need to hack the customer service agent at XYZ company. I need to know what operating system they use there so I can tailor my malware to work on their machine. So I’m talking to the customer support agent and I’m like, I cannot get this software to work on my computer. I don’t know if it’s because I’m on a Mac or what. And the customer support agent might say, well, I’m on a Windows machine right now, but let me see if I can walk you through how to use it on a Mac.
And now I know, okay, they’re using windows. So we’re going to want to use windows exploits against this organization. And I can also use something like a principle of persuasion like urgency or authority. So for authority, I might name drop, this is both social proof and authority actually, social proof being I’m name dropping a coworker. Oh, I just talked to Katie and Katie told me to talk to you because of the escalation and I needed access to this today and all of these reasons. And this person is like, oh, well, I really do work with a Katie. I don’t have time to check that Katie actually said this, but they know that I work with Katie. So it’s got to be legit, right? So that social proof and that authority really is useful.
Another thing with authority is like a really sneaky trick I use is I give you the authority to tell me information. So I give knowingly false information. I might say something like, hi, this is Donnie and I have 90,000 points on my account and I need to get access. And they’re like, oh, I’m sorry, you have 75,000 points on the account. And I’m like, oh, okay, sorry, nevermind. I hang up and call back and say, hi, this is Donnie. I have 75,000 points on my account. And they’re like, okay, great. Your caller ID matches. So you are Donnie and you already answered one of our knowledge-based authentication questions to verify your identity. You have 75,000 points because you know that about your account. You’re in.
[Nate] All of that was incredibly interesting. Are there any more like really advanced psychological tactics that hackers can use here?
[Rachel] There’s a principle called amygdala hijacking. The amygdala is in your brain; my background’s in neuroscience, that’s what I have my degree in, so I’ll just get a little nerdy for a second, but not too bad. Your amygdala is the emotional center of your brain and it reacts a half step faster than any rational portion of your brain.
So if I use some sort of empathetic reason for why I need it now, urgency and empathy together, it really does cause what’s called amygdala hijacking, which is you making a choice that you wouldn’t normally make, faster than you would normally make it. So I might say something like, I am so sorry. My dog has to go to the vet. I don’t know what’s going on. We’re really trying to get out the door. Can you help me with this? Like right now, I have about 10 seconds. I’m so sorry. And it really does cause people to do something that they wouldn’t normally do. Like, oh yeah, absolutely. Let’s see. What’s the easiest course? Okay. Just tell me your mother’s maiden name and that’ll be enough to verify the account. And those little amygdala-hijacking moments are things that we have to defend against by creating tools and processes that make it so that amygdala hijacking isn’t even possible.
[Nate] And at what stage, if any, in this whole process does malware come into play?
[Rachel] So let’s say I’m talking to somebody in a vishing call and I need them to do something more technical. I might get them to go to a malicious URL and download something there over the phone. So I could say the malicious URL is X, Y, Z. And people will often type that in, download something, or just give me remote access to their machine so I can do whatever I want and steal the data that I want. Another thing they might do is combine vishing with phishing. So I might say, I just shot you over an email. Go ahead and open that up. And that email contains something malicious.
[Nate] I imagine that’s harder with customer service because you don’t know who you’re getting on the other end of the line. Would you also apply this kind of technique in that scenario? Or is it mostly when you’re hacking individuals or like people who you know in an organization by name?
[Rachel] I think when we’re thinking about customer service attacks, typically they’re account takeover based attacks. So the ones that we’ve seen in the news recently, Twilio’s, Cloudflare’s and Twitter’s account takeover attacks, those happened to customer support professionals or people who had access to the admin panel that customer support has access to. And what they’re trying to do is get access to their password. So, hey, go to this URL for me so that we can get your password to work while you’re working from home. I know you’re having trouble logging into your VPN, et cetera. They go to a malicious website. Somebody says the website to them over the phone. They type it in while they’re listening over the phone.
And they go ahead and they input their username and password. And then we siphon out the MFA code from there. That’s a very common tactic that we’re seeing used right now. That happened in the Twitter hack. In the Twilio and Cloudflare hacks that we’re seeing right now, to a lot of Okta customers, those are happening first over SMS. Hey, your IAM changed. You need to update your password here. You click the link in your SMS text message. It brings you to a malicious lookalike site. You input your username and password. It steals your MFA code. And now the attacker can log in as you.
[AD] The best strategy for organizations to avoid becoming a victim of ransomware is to prevent the attack from being successful in the first place. Cybereason remains undefeated in the fight against ransomware because it moved beyond alerting to deliver an operation-centric approach that detects and prevents ransomware attacks at the earliest stages of initial ingress and lateral movement. The Cybereason Predictive Response capability disrupts ransomware attacks prior to data exfiltration and long before the ransomware payload can be delivered.
Visit cybereason.com to learn more about Predictive Ransomware Protection and how your organization can realize both increased efficiency and efficacy through an operation-centric approach to security operations.
[Nate] How easy or difficult is it to pull this kind of thing off and how long does it take?
[Rachel] Typically when I’m vishing, I can gain access in like 30 seconds to a minute. So a company will usually hire me and say, hey, we just updated XYZ protocol. We want to see how the protocol works. And if they don’t have something like multifactor authentication in place, or they don’t use the right methods to verify identity for, let’s say a customer who’s calling into customer support, I’m usually able to do account takeover within a few minutes or I’m able to get the credentials that I need within 30 seconds to a few minutes.
[Nate] And then at that point, is there anything that I as the hackee can do to save my accounts and information or mitigate the damage you’re going to cause, or do you just have full license?
[Rachel] Well, if you report it immediately to your IT team, they can shut down your account, make it so that my device as the attacker can’t get the access that it needs. You can change your credentials if you gave them out over the phone. There’s a lot of really, really important things you can do, starting with reporting. That’s the most essential thing you can do.
[Nate] And just to drive the point home, what kinds of things can you do to me once you have my account?
[Rachel] Yeah, I mean, I could steal all your money, turn your lights off, change your cable, change your healthcare, kick you out of your house, quit you from your job by sending an email to your boss. I mean, I could do anything, right? Anything you could do, I could do.
[Nate] Since it really is this effective, surely there must be news stories out there of successful vishing campaigns that I might have heard of.
[Rachel] Yeah, I think the Twitter hack of 2020 is like the most famous example of vishing.
So the attacker pretended to be IT support, called up customer support, got them to go to a lookalike malicious URL to change their password to quote, get into their VPN while working from home under COVID conditions, of course. The victims went ahead and put their credentials into that site. The attacker then said, all right, great, send me your multi-factor authentication code. All right, sent that over. Now the attacker can just log into the admin panel as if they are the admin, the person who works at that company.
And they were able to go into the Twitter admin panel and tweet out from Elon Musk’s account about a crypto scam, former president Barack Obama, Kanye West. I mean, the list just goes on and on. So once you have admin access, you can pretty much do what you want.
[Nate] What are the steps, the procedures, that companies need to be putting in place to prevent the kinds of vishing that you’ve described here?
[Rachel] So companies typically use KBA, knowledge-based authentication questions, where you grew up, your mother’s maiden name, your date of birth, your phone number, your address to verify that you are who you say you are. If you’re not sure what your company uses to verify your identity, I recommend calling them. So you could call just as yourself and say, hi, this is Nate. I just got a new phone. What information do you need to verify I am who I say I am for this airline account? And they’ll say, okay, we need your mother’s maiden name and the last four digits of your social and your current address and phone number. Once you know what it is that a company is going to ask of you, you can use that for hacking or you can use that for defending.
Unfortunately, most organizations use knowledge-based authentication. That’s pretty insecure, rather than multi-factor authentication, which would be something like: you have a phone number and an email address on file. If I give a call to the phone number of customer support for, say, my airline, they should say, absolutely, Rachel, happy to help you. I went ahead and I sent a code to your email and your phone on file. Go ahead and read that out for me. That verifies that I’m not spoofing my phone number and I have access to the actual account. I know that I am that person. I have that email address.
[Nate] But to play devil’s advocate, I would imagine it is also relatively simple for hackers to take over your email account with a malicious link and a phishing email, or even your SMS. I mean, there are all kinds of purported problems with SMS-based MFA. Are there any kinds of MFA that really are more foolproof, or is it that in most cases the risks to these kinds of MFA just aren’t realistic enough to worry about too much?
[Rachel] Typically when we’re hacking, we don’t have access to everything at once. I haven’t popped both your service providers and your email and also SIM swapped you all at the same time.
Typically if I’m calling your service providers to change the information on your account and gain access to your account, it’s because I haven’t popped your email yet. If I popped your email, I wouldn’t need to be calling the service providers because I could go ahead and change the email address on the account by doing a password reset flow to the email address that I popped and I could just change it to my account. Do you know what I mean?
[Nate] Yeah. Now that I think about it, you could theoretically vish me without even knowing how to hack computers.
[Rachel] The vishing element is particularly insidious because it doesn’t require me to have any technical access to anything that you own. No devices, email addresses, phone numbers, nothing. I actually don’t need to have popped you at all. I just need to hack you through your service providers and convince them that I’m you. It’s the least technical way of hacking and it’s very scary.
[Nate] Usually when we hear about phishing, the advice boils down to, at least in my experience, like education and using MFA. But I feel like we have enough of a problem still that either that advice is not getting through or it’s not doing the job. Are there any other simple practical tips that you’ve given people to protect themselves from the kinds of attacks you’ve outlined today?
[Rachel] Sure. Something that people don’t always think about is that you don’t actually need to give a lot of these companies the correct data that they’re asking for. Let’s say you know your airline. You call up your airline. You can see that they’re using KBA. They say, okay, we just need your address and we need your phone number and your date of birth to verify you are who you say you are to get you into your account. The address on your account for many of these hospitality sites like your hotels, et cetera, they don’t necessarily need to be accurate.
Let’s say you want to put your address on your hotel account. You can make that something that’s not searchable, something that you don’t typically have associated with you in any way, so that if the attacker goes in and says, okay, great, all I need is their address, the address that’s on the data brokerage forums is not going to be the same thing that you actually use with your sites. Make the data that they use to verify your identity, the knowledge-based authentication questions, make them wrong or different and save them in your password manager. If they’re like, what’s your mother’s maiden name? And you’re thinking, oh my goodness, they should not use this to verify my identity. Make the mother’s maiden name almost like a password.
[Nate] Rachel, this was fun. Any final thought you’d like to leave us with?
[Rachel] I would say a lot of people, when they hear this stuff, they throw their hands up and say, well, there’s nothing that I can do to prevent this. They’re contacting my service providers without my knowledge. And I would say, you’re right. I mean, there’s not a lot that you can do, right? You can take your service providers off your social media so I don’t know who to call. You can use bad security questions that are like fake words and letters and numbers stored in a password manager to get around all of their bad authentication protocols for phone calls of support needs. But there’s not a whole lot you can do.
The onus really is on companies to protect your data. And so I would encourage you when you notice that you’re talking to customer support for your company, say something like, hey, I noticed that you just verified my identity with those questions. Those are knowledge-based authentication questions. I would love for you to move towards multifactor authentication. And if enough of us say that to enough companies, they’ll start to listen and change.
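As an added illustration of three points from the interview, and not part of the conversation or of SocialProof Security’s own tooling: a support desk that relies on caller ID plus knowledge-based answers lets a spoofed number and data-broker facts straight in, an out-of-band code sent to the contacts on file does not; an agent who corrects a wrong account detail (“you have 75,000 points”) turns the check into an oracle for a second call; and random KBA answers kept in a password manager defeat the broker data. The account, phone numbers, e-mail address, point balance and agent replies below are constructed for the example.

```python
"""Simulated support-desk identity checks: KBA vs. out-of-band code,
and the "correct my wrong value" oracle. All data here is constructed."""
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    phone_on_file: str
    email_on_file: str
    kba: dict          # knowledge-based answers the desk checks (address, DOB, ...)
    points: int


@dataclass
class Call:
    caller_id: str     # as displayed to the agent; trivially spoofable
    claimed_kba: dict  # what the caller says when asked the KBA questions
    # (channel, address) pairs the caller genuinely controls
    can_read_otp_for: set = field(default_factory=set)


def verify_kba(acct: Account, call: Call) -> bool:
    """Weak check: caller ID must match, then static facts must match.
    Broker-leaked facts plus a spoofed caller ID satisfy it."""
    if call.caller_id != acct.phone_on_file:
        return False
    return all(hmac.compare_digest(str(call.claimed_kba.get(k, "")), str(v))
               for k, v in acct.kba.items())


class OtpDesk:
    """Out-of-band check: a fresh one-time code goes to the phone and e-mail
    already on file; only a caller who can read it back is verified."""

    def __init__(self):
        self.outbox = {}   # (channel, address) -> code, stands in for SMS/e-mail delivery

    def _challenge(self, acct: Account) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox[("sms", acct.phone_on_file)] = code
        self.outbox[("email", acct.email_on_file)] = code
        return code

    def verify_oob(self, acct: Account, call: Call) -> bool:
        expected = self._challenge(acct)
        seen = [code for (ch, addr), code in self.outbox.items()
                if (ch, addr) in call.can_read_otp_for]
        if not seen:
            return False   # caller controls neither channel; a blind guess is 1 in 10^6 per try
        return hmac.compare_digest(seen[0], expected)


# --- the "correction" oracle from the points anecdote -----------------------
def agent_leaky(acct: Account, claimed_points: int) -> str:
    if claimed_points == acct.points:
        return "Verified."
    return f"Sorry, our records show {acct.points:,} points."   # discloses the answer


def agent_safe(acct: Account, claimed_points: int) -> str:
    if claimed_points == acct.points:
        return "Verified."
    return "That does not match our records."                    # no value disclosed


def two_call_attack(agent, acct: Account, opening_guess: int = 90_000) -> bool:
    """Call 1: state a wrong balance and harvest any correction.
    Call 2: repeat the corrected value as if it were known all along."""
    reply = agent(acct, opening_guess)
    m = re.search(r"([\d,]+) points", reply)
    if not m:
        return False
    learned = int(m.group(1).replace(",", ""))
    return agent(acct, learned) == "Verified."


def demo() -> dict:
    victim = Account("Nate", "+15550100", "nate@example.invalid",
                     {"address": "12 Elm St", "dob": "1990-01-01", "maiden": "Smith"}, 75_000)
    broker_leak = dict(victim.kba)   # same facts, harvested from a data-broker site
    attacker = Call(caller_id=victim.phone_on_file, claimed_kba=broker_leak)   # spoofed CLI
    real_user = Call(caller_id="+15559999", claimed_kba=dict(victim.kba),     # "I got a new phone"
                     can_read_otp_for={("sms", victim.phone_on_file),
                                       ("email", victim.email_on_file)})
    # the interview's mitigation: KBA answers that are random secrets in a password manager
    hardened = Account(victim.name, victim.phone_on_file, victim.email_on_file,
                       {k: secrets.token_urlsafe(12) for k in victim.kba}, victim.points)
    desk = OtpDesk()
    return {
        "kba_attacker": verify_kba(victim, attacker),            # True: spoof + broker data
        "kba_real_user_new_phone": verify_kba(victim, real_user),# False: caller ID is the gate
        "oob_attacker": desk.verify_oob(victim, attacker),       # False: never sees the code
        "oob_real_user": desk.verify_oob(victim, real_user),     # True
        "kba_random_answers_attacker": verify_kba(hardened, attacker),  # False
        "oracle_leaky": two_call_attack(agent_leaky, victim),    # True
        "oracle_safe": two_call_attack(agent_safe, victim),      # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'VERIFIED' if ok else 'rejected'}")
```

The design choice worth noting is where the secret lives: in the KBA flow every input the agent checks is something a third party can already know, so the check only confirms that the caller did their research; in the out-of-band flow the only thing that verifies is possession of a channel the account holder registered earlier, which the caller cannot spoof from the outside. The oracle fix is equally cheap: a mismatch reply must never echo the stored value.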