Vishing: Voice Scams [ML BSide]

Authentication has come a long way since the 1980s or 90s, but when it comes to phone calls, we’re still in the Middle Ages. Vishing, or voice scams, is probably as old as the telephone itself, yet it is still very easy to impersonate someone over the phone or spoof a phone call’s origin.
Rachel Tobac is a hacker and the CEO of SocialProof Security, where she helps people and companies keep their data safe by training and pen-testing them on social engineering risks. Rachel spoke with Nate Nelson, our Sr. producer, about vishing: how common it is, where attackers get the information they need to impersonate someone, and the many, many psychological tricks they can employ to fool the person on the other side of the call.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Rachel Tobac

CEO, SocialProof Security, Friendly Hacker

Rachel is a hacker and the CEO of SocialProof Security where she helps people and companies keep their data safe by training and pentesting them on social engineering risks. Rachel was also 2nd place winner of DEF CON's wild spectator sport, the Social Engineering Capture the Flag contest, 3 years in a row. Rachel has shared her real life social engineering stories with NPR, Last Week Tonight with John Oliver, The New York Times, Business Insider, CNN, NBC Nightly News with Lester Holt, Forbes and many more. In her remaining spare time, Rachel is the Chair of the Board for the nonprofit Women in Security and Privacy (WISP) where she works to advance women to lead in the fields.

Episode Transcript:

Transcription edited by @hakinadey

[Rachel] it doesn’t require me to have any technical access to anything that you own. It’s the least technical way of hacking, and it’s very scary.

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Side. I’m Ran Levi.
With websites and apps, we have pretty robust security protocols: passwords, multi-factor authentication and these kinds of things. None of them are perfect, of course, but there’s no doubt that electronic authentication has come a long way since the 1980s or 90s. But when it comes to phone calls, says Rachel Tobac, our guest today, we’re still in the Middle Ages. Vishing, or voice scams, is probably as old as the telephone itself, yet it is still very easy to impersonate someone over the phone or spoof a phone call’s origin.
Rachel Tobac is a hacker and the CEO of SocialProof Security, where she helps people and companies keep their data safe by training and pen-testing them on social engineering risks. Rachel spoke with Nate Nelson, our senior producer, about vishing: how common it is, where attackers get the information they need to impersonate someone, and the many, many psychological tricks you can employ to fool the person on the other side of the line. Trust me, after you listen to this conversation, you’ll think twice, even three times, before answering a call from an unrecognized number.
Enjoy the interview.

[Nate] What is vishing?

[Rachel] Vishing is any time you are attacking somebody with your voice, so typically over the phone. Vishing typically happens within, say, a few-minute phone call where you call and convince somebody to pay an invoice that you sent them that isn’t real or legit, convince them to download remote access software, go to a malicious URL, give out sensitive details, or change something like an email, password or account detail, like a phone number, so that you can perform account takeover.

[Nate] Is this a common type of attack? Because I don’t feel like I hear about it all that much.

[Rachel] I would say most people will probably get a vishing attack at some point in their life. We’re seeing them increase in frequency.
You as an individual, I would say, are also likely to, and you probably have received them. It’s just that the ones that you’ve received are pretty scammy and obvious. Your car warranty has expired. Call this number so that we can help you work through that. People get voicemails like that once a week at this point. That’s a vish. Now it’s probably not a vish you’re going to fall for, but you’ve probably received one.

[Nate] Then is there a more common kind of more dangerous vishing?

[Rachel] The vishing attacks that you’re more likely to receive are things like tech support scams. So somebody will say that they’re from Apple, Microsoft, Dell, Geek Squad. Hey, we got a report from your specific device. We have you on record here. We’re seeing that your device has an issue. We need to help you solve it.
This is something that hits everyday folks. So your best friend from high school, you, your parents, your aunt, those are the folks that are most likely to fall for these. We’ve seen this hit numerous folks within our own trusted circle.

[Nate] What does falling for one of these look like?

[Rachel] They’re generally either letting them remote access into their phone or their computer to, quote, fix the virus, which of course doesn’t exist, gaining access to be able to exfiltrate files, get sensitive details, data, things that could be used for blackmail, et cetera, or they’re just looking to get paid. You know, Hey, send me $125 so I can fix this virus for you. Very common. So that’s something that you’re likely to experience as an individual.
Now as an individual at your company, if you are client facing in any way, you’re likely to receive it, I’d say at least once a year. And if you’re not client facing, I would say expect it at least every other year, someone’s going to send you something like a phone call or a text message. It’s like, Hey, I’m an executive at your organization. I need gift cards to XYZ for a client. These are really common attacks that we’re seeing right now.
And I know we’re focusing on, on vishing, so phone attacking, but you’re also going to expect to see them over email, text message, social media, in addition to phone calls.

[Nate] Rachel, if you were putting yourself in the place of an attacker, what is typically the first step that you might take to perform a vishing attack?

[Rachel] Well, typically I’m going to look up that individual that I’m targeting. So find you on LinkedIn, Twitter, Instagram, Facebook. What are your likes? What are your dislikes? You know, if I see you really love dogs, I might play the sound of a dog barking in the background so that we have something to bond about, like, Oh, I’m so sorry. My dog will not stop barking. And then you’re like, Oh, no worries. I have two Chihuahuas. And you’re like, Oh my gosh, me too. And now we’re best friends so I can get access to everything.
So get a sense of your likes and dislikes, what your role is, who you report to. I need to be able to name drop the right people. So Nate, if I know that you report to somebody named Kyle or somebody named Michelle, I might say something like, I just got Michelle and Kyle all set up. I’m calling over here from IT support to make sure that your computer is up to date. I just need to go through a few things with you real quick. You’re more likely to be convinced that this is legitimate if I name drop the right people.

[Nate] That’s interesting. I could imagine how easy it might be to figure out the dog thing based on just looking up my social media profiles. If you were figuring out, you know, that I report to somebody named Kyle, is that something you’d find on LinkedIn?
Like, I’m interested to know where you’re finding this information and how.

[Rachel] Yeah, typically I can find reporting structure, org charts. I can usually find on LinkedIn, get a sense of who reports to who and who’s commenting on each other’s posts and things like that. You can also see that in team pictures posted on Instagram, Twitter, Facebook, LinkedIn.
And then I can also sometimes Google dork, which is a special search operator you use during OSINT (open source intelligence). So using a special way of searching, special terms, to be able to uncover things that are hard to find, things like org charts that are typically thought of as private, but I can find them just by finding accidentally leaked PDFs online.

[Nate] Likes, dislikes and organizational structure is one thing, but I know not to put my phone number, home address, that kind of thing on the web. Do you need that kind of information, or is that something you’re going to get later down the line in the attack?

[Rachel] Well, most people, I would hope, do not willingly post their address and their phone number, their date of birth and all of that online. Some people do. But unfortunately it’s not typically you who’s leaking that data.
It’s data brokerage sites. So if you’ve ever Googled yourself and you see your phone number, every past address you’ve lived at, your parents’ names, your siblings’ names, and all the other personal details about you on something like PQ, MyLife, those are the data brokerage sites that are harvesting data across the internet and selling it. And they’re making money on that data. You can take that information down. You can send in a fax to each and every data brokerage site, or you can pay to get it removed and they’ll take down that data, because oftentimes it’s not you that’s posting the phone number that I use to hack you. It’s a data brokerage site.

[Nate] What are some of the other ways that I may be exposing myself without even realizing it, beyond social media, beyond things like home address and phone number?

[Rachel] So a lot of times people don’t think of something like leaving a review or saying, “I love this specific airline” or “@airline, I need support” publicly. They don’t think of that as a problem because they think, like, everybody gets support on Twitter, right? You just tweet at the airline or hospitality service that’s doing poorly by you and attempt to get support. That feels like such a common channel for people, but when you do that, if somebody is targeting you and you have an elevated threat model, meaning you’re more likely to get hacked, then they can contact that specific service provider on your behalf.
So if you’re tweeting at your razor company and your shipping company and the airline that just lost your luggage, well, I can try and intercept in the middle of that trusted communication and either phish you as the airline, for example, “Hey, we found your luggage. Click here.” You sign in, I get access to your credentials, right? Or contact your airline as you and steal all the rest of your info, get access to your account and perform account takeover.
So that information doesn’t feel sensitive to people, and it really shouldn’t be, but unfortunately it is, because services do not always do a good job of authenticating that we are who we say we are when we call in. We’re kind of in the dark ages of phone call authentication. I mean, can you imagine if you could log into your Gmail with your date of birth and your last address? Never. But I can do that when I’m logging in, quote unquote, over the phone.

[Nate] How exactly do you impersonate me over the phone to my airline?

[Rachel] A lot of times I’m going to do this by say spoofing your phone number because many times they just look at caller ID and if it says it’s calling from you, the user of their product, then they’re cool with that. And they say, Hey Nate, how can I help you? When in reality it’s me on the other end of the line using a voice changer, pretending to be you and getting access to your account by getting past their knowledge-based authentication questions.
Things like where did you last live? What are the last four digits of your social security number? What’s your mother’s maiden name? You know, those classic KBA, knowledge-based authentication, questions.

[Nate] Are there any psychological tactics or tricks that a hacker could use to get customer service agents, who you’re obviously not going to know anything about, to divulge my personal information to you without me knowing?

[Rachel] Oh, absolutely. So I recommend reading Robert Cialdini’s book Influence. He talks about these principles of persuasion. So I’ll give you a few examples. First, we have reciprocity.
So let’s say I need to hack the customer service agent at XYZ company. I need to know what operating system they use there so I can tailor my malware to work on their machine. So I’m talking to the customer support agent and I’m like, I cannot get this software to work on my computer. I don’t know if it’s because I’m on a Mac or what, and the customer support agent might say, well, I’m on a Windows machine right now, but let me see if I can walk you through how to use it on a Mac.
And now I know, okay, they’re using Windows. So we’re going to want to use Windows exploits against this organization. And I can also use a principle of persuasion like urgency or authority. So for authority, I might name drop. This is both social proof and authority actually, social proof being I’m name dropping a coworker. Oh, I just talked to Katie and Katie told me to talk to you because of the escalation and I needed access to this today and all of these reasons. And this person is like, oh, well, I really do work with a Katie. I don’t have time to check that Katie actually said this, but they know that I work with Katie. So it’s got to be legit, right? So that social proof and that authority really is useful.
Another thing with authority is like a really sneaky trick I use is I give you the authority to tell me information. So I give knowingly false information. I might say something like, hi, this is Donnie and I have 90,000 points on my account and I need to get access. And they’re like, oh, I’m sorry, you have 75,000 points on the account. And I’m like, oh, okay, sorry, nevermind. I hang up and call back and say, hi, this is Donnie. I have 75,000 points on my account. And they’re like, okay, great. Your caller ID matches. So you are Donnie and you already answered one of our knowledge-based authentication questions to verify your identity. You have 75,000 points because you know that about your account. You’re in.

[Nate] All of that was incredibly interesting. Are there any more really advanced psychological tactics that hackers can use here?

[Rachel] There’s a principle called amygdala hijacking. My background’s in neuroscience. That’s what I have my degree in. So I’ll just get a little nerdy for a second, but not too bad. Your amygdala is the emotional center of your brain and it reacts a half step faster than any rational portion of your brain.
So if I use some sort of empathetic reason for why I need it now, urgency and empathy together, it really does cause what’s called amygdala hijacking, which is you making a choice that you wouldn’t normally make, faster than you would normally make it. So I might say something like, I am so sorry. My dog has to go to the vet. I don’t know what’s going on. We’re really trying to get out the door. Can you help me with this? Like right now, I have about 10 seconds. I’m so sorry. And it really does cause people to do something that they would normally do. Like, oh yeah, absolutely. Let’s see. What’s the easiest course? Okay. Just tell me your mother’s maiden name and that’ll be enough to verify the account. And those little amygdala-hijacking moments are things that we have to defend against by creating tools and processes that make it so that amygdala hijacking isn’t even possible.

[Nate] And at what stage, if any, in this whole process does malware come into play?

[Rachel] So let’s say I’m talking to somebody in a vishing call and I need them to do something more technical. I might get them to go to a malicious URL and download something there over the phone. So I could say the malicious URL is X, Y, Z. And people will often type that in, download something, or just give me remote access to their machine so I can do whatever I want and steal the data that I want. Another thing they might do is combine vishing with phishing. So I might say, I just shot you over an email. Go ahead and open that up. And that email contains something malicious.

[Nate] I imagine that’s harder with customer service because you don’t know who you’re getting on the other end of the line. Would you also apply this kind of technique in that scenario? Or is it mostly when you’re hacking individuals, or people who you know in an organization by name?

[Rachel] I think when we’re thinking about customer service attacks, typically they’re account takeover based attacks. So the ones that we’ve seen in the news recently, Twilio’s, Cloudflare’s and Twitter’s account takeover attacks, those happened to customer support professionals or people who had access to the admin panel that customer support has access to. And what they’re trying to do is get access to their password. So, hey, go to this URL for me so that we can get your password to work while you’re working from home. I know you’re having trouble logging into your VPN, et cetera. They go to a malicious website. Somebody says the website to them over the phone. They type it in while they’re listening over the phone.
And they go ahead and they input their username and password. And then we siphon out the MFA code from there. That’s a very common tactic that we’re seeing used right now that happened in the Twitter hack. In the Twilio and Cloudflare hacks that we’re seeing right now, to a lot of Okta customers, those are happening first over SMS. Hey, your IAM changed. You need to update your password here. You click the link in your SMS text message. It brings you to a malicious lookalike site. You input your username and password. It steals your MFA code. And now the attacker can log in as you.

[AD] The best strategy for organizations to avoid becoming a victim of ransomware is to prevent the attack from being successful in the first place. Cybereason remains undefeated in the fight against ransomware because it moved beyond alerting to deliver an operation-centric approach that detects and prevents ransomware attacks at the earliest stages of initial ingress and lateral movement. The Cybereason Predictive Response capability disrupts ransomware attacks prior to data exfiltration and long before the ransomware payload can be delivered.
Visit cybereason.com to learn more about Predictive Ransomware Protection and how your organization can realize both increased efficiency and efficacy through an operation-centric approach to security operations.

[Nate] How easy or difficult is it to pull this kind of thing off and how long does it take?

[Rachel] Typically when I’m vishing, I can gain access in like 30 seconds to a minute. So a company will usually hire me and say, hey, we just updated XYZ protocol. We want to see how the protocol works. And if they don’t have something like multifactor authentication in place, or they don’t use the right methods to verify identity for, let’s say a customer who’s calling into customer support, I’m usually able to do account takeover within a few minutes or I’m able to get the credentials that I need within 30 seconds to a few minutes.

[Nate] And then at that point, is there anything that I as the hackee can do to save my accounts and information or mitigate the damage you’re going to cause, or do you just have full license?

[Rachel] Well, if you report it immediately to your IT team, they can shut down your account, make it so that my device as the attacker can’t get the access that it needs. You can change your credentials if you gave them out over the phone. There’s a lot of really, really important things you can do, starting with reporting. That’s the most essential thing you can do.

[Nate] And just to drive the point home, what kinds of things can you do to me once you have my account?

[Rachel] Yeah, I mean, I could steal all your money, turn your lights off, change your cable, change your healthcare, kick you out of your house, quit you from your job by sending an email to your boss. I mean, I could do anything, right? Anything you could do, I could do.

[Nate] Since it really is this effective, surely there must be news stories out there of successful vishing campaigns that I might have heard of.

[Rachel] Yeah, I think the Twitter hack of 2020 is like the most famous example of vishing.
So the attacker pretended to be IT support, called up customer support, got them to go to a lookalike malicious URL to change their password to, quote, get into their VPN while working from home under COVID conditions, of course. The victims went ahead and put their credentials into that site. The attacker then said, all right, great, send me your multi-factor authentication code. All right, sent that over. Now the attacker can just log into the admin panel as if they are the admin, the person who works at that company.
And they were able to go into the Twitter admin panel and tweet out from Elon Musk’s account about a crypto scam, former president Barack Obama, Kanye West. I mean, the list just goes on and on. So once you have admin access, you can pretty much do what you want.

[Nate] What are the steps, the procedures that companies need to be putting in place to prevent the kinds of vishing that you’ve described here?

[Rachel] So companies typically use KBA, knowledge-based authentication questions, where you grew up, your mother’s maiden name, your date of birth, your phone number, your address to verify that you are who you say you are. If you’re not sure what your company uses to verify your identity, I recommend calling them. So you could call just as yourself and say, hi, this is Nate. I just got a new phone. What information do you need to verify I am who I say I am for this airline account? And they’ll say, okay, we need your mother’s maiden name and the last four digits of your social and your current address and phone number. Once you know what it is that a company is going to ask of you, you can use that for hacking or you can use that for defending.
Unfortunately, most organizations use knowledge-based authentication, which is pretty insecure, rather than multi-factor authentication, which would be something like: you have a phone number and an email address on file. If I give a call to the phone number of customer support for, say, my airline, they should say, absolutely, Rachel, happy to help you. I went ahead and I sent a code to your email and your phone on file. Go ahead and read that out for me. That verifies that I’m not spoofing my phone number and I have access to the actual account. I know that I am that person. I have that email address.

[Nate] But to play devil’s advocate, I would imagine it is also relatively simple for hackers to take over your email account with a malicious link in a phishing email, or even your SMS. I mean, there are all kinds of purported problems with SMS-based MFA. Are there any kinds of MFA that really are more foolproof, or is it that in most cases the risks to these kinds of MFA just aren’t realistic enough to worry about too much?

[Rachel] Typically when we’re hacking, we don’t have access to everything at once. I haven’t popped both your service providers and your email and also SIM swapped you all at the same time.
Typically if I’m calling your service providers to change the information on your account and gain access to your account, it’s because I haven’t popped your email yet. If I popped your email, I wouldn’t need to be calling the service providers because I could go ahead and change the email address on the account by doing a password reset flow to the email address that I popped and I could just change it to my account. Do you know what I mean?

[Nate] Yeah. Now that I think about it, you could theoretically vish me without even knowing how to hack computers.

[Rachel] The vishing element is particularly insidious because it doesn’t require me to have any technical access to anything that you own. No devices, email addresses, phone numbers, nothing. I actually don’t need to have popped you at all. I just need to hack you through your service providers and convince them that I’m you. It’s the least technical way of hacking and it’s very scary.

[Nate] Usually when we hear about phishing, the advice boils down to, at least in my experience, like education and using MFA. But I feel like we have enough of a problem still that either that advice is not getting through or it’s not doing the job. Are there any other simple practical tips that you’ve given people to protect themselves from the kinds of attacks you’ve outlined today?

[Rachel] Sure. Something that people don’t always think about is that you don’t actually need to give a lot of these companies the correct data that they’re asking for. Let’s say you know your airline. You call up your airline. You can see that they’re using KBA. They say, okay, we just need your address and we need your phone number and your date of birth to verify you are who you say you are to get you into your account. The address on your account for many of these hospitality sites like your hotels, et cetera, they don’t necessarily need to be accurate.
Let’s say you want to put your address on your hotel account. You can make that something that’s not searchable, something that you don’t typically have associated with you in any way, so that if the attacker goes in and says, okay, great, all I need is their address, the address that’s on the data brokerage forums is not going to be the same thing that you actually use with your sites. Make the data that they use to verify your identity, the knowledge-based authentication questions, make them wrong or different and save them in your password manager. If they’re like, what’s your mother’s maiden name? And you’re thinking, oh my goodness, they should not use this to verify my identity. Make the mother’s maiden name almost like a password.

[Nate] Rachel, this was fun. Any final thought you’d like to leave us with?

[Rachel] I would say a lot of people, when they hear this stuff, they throw their hands up and say, well, there’s nothing that I can do to prevent this. They’re contacting my service providers without my knowledge. And I would say, you’re right. I mean, there’s not a lot that you can do, right? You can take your service providers off your social media so I don’t know who to call. You can use bad security questions that are like fake words and letters and numbers stored in a password manager to get around all of their bad authentication protocols for phone calls of support needs. But there’s not a whole lot you can do.
The onus really is on companies to protect your data. And so I would encourage you when you notice that you’re talking to customer support for your company, say something like, hey, I noticed that you just verified my identity with those questions. Those are knowledge-based authentication questions. I would love for you to move towards multifactor authentication. And if enough of us say that to enough companies, they’ll start to listen and change.