12 Days of Red Teaming, Day 4 - Vishing Santa’s Workshop
The Red Team engagement against Lapland Industries continues with a Vishing campaign that tries to gain access to the naughty or nice list.
What is Vishing?
Voice Phishing, or Vishing, is a type of Social Engineering cybercrime that uses phone calls or voice messages to get the recipient to reveal personal information or to grant access to a system or network.
Vishing, Phishing and Smishing
Vishing, Phishing and Smishing have the same goal; the only difference is the medium used to get victims to reveal their personal information.
- Phishing uses email
- Vishing uses voice or telephone
- Smishing uses SMS/text messages sent to mobile numbers
These methods do not have to be used in isolation; some attackers combine them to gain access. For example, a Smishing attack could start with a text message containing a telephone number for victims to call.
Why utilise Vishing?
It can be harder to identify a Vishing attack than a Phishing or Smishing attack. There are programs that mask voices and regional accents, making it hard to recognise international callers. Identification is particularly difficult for employees of large organisations with high staff turnover, or with no central directory of staff details: an attacker can easily call a staff member pretending to be a new employee in the IT department.
Carrying out a Vishing attempt on Lapland Industries
Following on from the Phishing campaign, Cybaverse now holds login credentials for 11 elves; 5 of the accounts with the access levels required are protected by Multi-Factor Authentication (MFA). Cybaverse then targeted these accounts with a Vishing campaign. The first target was Hermey the Elf.
Having obtained Hermey’s valid credentials, the intention was for Cybaverse to imitate a third-party IT provider, submit the password themselves, and social engineer the resulting MFA code out of Hermey to gain access to the network.
The next step was obtaining a contact number. The number found via Google connected to an Elf receptionist, who could forward the call to Hermey. Adding urgency to the call, combined with a valid password that triggers a genuine MFA code, makes the attack more likely to succeed.
Neither Hermey nor any of the other elves would hand over their MFA codes; each insisted that their IT Department needed to authorise this first, so this Vishing attempt was unsuccessful. Many threat actors would continue looking for another way to trigger MFA for a different, more susceptible set of elves.
Tomorrow Cybaverse will try another tactic used by the Gruber Group: Password Spraying. Cybaverse will carry out a password spray based on information collected from the Lapland Industries Christmas party.
How to protect yourself from Vishing campaigns
There are two main ways for organisations to protect themselves from Vishing campaigns.
- Awareness: ensure every employee is aware of the different types of attack, specifically Vishing. Complete regular training with employees and ensure that any known scams or attempts are circulated to all staff.
- Technology: if you’re using a cloud-based telephone system, ensure that spam caller protection is active. You can also use firewalls and regular Penetration Tests to ensure that your systems are secure.
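The attack above leaves a trail on the identity side as well: a valid password is accepted and an MFA challenge is issued, but the challenge is never completed because the elf refuses to read out the code. The following detection logic, an added example that is not part of the original post or of Cybaverse's tooling, runs over constructed sample log lines in a hypothetical `ts user src_ip event` format and flags any source IP that leaves incomplete MFA challenges against several accounts inside one window.

```python
# Added example (not from the original post): flag bursts of MFA challenges that were
# started with a valid password but never completed, grouped by source IP. In the
# scenario above the attacker holds valid passwords and triggers prompts while calling.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: ts user src_ip event).
SAMPLE_LOG = """\
2023-12-04T09:01:10 hermey 203.0.113.7 password_ok
2023-12-04T09:01:11 hermey 203.0.113.7 mfa_challenge_sent
2023-12-04T09:04:30 buddy 203.0.113.7 password_ok
2023-12-04T09:04:31 buddy 203.0.113.7 mfa_challenge_sent
2023-12-04T09:07:02 jingle 203.0.113.7 password_ok
2023-12-04T09:07:03 jingle 203.0.113.7 mfa_challenge_sent
2023-12-04T09:20:00 alabaster 198.51.100.5 password_ok
2023-12-04T09:20:01 alabaster 198.51.100.5 mfa_challenge_sent
2023-12-04T09:20:20 alabaster 198.51.100.5 mfa_success
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, src, event = line.split()
        events.append((datetime.fromisoformat(ts), user, src, event))
    return events

def incomplete_challenges(events, timeout=timedelta(minutes=5)):
    """(ts, user, src) of challenges with no mfa_success for that user/source within timeout."""
    successes = [(t, u, s) for t, u, s, e in events if e == "mfa_success"]
    return [(t, u, s) for t, u, s, e in events if e == "mfa_challenge_sent"
            and not any(u == su and s == ss and t <= st <= t + timeout
                        for st, su, ss in successes)]

def suspicious_sources(events, window=timedelta(minutes=15), min_accounts=3):
    """Source IPs with incomplete challenges on >= min_accounts accounts in one window."""
    by_src = defaultdict(list)
    for t, u, s in incomplete_challenges(events):
        by_src[s].append((t, u))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)  # earliest window that crosses the threshold
                break
    return flagged

if __name__ == "__main__":
    print(suspicious_sources(parse(SAMPLE_LOG)))
```

A hit on this rule is a prompt to contact the affected staff through a known-good channel, since the elves who refused to share their codes are the ones that will show up here.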
Updating Santa on our findings
Once the Vishing campaign was complete, Cybaverse updated Santa on their findings and made preparations for tomorrow's password spray attempt on Lapland Industries.