Real World Vishing Techniques
Hello fellow penetration testers, social engineers and security practitioners! We’re fresh off the wild ride that was DEF CON 23, where our SECTF competition was just tremendous! This was my first year working in the SE Village, and I have to say, it’s amazing to be part of such a dynamic team. Our village presents a unique opportunity for DEF CON n00bz and veterans alike: both can watch our contestants call organizations live to extract informational flags. While this event is massively popular, our goal is that attendees walk away with a very clear demonstration that targeted attacks need not be technically sophisticated to be devastating. Vishing, the practice of eliciting information or attempting to influence action via the telephone, has been, and continues to be, a very lucrative vector for obtaining information or influencing an organization’s employees to take action that leads to a breach.
During a vishing engagement, callers who think fast on their feet do exceptionally well; however, it’s also important to note that there are some techniques that can be employed to make voice elicitation effective. When it comes right down to it, the best voice elicitors are able to make strategic use of conversation in order to extract information from an individual without giving them the feeling anything is amiss. At Social-Engineer, our goal is to leave the target feeling better having met us. Today I want to discuss some techniques for doing so.
Bless Their Little Hearts
Not everyone can slap on an authentic Southern drawl at the drop of a hat, but as a Southern native, I commend you if you can. It is important to recognize the role language plays in vishing. Our language does not only transmit information; the way we speak also provides a lot of information about the person speaking.
An individual will draw conclusions about gender, age, race or even state of mind based on nothing more than the caller’s accent. Call center representatives may be more apt to help a slow-speaking, polite Southerner (because, bless their little heart, they are just a little bit ‘slower’) than a fast-speaking, direct and task-oriented caller who has no time for small talk.
Am I saying you should always slap on a Southern accent and play dumb? Absolutely not, but what I am saying is that understanding how accent is interpreted by others will certainly carry you far. If you do have an accent, bring it out. And it’s not just Southern accents; other foreign accents can have the same impact. The takeaway here is that it’s important to make use of the resources you have at your disposal to augment a good pretext.
Suspend That Ego
Another valuable vishing technique I would like to discuss is feigned ignorance. Sometimes it pays to act like you just don’t know what’s going on. Humility is a function of ego suspension and a great mechanism for building rapport. The key is to get the other person’s brain to reward them for talking to you by releasing dopamine and oxytocin. Making deliberate use of phrases like “I’m so sorry, I don’t know” or “I didn’t even realize,” and then letting the other person be the correct and knowledgeable one, can make this happen.
This technique is particularly useful during the early information-gathering phase. For example, say you call into an organization in hopes of obtaining a password reset, but you realize you’re getting shut down because you don’t know a certain piece of information. One quick way to salvage the call is to pretend that you’re new, out of the loop, or have never attempted this task before. You can say, “Oh my goodness, I didn’t realize I had to get a manager’s approval. My manager is on vacation and I’ve never done this before. What information will I need when I call back?” More often than not, the helpful individual on the other end of the line will give you the exact information you need.
Ideally, before conducting a vishing call, you will do some research on your target or targeted organization. This information can be used to garner credibility or persuade the target into thinking that you have knowledge or associations in common, thus increasing the likelihood they’ll provide assistance. Dropping tidbits of information you know to be true can carry you far. This can include name-dropping or mentioning a system, technology, process or protocol you know is in use, which establishes instant credibility.
Deliberate False Statements
One of my personal favorite tactics is the use of deliberate false statements. This particular tactic is meant to exploit the human tendency to be helpful and/or correct mistakes. If you have the wrong information, people want to aid you by providing the right information. It works because the target will likely give you information, thinking it was their idea to do so. It’s important to remember when using this tactic: only use the right amount of wrong. In other words, don’t call and pretend that every piece of information you have is incorrect. The impact will not be the same. You can start by throwing out a few tidbits of accurate data to establish credibility.
Deliberate false statements work particularly well when you’re trying to obtain a very specific piece of information such as a credit card number. It works like this: “Oh, I just wanted to make sure my husband put the right credit card on our account. We have several and I need to ensure it’s not the one that’s maxed out. Is the card he added to the account the one that ends in 5966?” Often the person on the other end of the line will divulge the correct information before you even have the chance to request it. If that doesn’t work, you can still maintain your pretext and finish the call, saying it must be one of the cards in his wallet and that you’ll call back.
What Did You Say?
Before wrapping things up, I would be remiss not to discuss the mumble technique. Typically, when I use this technique, I do so in combination with a prop such as background noise. This technique can be useful when you have only partial information. A great example is when you’re impersonating a target and you need to answer a security question but don’t have all of the details. You know their birth month is October and year is 1976, but you don’t know the specific day. Mumbling something along the lines of seventeen and five and then enunciating the year will sometimes suffice, particularly if there is a lot of background noise. Generally, people don’t want to be rude by asking you to repeat the answer.
Putting it All Together
This is just a brief list of some of my favorite techniques to use during vishing assessments for organizations. By no means is it an extensive list, but it’s a starting point for considering different mechanisms for obtaining information over the phone. Any (or all) of these techniques can be used during vishing calls – feel free to get creative in the application! One key thing to remember is to communicate and adapt based on the individual you are talking to. This will help the target feel at ease. In turn, they’ll be more willing to comply with requests for help or information.
One of the biggest questions we get is how you can practice these skills. One way is by getting paid, legal work that you can use to go out and practice!
If that is not an option, then you can just go out and have a conversation with a complete stranger. You don’t try to get their deepest secrets, but can you find out where they live and work and their family name? You will be shocked at how easy it is when you try…
Either way, you gotta start somewhere, so to start I suggest applying these techniques to everyday conversations, and who knows? Perhaps you’ll be the next winner of our SECTF!
Written by Jesssssssss Clark