A Beginner’s Insight into Vishing
In 2015, the term “vishing” was added as an official word in the Oxford Dictionary. At the time, many had never heard of the expression before. Social-Engineer defines vishing as, “the practice of eliciting information or attempting to influence action via the telephone.” Similar to phishing, the goal of vishing is to obtain valuable information that could contribute to the direct compromise of an organization by exploiting people’s willingness to help. Now in 2019, one would be hard-pressed to find anyone who has not yet received a scam call. Consumers—regardless of backgrounds, beliefs, or demographics—are constantly bombarded with scams calls to such a degree that a 2018 study predicted that this year, nearly 50% of all calls received will be illegitimate.
What does this mean for the corporate world? More than ever, organizations need to be on guard for callers targeting their employees and attempting to acquire corporate and/or personal information. Over the course of several years, enterprises have contracted vishing services by Social-Engineer. Throughout that time period, which culminated in more than 5,000 completed phone calls, more than 50% of targeted employees were compromised by providing supposedly-privileged information to the visher. From those calls, our Vishing as A Service® (VaaS®) team was able to obtain several flags: 15% of employees provided their social security numbers (SSN), 9% discussed internal projects, and 1% furnished their security questions and answers. These findings show just a small glimpse into the danger that vishing poses to organizations and highlights the importance of using professional vishing services to test and train employees.
With such a vast threat landscape to protect, in combination with the potentially severe level of consequences vishing poses, there is a pressing need for people to join these professional white hat vishing teams. So how can someone become a successful visher? Social-Engineer recently hired two team members who have not only joined the vishing team but have been accumulating tremendous success. We interviewed them and we are sharing their insights with you in this newsletter.
Doctor, Firefighter, Astronaut…Visher?
When asked as a child what you wanted to be when you grew up, we’re betting a very small number of you, if any, replied “a visher.” Although not many have set out to become a visher from the beginning, many vishers have had the opportunity to vish professionally through an unlikely series of events, much like other professions within information security. This was the case for both of our new team members. Even without prior formal vishing training, they still find that many things from their past jobs and experiences have helped them greatly in their new roles. Ron*, who was classically trained as an actor in his past, says that using the skills he learned as a working actor have greatly helped him to be able to “roll with whatever is happening.” Being quick-on-your-feet and able to intelligently improvise is an invaluable quality as a visher. You’ll never know for sure who will answer the phone, or what situation you may be forced to adapt to. Being flexible, while maintaining character, will result in success when you are thrown into a circumstance you weren’t expecting. For instance, Ron relates a time when he was on a vishing call and the target placed him on speakerphone with their manager in-room. Instead of getting rattled by this new development, Ron continued to make small talk with the two and was able to still obtain the flags, even when they could not properly identify him. By staying calm and collected, Ron was able to maintain and build rapport, turning the scenario that may have otherwise ended the call quickly into a vishing success. It is important to note that if at any time you do feel overwhelmed, to not just end the conversation abruptly or hang up the phone call. Find a way to exit the call as naturally as possible, using common and believable excuses such as “my computer locked up,” “another call is coming in,” etc.
Isabelle* has used her studies in psychology to help her become a successful visher. “I am currently studying the theories of personality which has tremendously helped me analyze a target’s personality characteristics to know how they would rather have me talk, respond, etc.” By listening to their voice inflections, the nervousness of their voice, and their willingness to communicate, Isabelle can use that to build rapport with her targets. She says, “I know that if the target I’m calling is a man that speaks in sharp, fast syllables, I need to be more direct and bolder with my statements in order to combat his confident, stern personality. If I’m talking to an elderly woman who speaks softly and goes off on tangents, I know to be more relaxed, sweet and almost innocent to heed to her nurturing personality.” By taking communication and personality into consideration and adapting to her target’s personal communication style, Isabelle is able to not singularly focus on the flags that she needs, and instead works to naturally lead the conversation in the right direction to compromise the target.
The most valuable resource a visher can take advantage of is training, either prior-to-starting and/or on-the-job. Ron discussed how learning from his vishing team was a key contributor to his success, “I really love listening to other calls. Both compromises and shutdowns. Reading the tactical and psychological theory behind successful vishing was huge, but for me, actually getting to hear vishers use the techniques I’d been reading about was where I was able to really internalize how those tactics could play out against real targets.” The value of taking a formal education course in social engineering should be emphasized when training for a career involving vishing. Before being hired, Isabelle completed Social-Engineer’s Advanced Practical Social Engineering (APSE) week-long training course. She says it was the best training focused on social engineering she received, and that it helped lead to her success in her new role. “Attending the APSE training course, however, was the best thing I could have done before beginning vishing. By attending the course, I learned the most successful tactics to influence people into revealing confidential information and how to recognize the different communication styles in people.”
Prepare, Prepare, Prepare
Joe Gibbs is quoted as saying, “A winning effort begins with preparation.” That advice speaks volumes especially in the context of vishing work. Whether it’s your first or your one hundredth call, preparation truly is key. Start with setting up your workspace in a way that gets you to the right headspace. Be away from, and try to minimize, any distractions. Take time to get yourself mentally prepared to start the call. Isabelle says, “I enjoy listening to music that hypes me up before I begin making calls. I put my headphones in, turn my music up loud, and jam out for a few minutes to get my confidence level up. Putting myself in a positive, enthusiastic mindset greatly influences the success rate when I do my vishing.”
A solid pretext can be the difference between success and failure on a vishing call. Before any call is made, you should know your character so well that you are comfortable speaking and answering questions as that person. Oftentimes, to truly embrace a character and a pretext, Open Source Intelligence (OSINT) gathering is required. Your end goal or needed flags will drive the need for procuring OSINT. Sometimes, vishing calls themselves are used as OSINT, gathering needed information that can otherwise be difficult to find publicly. By asking seemingly innocuous questions, you can compile your information to make a better, targeted vishing call. Other times, you will need OSINT to create a believable pretext. In our Social Engineering Capture the Flag (SECTF) competition, held at DEF CON and DerbyCon, we have observed that competitors who have spent dedicated time on OSINT prior to competing have had the most success on their vishing call portion of the competition. Over the years, our SECTF reports have consistently shown that simply learning the names of people who work in the company and using terminology the target may be familiar with helps gain vishers the most flags.
The Dreaded Burnout
Many times, when describing what we do for a living, people say, “That sounds like fun!” While being a social engineer is a uniquely enjoyable experience, the toll of making calls can become emotionally and mentally overwhelming. For our new vishers, a variety of challenges have presented themselves. For Ron, although he speaks enthusiastically about how this is the most fun he’s had on a job, he also shares the struggle of dealing with shutdowns and how those outcomes can get him feeling down. “Getting shut down a bunch of times in a row can put me in a headspace where I am trying too hard, and getting a little too hungry for a win, which makes me a little obvious and burns me out faster.”
To combat the mental and emotional fatigue and toll vishing takes on most professionals, it’s important to take breaks, breathe deeply, and talk to your colleagues to share your successes, failures, and frustrations. People in emotionally difficult work “need to have guiding principles and actions that emphasize their own health and well-being.” Find what works for you personally and ensure that you take care of yourself. Isabelle says that having a hands-on hobby helps her when she is feeling overwhelmed, “When I start to realize that I need to let out some steam, I grab pen and paper and sketch a couple doodles for a few minutes before hopping back on the phone. Doodling helps me loosen up and take time to breathe.”
For the Greater Good
Another effective way to regain a positive vishing mindset is to remember the larger picture: you are being professionally contracted to assess people on their security posture. When asked about this Ron says, “Our clients get a practice run against vishers who are trying just as hard as a real attacker would. But in this case, they can examine and adjust their training and preparedness.” You are ultimately helping an organization and its most valuable—and vulnerable—assets. Isabelle also focuses on how this helps beyond the corporate scene, “The client’s employees are consistently being reminded to be secure, which ultimately benefits them not just in their company, but also their private lives as well.” You have the opportunity to influence an enterprise’s culture; and you have the opportunity to help real people protect themselves and their families from malicious actors. And we call that, a win.
While actively involved in a vishing campaign, it’s easy to fall into the loop of being on call after call, which can lead you to lose sight of the human being on the other end of the line. To not lose that sense of humanity, Isabelle says she has to focus on working towards the betterment of the client. “By keeping this mindset throughout my work, I can easily monitor the words that I choose and the tone of voice that I use on the target. By taking a break every few calls and reminding myself once again that this is for the safety and security of an incredible number of people, I am more inclined to take into consideration the emotional side of the target individual.” It’s very easy to get hungry for the win, to get so excited that you forget that you are talking to a real person. Having a personal code of ethics will help you to stay focused on doing the most good for the client and keep you from participating in unethical acts that leave your target feeling vulnerable or discriminated against. While this may add a challenge to your engagements, you will also find that the results and teachable moments your clients are able to provide their employees is of far greater value.
Remember, “leave them feeling better for having met you,”—always.
Written By: Amanda Marchuck and Allie Hansen
*Names have been changed for privacy.
Sources:
https://blog.oxforddictionaries.com/2015/02/26/vishing-unboxing-teachable-moments-new-words-added-oxforddictionaries-com/
https://www.social-engineer.org/framework/attack-vectors/vishing/
https://www.social-engineer.org/framework/general-discussion/real-world-examples/phishing/
https://www.social-engineer.org/sevillage-def-con/
https://www.social-engineer.org/resources/2018-social-engineering-capture-flag-report/
https://www.cutimes.com/2018/09/28/nearly-half-of-mobile-calls-will-be-scams-by-2019/?slreturn=20190311122658
https://www.social-engineer.com/vishing-service/
http://www.irongeek.com/i.php?page=videos/derbycon8/track-1-00-irs-hr-microsoft-and-your-grandma-what-they-all-have-in-common-christopher-hadnagy-cat-murdock
http://www.washingtonpost.com/wp-srv/sports/redskins/history/gibbs/articles/jg93feat.htm
https://www.social-engineer.org/framework/influencing-others/pretexting/successful-pretexting/
https://hbr.org/2016/08/coping-with-the-effects-of-emotionally-difficult-work
https://www.social-engineer.com/it-is-important-to-have-ethics-in-social-engineering/