The ZeroFox Alpha Team has been assisting industry and threat-sharing partners in tracking a large-scale vishing (voice phishing) campaign targeting financial institutions, cryptocurrency exchanges, telecommunication companies and single-sign-on (SSO) providers. The actors target employees of a company and do an extensive amount of research on the employees and the company to build a convincing persona of an IT contractor working with the victim company. The actors call the victims using this information to serve a phishing site that is tailored for the company, including the company’s SSO portal. Once the victim logs into the phishing portal, the actors attempt to access corporate VPN to gain access to internal tools and dashboards.
Alpha Team, alongside industry partners, assess that it’s probable that the major social media breach involving high-profile celebrities, politicians and business figures may have been due to a targeted vishing attack, resulting in an internal administrative panel being abused to take over these influencer accounts. Let’s take a look at the tactics threat actors are using to pull off a successful vishing attack and what security teams can do to prevent one.
Voice Phishing Yields High Rewards for Threat Actors
Vishing, or voice phishing, is a technique where an attacker calls a victim and performs a phishing attack over the phone. The harvesting of victim data can be achieved in different ways, such as the victim surrendering personal details over the phone. Vishing is also an effective way to get the user to visit a malicious website using pretext and social engineering.
ZeroFox Alpha Team has been assisting industry and threat-sharing partners with an investigation into a large-scale and effective vishing campaign targeting a number of industries.
Steer Clear of These Vishing Tactics, Techniques and Procedures
The TTPs of this group involve monitoring for new employees in their list of target industries. Here are the top industries they are targeting:
- Financial institutions and cryptocurrency exchanges linked to high net-worth cryptocurrency influencers
- Telecommunication and mobile companies
- SSO providers
- Public platforms such as social media, websites and code sharing sites
ZeroFox’s Alpha Team assesses that it is almost certain the actors target these types of industries for account takeover purposes, especially if they can use internal tools or panels to perform these account takeovers.
The vishing actors use Open Source Intelligence (OSINT) via social networks, company listings and announcements to target employees and determine the tools and software the company uses. For example, if a company has an IT Administrator that lists “Active Directory, Microsoft Teams” within their job profile on social networks, the actors will use this OSINT to build a voice script when interacting with possible victims at that company. In some cases, threat actors have registered LinkedIn profiles to connect with employees to gain access to people, information and announcements directly from the employees.
The actors will then register a domain using a combination of deceptive keywords and deceptive brands within the domain. The deceptive brand could include the target company or the target company’s SSO provider. The deceptive keywords we’ve seen so far could include any of the following:
The keywords can be plural (such as tickets), as well as contain hyphens (ticket-). Of observed domains, almost all had TLS certificates (typically Let’s Encrypt). The observed domains have mostly been registered with Namecheap and Shinjiru, possibly since they can accept cryptocurrency as payment.
Once a phone call is established with the target victim, the vishing actors use pretext built from their OSINT research to gain the trust of the victim. They pose as a member of the IT team and instruct the target victim that they are working on a ticket associated with VPN or SSO access. The malicious actor then directs the victim to the phishing site, which is made available online only for the duration of the attack. This means that they stage domains and pages ahead of the attack, then turn the websites off to avoid being banned from the registrar or being added to a blacklist. Due to the nature of the domain ecosystem, it is difficult for defenders to determine which domains belong to this actor group, especially with parked pages and search engine optimization from registrars creating these domains in their zone files before they are even bought.
Victims will visit the website, then input their credentials and their two-factor authentication code, which is replayed to the actors who then login separately to the SSO provider. Once connected, the actors can stage persistence via adding secondary two-factor authentication devices, as well as use the access for a VPN connection to access internal portals and tools.
The ZeroFox Alpha Team advises that these compromises are intended for long term access, allowing threat actors to finish the ticket call and then maintain access for some time afterward. They then broker this access and sell it to members of account takeover communities, whether to steal cryptocurrency or for bragging rights.
Avoid Getting Hooked by Vishing
This style of vishing is effective due to the assumption that a two-factor authentication code can help prevent phishing attacks. If the attack focuses specifically around spear-phishing, where a singular victim is targeted, then two-factor authentication is just as effective as usernames and passwords. A defense-in-depth approach involving training and education, monitoring and pre-emptive blocking of problem domains, SSO auditing, and employing role-based access best practices for internal panels will help mitigate most of the Tactics, Techniques and Procedures (TTPs) of this group.
Digital Risk Protection will help security teams quickly identify impersonation scams, domain spoofing and targeted threats against your organization. Without a digital risk protection service in place, security teams, especially those in the targeted industries group we previously identified, are tasked with promptly educating employees about the dangers of vishing.
If you have questions about how your organization can prevent a vishing attack, contact our team here.