Vishing for Whales
By Gavin Debetaz, Information Security Analyst
This is the account of a vishing project for a small organization in Nebraska that wanted to test all of its employees. My cover was “Ryan” from their local internet service provider. Using a spoofed phone number, I asked their employees to help me diagnose why a security patch update was not installing properly. I was given a name from their IT department to drop in the calls, and for this article we’ll call him “Joe.” On the calls, I mentioned that I was working with “Joe” and asked if the employees could assist by navigating to a website and performing a quick speed test on their device to make sure this was not a network-related issue. While network speeds might not be very useful in a real-world attack, an employee should never navigate to an unfamiliar website suggested by an unverified caller.
Typically, when performing vishing calls on an organization, you get a sense of their employees’ information security awareness early on. Their employees will answer the call with phrases such as “I did not receive any notice from our IT personnel about this” or “I do not believe I am authorized to do that.” These are all good responses, and usually result in a pass for the employee. Untrained employees can be more naïve and go along with what the analyst says because the analyst references the name drop, uses technical verbiage, and sounds official. One employee in this organization went along with my ruse over the phone and attempted to perform a speed test. When they navigated to the website, they were unable to perform the speed test properly. This is most likely because the organization has settings in place to prevent their workstations from connecting to test servers such as the ones used for these speed tests. This is still a failure for this employee because they navigated to the website, but it was not the result that I had hoped for. As I progressed through the rest of the campaign, I did not have much luck. The organization’s employees were deflecting my calls to their IT department or ignoring them altogether.
There was one more number that I had left to call, but I assumed there would not be an active engagement: the CEO of the organization. Typically, CEOs do not answer random calls, or they delegate that responsibility to their secretaries. Sure enough, a secretary answered the phone, and I used my alias to mention that I needed to consult with the CEO about this possible network issue. To my surprise, I was transferred over to the CEO. He answered and seemed to be in a bubbly mood. I was in no rush, so I introduced myself using my alias. The CEO began to make small talk, asking which location I was at currently. Thankfully, I had done prior research before the call and referenced a location that was close to their office in Nebraska. The CEO then asked if I had ever travelled to Omaha, and I lied and said that I had. Let it be known, I had never been anywhere near Nebraska. He mentioned that his family likes to travel there frequently and that there was a seafood place in the area that he loved. As the CEO rambled on about this place, I muted my microphone to quickly search for seafood restaurants in the Omaha area. Once he mentioned the name of the place, I quickly navigated to their page on Yelp. I mentioned that I loved their lobster roll, and the CEO agreed that it was great.
After engaging in this small talk, the CEO seemed more willing to assist with what I needed. Since I knew that the speed test would not work, I figured I would push my luck and attempt something riskier. I asked the CEO if he could open a command prompt on his computer and type a command. Most users would never fall for this, especially if they are unfamiliar with command prompts. But the CEO agreed and ran the command. Then I asked him for as much information as I could, and he provided internal IP addresses, MAC addresses, and other highly sensitive information. Thankfully, I had no ill intentions, but an attacker’s mouth would be watering if they managed to secure this information. The CEO seemed willing to do whatever it took to help me after I had earned his trust, but after doing my due diligence, I thanked him for his help, suggested trying the blackened catfish on his next trip to Omaha, and ended the call.
As mentioned before, it is important to make sure everyone in an organization is properly trained on how to respond to these types of situations. An attacker is aware that employees who are constantly answering the phone are less likely to fall for these attacks, so they will search for other numbers and extensions to target. This specific failure fell on the shoulders of two employees who did not respond properly. First, the secretary transferred me to the CEO without verifying my identity. Second, the CEO did not verify my identity before revealing sensitive information. Even though high-ranking members of an organization might seem too busy to concern themselves with information security training, they are just as important a target in an attack as anyone else and should be treated as such.
TraceSecurity recommends performing these types of social engineering campaigns on your employees regularly, especially as new people are hired and others change positions. It is easy to assume that your employees would never fall for a trick like this, but our analysts make these calls all the time and are experienced in what to say and how to act to convince people to believe their stories. We also recommend testing anyone and everyone that you can in your organization, even your high-level executives. Anyone can be susceptible to these attacks, and executives are the most dangerous members of an organization to fall victim to an attack like this.