Hacking Exposed: Unified Communications & VoIP Security Secrets & Solutions, Second Edition (2014)
PART II. APPLICATION ATTACKS
CHAPTER 9. VOICE SOCIAL ENGINEERING AND VOICE PHISHING
Dear Valued Customer,
We’ve noticed that you experienced trouble logging into Chase Online Banking.
After three unsuccessful attempts to access your account, your Chase Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Chase is committed to make sure that your online transactions are secure.
To verify your account and identity, please call our Account Maintenance Department at (800) 247-7801 24 hours/7 days a week.
Online Customer Service
—Voice phishing email
“Dear valued customer, your online account has been compromised. Please call 1-(800) 247-7801 to verify your account and identity. Call 24 hours /7 days a week.”
—Voice phishing call
Social engineering is a broad issue, where the attacker is trying to trick the victim into giving up valuable information and/or doing something they should not. The information may be personal information (PI) such as a social security number, financial account data such as an account number or PIN, or even government or trade secrets. There are many techniques for doing this, ranging from physically masquerading as a trusted individual to sending millions of emails trying to trick the user into clicking on a link. Social engineering technically includes activities such as dressing up as a repairman or other accepted/trusted individual and entering an area to get information. Human intelligence (HUMINT) and outright spying are also social engineering activities. These are effective but risky endeavors that put the attacker at more risk than most usually want to assume. At the other end of the spectrum, an attacker can generate millions of email messages, hoping that a tiny percentage of the users are gullible enough to click on a link that they shouldn’t. There is little risk in this attack, but it has lost a lot of its effectiveness because most users know they should not be clicking on links or visiting web pages that they don’t trust.
Covering all these forms of social engineering is well beyond the scope of this book. We will focus on those that involve voice calls and the clever use of UC to make attacks more effective. Voice, and telecommunications in general, is a perfect medium for faking familiarity and building trust while keeping the attacker at a comfortable distance. An attacker armed with a little bit of PI, social skills, and moxie can often coax a bit more information out of a contact center agent trying their best to be helpful. The attacker can build trust, interact, and gather information, but is still somewhat safe from getting caught.
Voice phishing, a form of social engineering, involves sending emails or making voice calls requesting users to call a number (usually a 1-800 number). When the victim calls the phishing number, it is answered by an interactive voice response (IVR), which gathers information from the user (just like an email phishing site). This attack is effective because users are somewhat more trusting of a voice call (although users are getting sensitized to all the voice SPAM and robocalls they receive).
This chapter first covers voice social engineering and harvesting information out of an IVR, followed by voice phishing (sometimes referred to as “vishing”). These attacks are all about gathering information through voice and UC.
Voice Social Engineering
Voice social engineering is the process of manually calling a human and trying to get general information, PI, financial information, or an action out of them. The techniques of finding a target, building trust, being engaging, and so on, are beyond the scope of this book. Many resources and in fact entire books have been written on this subject. Go to Amazon and search for “social engineering” and you will find a number of books, including one by the most famous social engineer of all time, Kevin Mitnick, whose book is The Art of Deception: Controlling the Human Element of Security. A list of social engineering books is provided here:
• The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick, William L. Simon, and Steve Wozniak (Wiley, 2002)
• Social Engineering: The Art of Human Hacking by Christopher Hadnagy and Paul Wilson (Wiley, 2010)
• Educational Archives: Social Engineering 101, starring Dick York (Fantoma, 2001)
• No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing by Johnny Long, Jack Wiles, Scott Pinzon, and Kevin Mitnick (Syngress, 2008)
Financial services organizations are a primary target of social engineering attacks—in particular, the elements within those financial organizations that actively process payments, credit cards, and other liquid financial transactions. Attackers often call with partial information, such as the customer name, SSN, account number, or the amount of a previous bill, and then attempt to talk the representative into divulging additional information, which eventually allows the perpetrator to access the account and extract money. This type of attack’s success relies on a convincing attacker and a less-than-vigilant, inexperienced, overloaded, or overly helpful agent. The largest banks in the United States can have over 10,000 agents, and you can be assured that some of them will be vulnerable to social engineering.
Although more and more customers use the Internet for account management, many customers still use voice services, especially for financial transactions. From our experience, across the financial industry, transactions are divided about 50/50 between the Internet and voice contact center. Simple voice transactions are often handled by a contact center IVR, but for complex transactions, such as moving funds between accounts or to an external account, a much greater volume is handled through an agent. In addition, Internet-based fraud detection has arguably improved to the point where attacking UC and a contact center is more attractive to fraudsters. Internet-based fraud detection never gets tired, is never inexperienced, and is never overly helpful—it is a constant.1,2,3
UC combined with other factors has made social engineering much easier for attackers and more difficult for enterprises to detect. First, as discussed extensively in Chapter 6, attackers can easily spoof their calling number to masquerade as legitimate users or cover their tracks. It has also become increasingly easy for attackers to arm themselves with basic PI, such as a victim’s name, date of birth, mother’s maiden name, possible security question answers, and more information obtained from the Internet. By spoofing the calling number, using some basic PI found from the Internet and IVRs, and finding a vulnerable agent, the attacker can gather even more information. Multiple calls can be made, and over time everything that is needed to enact an illicit financial transaction is at hand. Figure 9-1 illustrates this type of attack.
Figure 9-1 Voice social engineering
The following sections cover the various techniques used to perform social engineering. We will also cover other scenarios outside the financial contact center example used thus far.
Restricting or Spoofing the Calling Number
We covered spoofing the calling number in Chapter 6, but a quick review and discussion of how this applies to social engineering is useful. Any sophisticated social engineering attack will restrict or spoof the calling number because only a total novice would call over and over from his or her own phone number. Virtually all enterprises and “all” contact centers maintain CDR databases that record the source number and other information about every call.
Restricting your calling number is easy. Simply enter *67 before dialing the called number. This will prevent the source number from being presented to the called party. Everyone has received these types of calls, which normally show up as “BLOCKED” and are quite common. Figure 6-1 in Chapter 6 shows that 3.5 percent of calls into contact centers had their calling number restricted. Figure 6-2 in Chapter 6 shows some 4.9 percent of calls had a spoofed calling number. You have to ask, why are so many users bothering to block or spoof their number?
Entering *67 prevents the calling number from being presented, but does not necessarily prevent it from being sent. For example, your calling number may be sent, but a flag is set to tell the IP PBX or handset not to display it. Also, the calling number is always transmitted for a 1-800 number, because the owner (usually a contact center) needs the number for billing purposes. If you are going to perform social engineering, it is much better to spoof your calling number.
Spoofing the calling number can be used for many purposes. For example, you can randomly select a calling number each time you call a call center. This will prevent the enterprise from tracking you. Even better, you can spoof the calling number to that of the user for whom you are trying to gather information. Some contact centers will accept the calling number as one authentication factor. Very few, if any, will depend totally on calling number, but if your intent is to steal funds from “John Smith,” it certainly helps to call in with his phone number. In fact, most contact centers will perform an ANI match, where they compare the calling number to the number saved for the customer. When they match, the software detects that it is “John Smith” calling and provides a greeting and also a first form of authentication. This will help the attacker get off on the right foot.
Another clever use of a spoofed calling number is to call an enterprise user with a number that looks like it is coming from within the same organization. If an enterprise user gets a call from a number with the caller ID of the same enterprise, this will increase the chances they will take the call and have a higher level of trust.
Restricting or Spoofing the Calling Number Countermeasures
We covered restricting or spoofing calling number countermeasures in Chapter 6. About the only difference is that contact centers should not trust the calling number and never use it as an authentication value.
Social Engineering for Financial Fraud
One of the most common forms of social engineering is to gather information to commit financial fraud. Contact centers and vulnerable agents are a common target. These attacks are very frequent and constant. We have observed these attacks across virtually all major financial and insurance contact centers. In one example, a social engineer from a known source number was calling thousands of times a month, looking for a vulnerable agent. Figure 9-2 shows an example of a persistent social engineer, who called in hundreds of times a month and continued calling, even when a rule was put in place to start blocking calls from that number, which implied that the calls may be automated. Attackers commonly continue to probe for weakness even though they are not currently able to exploit a specific vulnerability.
Figure 9-2 Persistent social engineer
Gathering Personal Information
Gathering personal information such as social security number, date of birth, mother’s maiden name, and phone number as a way to get critical account information (for example, account number and PIN) is getting much easier. An attacker armed with some basic information can use social networking to gather more important data. Various resources on the Internet can be used to gather basic personal information:
• Facebook This is a great place to gather basic information. Users routinely post phone numbers, addresses, and info that can be used for security questions (for example, pet names, high schools attended, and links to relatives, which can be used to determine maiden names). See the online article “Finding Phone Numbers on Facebook,” which describes how to perform searches, especially for phone numbers.4
• Other social networking sites Twitter, Instagram, Tumblr, and LinkedIn can also provide information about the user.
• Social security numbers (SSNs) Researchers at Carnegie Mellon University have discovered that with some basic information, such as the date and location of birth, it is possible to guess someone’s SSN. Note that there is no perfect formula here: You may only be able to guess some of the digits, so you may have to guess 100 to 1,000 different SSNs. This research is well documented, with one of the best resources being the researcher’s presentation at the 2009 Black Hat conference.5
• Credit reports These can be obtained from hacker sites or legitimate credit score sites. These sites do challenge the requestor, but the challenge is often easy to guess and the same across multiple sites. The credit report itself contains a lot of information about where the consumer has accounts. See the article “Hackers Turn Credit Report Website Against Consumers” on gathering information through credit reports.6
• Ancestry.com This site can be used to identify personal information such as the user’s ancestors’ names.7
• Plaxo.com This site (and similar sites) can be used to track a user’s address information as they move around physically and over the Internet.8 Plaxo is a good way to gather information about targets and determine where they are now.
Of course, there are many traditional ways to gather PI, including malware on consumers’ PCs, email phishing, or dumpster diving. These methods are beyond the scope of this book, but can augment what is found on the Internet, making it just that much easier to have all the information you need for social engineering or actually performing illicit financial transactions. Note that one way to get key PI is through voice phishing, which we cover later in the chapter. Using PI from the Internet, voice phishing, social engineering, and having a willingness to enact the illicit financial transaction is a lethal combination.
Picking a Specific Contact Center as the Target
Financial organizations use essentially the same processes to authenticate a user before they are willing to make a financial transaction. Organizations such as the Federal Financial Institutions Examination Council (FFIEC)9 govern these procedures to some degree. In this context, we refer to a movement of funds outside of the enterprise. It is often easy to move funds from account to account within an enterprise if owned by one user. It may also be easier to move funds from one user to another user within an enterprise, but the attacker’s goal is usually to move the funds to an external account, perhaps out of the country, where it can be more safely accessed.
For social engineering, you are typically targeting an agent, but knowing the security procedures of the user’s financial enterprise is useful. Some security procedures may be weaker than others, or conversely may require a piece of authentication information that you are finding difficult to gather. You may find that some contact centers place more value in the calling number, thus making spoofing more useful. You may find that some contact centers are just less secure. You may find that some seem to have many inexperienced, overloaded, or overly helpful agents, and you may find that others do very little correlation between multiple calls and queries into an account. Conversely, you may find that some contact centers require callbacks, faxes, or some other out-of-band authentication.
One security mechanism that some contact centers use is to call back the number recorded for the account for any customer. This mitigates calling number spoofing, because the callback will go to the real user’s number rather than to the attacker. One way for attackers to address this is to make a separate call in to change the account’s phone number, using the reason that the user has “moved.” The illicit financial transaction would need to follow quickly (but not too quickly) before the real user is notified of the change to their account. Whether you identify a financial organization with weak security procedures or one whose procedures you know thoroughly, you will definitely want to reference this organization as part of a voice phishing attack, which we cover later in this chapter. Why randomly pick a secure bank when you can select an unsecure bank?
Once you have basic PI for a targeted user, the next step is to try to get enough information to enact an illicit financial transaction. What information you need will depend on the bank, financial, or insurance company you are trying to social engineer. Social security number, date of birth, mother’s maiden name, address, and pet’s name are some pieces of information that agents may use to verify a customer’s identity. Remember, even if you are a seasoned social engineer, you won’t be able to trick someone into giving you information that a legitimate customer would normally know. How, for example, would you convince someone that you forgot your social security number? Account number and PIN, probably so; SSN, not likely.
Remember that by spoofing the calling number, you can immediately look like your victim. Couple this with basic PI and you will be able to get more data, such as the account number, if you find the right agent. Try telling the agent something like, “I wanted to check my account balance for a purchase, but could not remember my account number in the IVR.” Once you have the account number, the next step can be to change the PIN, which is common because users routinely forget them. You can also guess at account balances if you have to: “Yes, there is about $50,000 there, but my wife just signed us up for a cruise.” If you are off, you can always politely hang up and try again at a later time, almost certainly getting a different agent.
Again, not all agents are the same. If you are patient, persistent, and continue to call, you will eventually get someone who is less experienced, tired, overly helpful, or just not aware of the proper security process. Be a little wary, though, because some contact centers will detect suspicious activity on an account and redirect calls to more experienced agents, who can behave like a human honeypot. If you sense this, move on.
Example of a Social Engineering Scheme
Here is a description of a real-world social engineering scheme involving an attempt to steal funds from a home equity line of credit over a two-day period. The target enterprise was a bank within a large insurance company. The social engineers were a male-female pair who masqueraded as a married couple. They had managed to gather basic PI about the victim, including SSN, statement balance, and birth date. It isn’t known if this came from statements or other prior social engineering efforts. As the call proceeded, the attackers did the following:
• Passed the authentication questions by giving address, SSN, statement balance, and birth date.
• Established a set of security questions for the account for both the male and female.
• Got the most recent available funds balance on a home equity line of credit. It was $90,000.
• Discovered how to transfer funds directly out of the account, by first leading the agent with a ruse about transferring payment funds into the account.
• Got international wiring instructions to a foreign country.
• Discovered that wiring would require a call to the home phone number for verification.
During the call, excessive background noise and many requests for information to be repeated created a very tiring and difficult environment for the contact center agent to concentrate, and gave an impression that the customer needed an extra degree of helpfulness. The call length was also very long, and most of the suspicious information gathering occurred late into the call when the agent was made most malleable. For the second call the following day, the attackers did the following:
• Attempted to wire funds.
• Had worked with the local telecommunications provider to have the customer’s home phone forwarded to the social engineer’s cell phone. Alternatively, the social engineer could have changed the user’s callback number.
• Accepted the funds transfer verification call.
For an article with a description of a real-world attack, see “Takeover Scheme Strikes Bank of America.”10 See the articles “Banking Malware Finds New Weakness” and “How to Stop Call Center Fraud” for information on how attackers are changing the consumer number to enable transaction verification.11,12
Getting Information Out of an IVR
An IVR can also be a source of information. You can’t social engineer an IVR, but you can definitely analyze its behavior. For example, you can check to see if the IVR behaves differently based on the source number from which you’re calling. You can also try a few different source numbers, such as one you know is invalid (for example, 111-111-1111), and then if you have it, the source number of the victim. The IVR may behave differently, using the source number as one authentication value. Many IVRs that process credit and debit cards ask for the account number immediately, and you can use this setup to see if you have a valid account number for your intended victim. If you do have the account number, you can guess at the PIN, which is often a short string of four numbers. You can even automate this if you can determine how to detect that the PIN entered was correct. Once you have this information, you can also check balances, lines of credit (LOCs), and so on. Asterisk provides the capability to do this. Figure 9-3 illustrates some of these scanning attacks.
Figure 9-3 Getting information from an IVR
Checking account balances can also be helpful if you are using a “mule” to physically pull money out of an account that you transferred money into, as a way to confirm that they did what they were instructed to do.
Using DDoS and Other Attacks to Make Social Engineering Easier
You can also use a distributed denial of service (DDoS) attack against an enterprise’s financial website, which will not only consume the time and focus of security personnel, but also drive consumers from the website to the IVR and contact center. This will overwhelm agents and possibly leave them in a mental state where they try harder to help frustrated consumers and bypass security measures, thereby making it easier to perform social engineering or even make financial transfers. The article “DDoS Attacks—First Sign of Fraud” discusses this technique.13
Social Engineering for Financial Fraud Countermeasures
Protecting your personal information is critical, although this is getting more and more difficult. Try your best not to give out personal information any more than necessary, and avoid voluntarily placing information on the Internet that you don’t need to share. Some sites will find it anyway, but there is no reason to make it any easier for them. Unfortunately, once information is available online, it is hard if not impossible to remove it.
Unsophisticated social engineering attackers can be stopped if they continually call from the same number or with numbers from parts of the country or world where an enterprise doesn’t do business. These calls can be detected or blocked with a basic blacklist. Callers can also be detected or blocked by having the audio analyzed if they block their calling number. As stated, blocking the calling number actually makes it easier to detect the attacker.
The recommended “best practice” to successfully identify and defend against social engineering attacks via voice lines is having the capability to analyze calling patterns and correlate them to known or suspected fraudulent social engineering activities. Once suspicious activity is detected, the ability to record and analyze those calls to determine whether they represent social engineering is key. Confirmed or suspected social engineering calls can then be redirected to more experienced agents or the security team. Blacklists can be used to block future calls from numbers known to be associated with social engineering. Companies such as SecureLogix (www.securelogix.com) have voice firewall and IPS products that can monitor for this type of activity.
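The calling-pattern analysis recommended above is straightforward to prototype from the CDRs every contact center already keeps. The script below is an added example, not code from the book or from any vendor named in it. It assumes a constructed CSV CDR format (timestamp, calling number, called number, seconds, presentation flag), a small allowlist of area codes where the enterprise does business, and a blacklist of known social-engineering numbers; it flags persistent callers (the Figure 9-2 pattern), restricted numbers, implausible numbers such as 111-111-1111, blacklisted numbers, and out-of-region callers, and builds a queue for recording review or redirection to experienced agents.

```python
"""Flag suspicious inbound callers from contact-center CDRs.

Added example; not from the book. The CDR format and all numbers are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs. "restricted" models a caller who used *67 style
# presentation blocking; the number is withheld from the agent display.
SAMPLE_CDRS = """\
2014-03-01T09:02:11,2105550142,8005551000,412,allowed
2014-03-01T09:41:53,2105550142,8005551000,398,allowed
2014-03-01T10:15:02,4155550199,8005551000,120,allowed
2014-03-01T11:03:44,2105550142,8005551000,455,allowed
2014-03-01T11:59:30,2105550142,8005551000,431,allowed
2014-03-02T08:12:07,2105550142,8005551000,405,allowed
2014-03-02T08:30:19,,8005551000,61,restricted
2014-03-02T09:44:50,6465550123,8005551000,300,allowed
2014-03-02T10:02:33,1111111111,8005551000,12,allowed
2014-03-02T10:20:00,2105550142,8005551000,440,allowed
"""

# Constructed policy: area codes the enterprise serves, plus a blacklist
# of numbers previously tied to social-engineering attempts.
ALLOWED_AREA_CODES = {"210", "415"}
BLACKLIST = {"6465550123"}


def parse_cdrs(text):
    """Parse the constructed CSV CDR lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, calling, called, seconds, presentation = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "calling": calling,
            "called": called,
            "seconds": int(seconds),
            "presentation": presentation,
        })
    return records


def persistent_callers(records, max_calls, window):
    """Return {number: peak_count} for numbers that exceed max_calls
    within any sliding window of the given length (a persistent caller
    hunting for a vulnerable agent)."""
    by_number = defaultdict(list)
    for r in records:
        if r["calling"]:
            by_number[r["calling"]].append(r["time"])
    flagged = {}
    for number, times in by_number.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_calls:
                flagged[number] = max(flagged.get(number, 0), count)
    return flagged


def classify_source(record, allowed_area_codes=ALLOWED_AREA_CODES, blacklist=BLACKLIST):
    """Return a reason string for a suspicious calling number, or None."""
    number = record["calling"]
    if record["presentation"] == "restricted" or not number:
        return "restricted"
    if number in blacklist:
        return "blacklisted"
    if len(number) != 10 or len(set(number)) == 1:
        return "implausible"          # e.g. 111-111-1111 or a malformed number
    if number[:3] not in allowed_area_codes:
        return "out-of-region"
    return None


def review_queue(records, max_calls=4, window=timedelta(days=1)):
    """Build (time, number, reason) entries for recording review or
    redirection to experienced agents."""
    persistent = persistent_callers(records, max_calls, window)
    queue = []
    for r in records:
        reason = classify_source(r)
        if reason is None and r["calling"] in persistent:
            reason = "persistent"
        if reason:
            queue.append((r["time"].isoformat(), r["calling"] or "(withheld)", reason))
    return queue


if __name__ == "__main__":
    for entry in review_queue(parse_cdrs(SAMPLE_CDRS)):
        print(*entry)
```

The sliding-window count is what distinguishes a persistent social engineer from an ordinary customer who calls twice in a day; in production the window, the threshold, and the blacklist would come from the fraud team, and the queue would feed the call recorder rather than stdout.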
Another countermeasure is to employ some form of authentication, other than traditional PI. One authentication strategy is based on proving that the consumer is really who they say they are. There are different forms of this, but the most promising is the use of biometrics for speaker authentication. The idea is that consumers opt in, train the system to recognize them, and then confirm themselves when they call in. This technology is not perfect. Consumers must opt in to the service and train the system, and although the accuracy is not perfect, it is getting better and better. For more information on this topic, refer to the online articles “How Emerging Technology Fights Fraud in the Call Center Voice” and “Voice Biometrics as a Fraud Fighter.”14,15
There are quite a few companies in this space, including the following:
Another countermeasure is to employ authentication based on something that the consumer has in their possession, such as a credit card, some sort of token, or a smartphone. As discussed in Chapter 6, companies such as TrustID (www.trustid.com) have a calling number authentication service that confirms a consumer is really calling from their own landline or cellphone. See “Coping With the Threat of Fraudulent Funds Transfers” for a discussion of different forms of authentication.16
Nonfinancial Social Engineering
Social engineering can also occur outside a financial contact center. Spoofing the calling number is a great way to build trust. For example, if you are calling an enterprise user, trying to manipulate information out of them (such as passwords or other sensitive information), it is very useful to call with a number that looks like an internal extension. For example, if you are calling the Department of Defense (DoD) trying to social engineer information, you would want to call in with another number that looks like it is from within the same base or another part of DoD. Remember that if you call with the right number, the network will add on the correct caller ID string.
There are other examples where social engineering can be particularly effective—one example is hotels. Consider a scheme where you loiter around the hotel lobby and listen for the names of the guests checking in. “Reservation for Mark Collier?” Do this for a few minutes and you should be able to collect a few names, especially at a busy hotel. You may even hear the guests’ room numbers, but this isn’t common. Later, from an internal phone or your own phone, call and ask for one of the guests you heard checking in since you have their name. Hotels won’t normally tell you the room number. Once you get connected, say something like “I am very sorry, Mr. Collier, but our computer system went down and we lost everyone’s credit card information. Could you please give me your credit card again?” You could get the card type, number, expiration date, and verification code. This scheme might work best at hotels servicing a lot of tourists rather than business travelers.
Social Engineering Countermeasures
The best countermeasure is education, but it is difficult to educate everyone to be on their guard and suspicious. In general, users should never give sensitive or personal information to anyone they do not know and trust. In particular, be very cautious with your personal information, even with the people whose job is to handle it.
Incoming calls from the public network should never carry a calling number that belongs to the same organization or site. If they do, it probably indicates some sort of routing problem, which should be fixed anyway, because the calls may cost money or at least consume a trunk resource that they don’t need to. Incoming calls that appear to come from the same organization or site can be detected within the IP PBX or through application-level security products.
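The check just described, a public-network call whose calling number falls inside the enterprise’s own number ranges, is simple to express as a rule. The code below is an added example, not from the book or from any IP PBX product; it assumes constructed DID ranges, constructed trunk names that distinguish public (PSTN) trunks from internal ones, and call records as simple dicts. Calling numbers are normalized so that “+1 210-555-0420” and “2105550420” are compared the same way.

```python
"""Detect public-network calls that present an internal calling number.

Added example; not from the book. DID ranges, trunk names and call
records are constructed for illustration.
"""

# Constructed: the enterprise owns DIDs 210-555-0000 through 210-555-0999.
INTERNAL_DID_RANGES = [("2105550000", "2105550999")]

# Constructed: trunks that face the public network.
PUBLIC_TRUNKS = {"pstn-sip-1", "pstn-pri-2"}


def normalize_number(number):
    """Keep digits only and drop a leading country code 1 so that
    E.164 and 10-digit NANP forms compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def is_internal_number(number, ranges=INTERNAL_DID_RANGES):
    """True if the normalized number lies inside one of the enterprise's DID ranges."""
    digits = normalize_number(number)
    if len(digits) != 10:
        return False
    return any(lo <= digits <= hi for lo, hi in ranges)


def spoofed_internal_callers(calls, public_trunks=PUBLIC_TRUNKS, ranges=INTERNAL_DID_RANGES):
    """Return the calls that arrived on a public trunk yet claim an internal
    calling number: either a routing loop to fix or a spoofed caller ID."""
    return [
        c for c in calls
        if c["trunk"] in public_trunks and is_internal_number(c["calling"], ranges)
    ]


# Constructed inbound call records as an IP PBX might expose them.
SAMPLE_INBOUND = [
    {"trunk": "pstn-sip-1", "calling": "+1 210-555-0420", "called": "2105550100"},
    {"trunk": "pstn-sip-1", "calling": "4155550199", "called": "2105550100"},
    {"trunk": "internal", "calling": "2105550420", "called": "2105550100"},
    {"trunk": "pstn-pri-2", "calling": "12105550777", "called": "2105550300"},
]


if __name__ == "__main__":
    for call in spoofed_internal_callers(SAMPLE_INBOUND):
        print("internal caller ID on public trunk:", call["trunk"], call["calling"])
```

A matching call should be logged with the trunk it arrived on and, in a contact center, routed to a queue that does not treat the calling number as an authentication factor; the same rule also catches the legitimate routing errors the text mentions, so it is worth running even where spoofing is not the concern.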
Phishing is a type of identity theft or PI-gathering attack that has traditionally targeted email users and involves an attacker creating a spoofed website that appears to represent a legitimate site (a major bank, PayPal, eBay, and so on). Victims are usually lured into visiting the spoofed site and giving up the usual information—password, mother’s maiden name, credit card number, SSN, and so on. Email messages may also contain links to websites with malware that is installed on the victim’s device when a link is clicked. The malware can monitor for keystrokes after accessing a financial website.
Spear phishing is a related attack, where the email is targeted to a specific victim and contains information that further lures the victim into clicking on a link or otherwise taking action. Spear phishing is designed to have a high probability that the victim will take the desired action, whereas “standard” phishing relies on sending email messages to many potential victims, hoping that a small percentage will take the desired action.
Email phishing is still a very common attack, although one could argue that victims have gotten smarter about not taking action or clicking on a random link. Now with VoIP and UC, it has become cost effective to generate voice phishing attacks, which send emails or make automated calls with a 1-800 number to call back to. This attack has a number of advantages, which we will cover here. Let’s start by describing the process for the familiar email phishing attack and then move on to voice phishing.
Anatomy of a Traditional Email-based Phishing Attack
First, let’s briefly go through the steps of a traditional email-based phishing scam, as illustrated in Figure 9-4. As we will see later in the chapter, voice phishing differs only slightly in the communication mediums used for each step.
Figure 9-4 Email phishing
The Come On
The first step for any phisher is to compromise a server (most often a web server) to use as his base of operations. This ensures that if anyone tracks him back to that server, he can, for the most part, remain anonymous.
The second step is to use this server to get his initial message out to as many victims as possible to lure them into visiting his site. The underground phishing community uses several toolkits to generate and send the initial email. This means that many of these generated phishing emails will contain small identifying characteristics that anti-phishing and anti-spam security vendors can use to detect them.
The one unifying characteristic among all traditional phishing emails is the inclusion of a clickable link that seemingly points to a legitimate site. Phishers use a variety of HTML obfuscation techniques to divert that URL instead to their own malicious spoofed site.
The potential email victim pool is usually culled from the same lists that spammers use. Typically, thousands of emails are sent, but only a small fraction of the recipients actually fulfill the following criteria:
• They are legitimate users of the phisher’s targeted brand (a major bank, eBay, PayPal, and so on).
• They are gullible enough to believe the received email is a valid message from their financial institution.
• Their first reaction is to click the supplied link in the email so that an incident is averted regarding their account.
Before these conditions can be met, the phisher must already have prepared a believable spoofed copy of the targeted brand’s login page for the potential victim. This most often includes images and links taken directly from the targeted brand’s legitimate home page.
The main login page, which collects the victim’s username and password, often also leads to a second page, which asks for more specific information, including account information and verification details.
After the victim enters their information into the spoofed site, the site stores the information or emails the data directly to the attacker.
With voice phishing, or “vishing,” the idea is very similar to email phishing. The attacker sends out email messages that, rather than having a link to click, have a legitimate-looking number to call, which is normally a 1-800 number. Even better, the attacker can generate voice calls (with techniques similar to voice SPAM from Chapter 8) requesting the victim to call back to the 1-800 number. When the victim calls the 1-800 number, they are greeted by a fake IVR set up by the attacker to gather the victim’s account numbers and other information. Figure 9-5 illustrates this attack.
Figure 9-5 Voice phishing
Voice phishing involves an attacker setting up a fake IVR or a man-in-the-middle (MITM) environment. The intent, of course, is to trick victims into entering sensitive information such as account numbers, PINs, social security numbers, or generally any PI or authentication info that can be used to get more information to perform an illicit financial transaction. The IVR will record DTMF and/or audio, which can be easily replayed and decoded at a later time. VoIP, UC, and software such as Asterisk have made setting up this IVR much easier.
Voice phishing relies on victims being more inclined to trust a phone number than an email link. For a very low cost, an attacker can set up the IVR through a SIP provider, which is harder to trace than a compromised web server. Also, the nature of SIP service makes this type of attack even more feasible because most SIP services grant their customers an unlimited number of calls for a monthly fee (or at least a very low rate).
Figure 9-6 gives an example of a phishing email. It is from the first edition of the book, but gives you an idea what a real voice phishing email looks like.
Figure 9-6 Voice phishing email example
For examples involving voice phishing calls, go to www.800notes.com, which was also referenced in Chapter 8. This site has many examples of voice SPAM, scams, and voice phishing numbers and calls received by and reported by users.
We are witnessing the growth curve of this threat. There will most likely be many variants and more reported cases of voice phishing. It is important to emphasize that voice phishing is not a VoIP-specific threat, but rather the evolution of the same social engineering threats that have followed us throughout history, such as bulk faxes, telemarketing, phone confidence scams, email phishing, and text messaging spam. Also note that VoIP and UC are used to facilitate the attack, but the targets can be residential users with analog phones, users with smartphones, or enterprise users with any combination of TDM and UC.
Setting up a voice phishing attack is easy. Even back in 2006, Jay Schulman gave a compelling VoIP phishing presentation at the Black Hat Briefings in Las Vegas on August 2, 2006.[17] In his presentation, he demonstrated a proof-of-concept VoIP phishing attack with an IVR constructed wholly from open source tools. This presentation is still a great reference. In the following sections, we show how to set up a basic voice phishing operation. At its simplest level, this involves getting a 1-800 number, setting up the IVR system, and then generating the phishing calls to the intended victims.
The Come On: Sending Email or Voice Messages
We will discuss how to set up the voice phishing IVR later. Here, we discuss how to spread the word to potential victims. First, as with email phishing, we need to create a believable scenario, such as a major account issue, an information request, or some other “problem” to get the victim to call the IVR. Again, we can send emails or make voice phishing calls. Sending voice phishing emails is simple, similar to email phishing, but has the disadvantage that it doesn’t work much better than an email with a website link in it. One can argue that the victim may be more likely to make a call, but we can counter with the argument that making the call from a phone is harder than just clicking on a link. Traditional phishing email attacks are typically sent to tens of thousands or even hundreds of thousands of email addresses, with an average click-through rate of two to five percent. A tiny percentage actually clicks on the malicious website.
Because this is a VoIP and UC book, our preference is to make voice phishing calls, which have both pros and cons:
• Voice calls may get better responses, and we believe that users are still more likely to believe a voice call than an email (although they are getting more and more sensitized to robocalls for telemarketing purposes and scams).
• Building a list of victim phone numbers is arguably easier than getting email addresses. This is true if the fake IVR purports to be from a major bank or insurance company, because random victims are likely to have an account. This is also true for localized scams, such as a fake ticket or missed jury duty, where a range of local numbers can be called. You can simply call all the DIDs within a given exchange or area code (if you have the resources).
• The best reason is that voice phishing countermeasures are very rare at this time. There is a very low chance that a voice phishing call will be blocked, even within an enterprise. This is less true for voice phishing emails.
• The major disadvantage to making voice phishing calls is that even though making the calls is getting cheaper and cheaper, they can still cost money, and generating a call with even 10 seconds of audio requires quite a few packets (about 80 KB of audio payload, assuming G.711).
The content of the voice phishing call really isn’t any different than that of an email phishing attack, other than you will want to make it shorter. We have mentioned a few ideas, but in summary, here are a few common ones:
• Pretend to be a top-five bank, financial service, insurance company, or ecommerce company. This way, when you send an email or voice phishing message, it is likely to reach a victim who is a customer.
“Hello. This is Bill Stevens from American Express. Please call us immediately at 1-800-XXX-XXXX to discuss possible fraud with your credit card.”
“Hello. This is Bill Stevens from Citigroup. Please call us immediately at 1-800-XXX-XXXX to address your delinquent mortgage.”
• Pretend to be a local bank or other financial services company. This way, you can target a range of numbers within an exchange or area code. For local attacks, you may be able to leverage something like an accent to make the calls seem more authentic.
“Hello. This is Bill Stevens from local bank. Please call us immediately at 1-210-XXX-XXXX to discuss possible fraud with your credit card.” (Think of this message said with a friendly southern drawl.)
• Pretend to be a local court clerk and state that the victim has an outstanding ticket or has missed jury duty, and that if they don’t call in, a warrant will be issued for their arrest.
“Hello. This is the San Antonio court house. You have missed jury duty and a warrant will be issued for your arrest. You need to call 1-210-XXX-XXXX to resolve this issue.”
• Pretend that the victim’s auto warranty is about to expire. Everyone gets concerned when they hear that their auto warranty is about to expire.
“Your auto warranty is about to expire. Please call us at 1-800-XXX-XXXX to discuss an extended warranty.”
• Pretend to be from a mobile, phone, or ISP company and state there is an issue with the victim’s account.
“This is a message from Verizon. You have exceeded your data plan. Please call back at 1-800-XXX-XXXX during normal business hours.”
As discussed in Chapter 8, you can use the exact same techniques to attempt to reach victims or leave prerecorded messages for thousands of potential victims because the process is exactly the same. Once you have your vishing message set up, you simply generate calls to your intended victims. Again, free PBX software such as Asterisk/Trixbox, SIP trunks, and so on, make this process very easy and inexpensive. With a little extra work, you can extend your message to offer the victim a chance to press 1 to speak to an operator immediately, which will let you know that the victim may be gullible, or even to transfer them now to the IVR.
Toll-Free Number Providers
Performing a web search for “toll free provider” or “1-800 provider” yields pages of results. We chose the Voip-Info.org site shown in Figure 9-7 for its list of providers with discussions of the benefits of each one.[18] Some of the information can include which audio codecs are supported, how to configure dialing plans and trunk data in Asterisk, and other pertinent information. It doesn’t matter which provider an attacker chooses as long as one suits their purposes. It is worth noting that some of the providers will pay the “customer” if the call volume is high enough.
Figure 9-7 List of 1-800 providers
The Catch: Setting Up the IVR System
In Chapters 7 and 8, we discussed the benefits of Asterisk (or Trixbox) and then used it as the platform for our attacks because the PBX is easily installed and highly configurable. For a slight change of pace, we describe using Trixbox, a variant of Asterisk, in this chapter. With one bootable DVD, you can have Trixbox up and running within an hour. Remember, a voice phishing attack platform would likely be a remotely compromised machine where these components would be installed, if the attacker is competent. After the installation, the attacker can log in to the administrative web console to complete any other configuration to ensure Trixbox is working properly. Figure 9-8 shows the Trixbox administrative interface.
Figure 9-8 Trixbox system administrative interface
Once Trixbox is running, the attacker can connect it to the selected toll-free service by adding a trunk with the web console. Most of the toll-free providers have examples on their websites demonstrating how to configure the inbound toll-free trunks and the accompanying dial plans for Asterisk. If they don’t provide examples, a few simple web searches will provide the needed information.
Once Trixbox is ready to accept calls, the attacker can easily tweak the IVR platform, and this is where some creativity will serve them well. The phishing attack to be executed will dictate how the IVR will be set up. The more detailed, realistic, and believable the scenario is, the more likely the victim will be to call the number and enter their personal information. A great way to do this is to call up the real IVR, such as one from a bank, record the prompts, and use them for the phishing IVR. Keep in mind that just like email phishing, only a small percentage of victims will call the 1-800 number back. Therefore, once you have the victim, you don’t want to lose them because you were lazy and did not set up a realistic-sounding IVR.
Numerous sites can provide information on how to set up an IVR, and you will probably have to combine information from several of them because one site won’t have the exact setup information you will need. For a sample scenario, let’s imagine our fake bank prompts that will ask for the phishing target’s account number, telephone PIN, social security number, and ZIP code. Again, to make the attack more realistic, you should research the information necessary to access the account and mimic the prompts to lure the phishing target to take the bait. We have included a slightly modified sample IVR from nerdvittles[19] for our sample scenario:
This is a very basic example, but it should provide a framework for how an IVR could be constructed. FLITE is a voice synthesis module for Asterisk and will repeat the words in quotations. As you can see, a caller would be asked a series of questions to verify their account, including account number, PIN, ZIP code, and social security number, and the call is then disconnected. You would need to build a simple script to store the information the caller enters, but that should not be too complicated if you can write simple scripts.
If you would rather create your own recordings, you can add the following lines to your extensions.conf file, as demonstrated on the Voip-Info site.[20] This allows you to create your own custom sound files for the IVR.
Once you have prepared the recorded sounds for the IVR prompts, you can copy .wav files into the directory /var/lib/asterisk/sounds. The final step involves building a customized response menu system, called [custom-phish], for the incoming caller in /etc/asterisk/extensions.conf and then applying it through the Trixbox console.
The IVR system should now be set up for anyone to call the 800 number, hear the recordings, and leave messages.
Voice Phishing Countermeasures
There are several ways enterprises can prevent a voice phisher from contacting their employees in the first place.
Preventing Phishing Emails from Reaching the Victims
Standard email anti-spam security technologies work fairly well at limiting the number of phishing emails that get through to a potential victim. A variety of services, software, and appliances address this multibillion-dollar market. Here are just a few of the commercial software and service offerings in this space:
Preventing the Voice Phishing Messages from Reaching the Victims
As we covered in the previous chapter, voice phishing is a social issue that enterprises have limited ability to affect. Some solutions are the responsibility of the larger VoIP (and SIP) community. If the VoIP community does not work together to address voice phishing before it is a big issue, enterprises will be forced to adopt “traditional” mitigation strategies, which are expected to be similar to those adopted for other voice security issues such as voice SPAM (and robocalls in general). Keep in mind that if a voice message is trying to sell you something or is a voice phishing scam, the countermeasures are basically the same.
Some of the countermeasures the VoIP community and enterprises can take are discussed at the end of the previous chapter and include legal measures, ways to identify the voice phishing, authenticated identity, service providers, and enterprise voice phishing filters (blacklists/whitelists, approval systems, audio content filtering, and voice CAPTCHAs/Turing tests).
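The email anti-spam filters mentioned above and the enterprise audio content filters listed here look for the same lure signature: a callback phone number standing in for the phishing link, combined with pressure language and a request to "verify" account details. As an added example (not from the book and not any vendor's filter), the following heuristic scorer applies that logic to an email body or a call transcript. The sample messages, the 555 phone numbers, and the term lists are constructed for illustration; the weights are an assumption and would be tuned against real traffic.

```python
"""Heuristic scorer for voice phishing lures in email bodies or call transcripts.

Added example; not from the book and not any vendor's filter.  The sample
messages are constructed for illustration and use fictitious 555 numbers.
"""
import re
from dataclasses import dataclass, field

# NANP number in common written forms: (800) 555-0142, 1-800-555-0142, 800.555.0142
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)
# North American toll-free area codes.
TOLL_FREE_NPAS = {"800", "833", "844", "855", "866", "877", "888"}
# The lure replaces the phishing link with an instruction to call.
CALLBACK_RE = re.compile(r"\bcall\b", re.I)
# Pressure words that push the recipient to act before checking.
URGENCY_RE = re.compile(
    r"\b(immediately|locked|suspended|warrant|fraud|unsuccessful|delinquent|expir\w*)\b",
    re.I)
# Requests to "verify" or supply the data a fake IVR is built to harvest.
CREDENTIAL_RES = [re.compile(p, re.I) for p in (
    r"\bverify your (?:account|identity)\b", r"\baccount number\b",
    r"\bpin\b", r"\bsocial security\b", r"\bpassword\b")]

# Constructed samples: two lures in the style of the messages quoted in this
# chapter, and one benign notice that also contains a phone number.
SAMPLES = {
    "lure_email": (
        "Dear Valued Customer, after three unsuccessful attempts to access your "
        "account, your online profile has been locked. To verify your account "
        "and identity, please call our Account Maintenance Department at "
        "(800) 555-0142, 24 hours/7 days a week."),
    "lure_transcript": (
        "Hello. This is Bill Stevens from your bank. Please call us immediately "
        "at 1-800-555-0199 to discuss possible fraud with your credit card."),
    "benign": (
        "Hi team, the quarterly review moved to Thursday. Dial-in is "
        "1-512-555-0100; the agenda is in the calendar invite."),
}


@dataclass
class LureVerdict:
    numbers: list = field(default_factory=list)   # E.164-normalised numbers found
    toll_free: bool = False
    callback_request: bool = False
    urgency_hits: list = field(default_factory=list)
    credential_hits: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # Callback number (2 points) plus at least one pressure or credential signal.
        return self.score >= 3


def extract_numbers(text: str) -> list:
    """Return the NANP numbers in the text, normalised to +1NXXNXXXXXX."""
    return [f"+1{npa}{nxx}{line}" for npa, nxx, line in PHONE_RE.findall(text)]


def score_lure(text: str) -> LureVerdict:
    """Score one message; the callback number is the core signal, the rest add weight."""
    v = LureVerdict()
    v.numbers = extract_numbers(text)
    v.toll_free = any(n[2:5] in TOLL_FREE_NPAS for n in v.numbers)
    v.callback_request = bool(CALLBACK_RE.search(text))
    v.urgency_hits = sorted({m.lower() for m in URGENCY_RE.findall(text)})
    v.credential_hits = [r.pattern for r in CREDENTIAL_RES if r.search(text)]
    if v.numbers and v.callback_request:
        v.score += 2
    if v.toll_free:
        v.score += 1
    if v.urgency_hits:
        v.score += 1
    if v.credential_hits:
        v.score += 1
    return v


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict = score_lure(text)
        print(f"{name:16} score={verdict.score} suspicious={verdict.suspicious} "
              f"numbers={verdict.numbers} urgency={verdict.urgency_hits}")
```

A phone number on its own scores nothing, which is what keeps ordinary business mail (dial-in bridges, signatures) out of the quarantine; the verdict only becomes suspicious when the number is paired with an explicit "call" instruction and at least one pressure or credential signal. For transcripts produced by a speech-to-text front end, the same scorer can feed the audio content filter described above.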
Preventing the Victims from Calling Back to the Malicious IVR
Besides user education, there’s really not much an enterprise can do to prevent its users from calling a malicious IVR phishing system. The most obvious advice for end users is to always confirm the phone number of the financial institution before calling. You can find their number either on the back of your credit card or on the financial institution’s website.
A countermeasure unique to voice phishing is to maintain a list of the voice phisher scam numbers and block enterprise users from calling them. The Communications Fraud Control Association (CFCA)[21] reports these scams, but to receive information you need to be a member. Websites such as www.800notes.com track numbers reported by consumers. Companies such as SecureLogix monitor this activity and maintain voice phishing lists that are used in their voice firewall and IPS to block calls to these numbers.
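As an added example (not the book's, and not SecureLogix's or any vendor's code), here is the blocklist countermeasure just described, which also illustrates the blacklist/whitelist filter mentioned in the previous section, applied to a constructed extract of outbound call detail records. Dialed strings are normalised to E.164 before comparison, an allowlist protects the institution's genuine published number from a mistaken report, and a second pass flags any blocked number that several distinct extensions tried to reach, which is the signal that a lure message has landed in the enterprise. The blocklist, allowlist, CDR lines and 555 numbers are constructed placeholders, and the trunk-access prefix 9 is an assumption about the PBX dial plan.

```python
"""Outbound-call screening against a list of reported vishing callback numbers.

Added example; not from the book and not any vendor's product code.  The
blocklist, allowlist, and CDR lines are constructed for illustration and use
fictitious 555 numbers.
"""
import re

# Constructed blocklist in E.164, as it might be built from consumer reports
# (numbers users reported to a site like 800notes) or a fraud-sharing feed.
BLOCKLIST = {"+18005550142", "+18005550199", "+12105550177"}

# Constructed allowlist: the institution's genuinely published number, which
# must never be blocked even if a report mistakenly lists it.
ALLOWLIST = {"+18005550100"}


def normalize_nanp(dialed: str, trunk_prefix: str = "9") -> str:
    """Canonicalise a NANP dial string to +1NXXNXXXXXX.

    Strips punctuation, an optional PBX trunk-access prefix (assumed '9'),
    and the leading country code 1.  Returns '' for anything that is not a
    ten-digit NANP number (e.g. 011-prefixed international calls).
    """
    digits = re.sub(r"\D", "", dialed)
    # Only treat a leading 9 as the trunk prefix if what remains is a full
    # 10- or 11-digit number; area codes such as 912 also begin with 9.
    if trunk_prefix and digits.startswith(trunk_prefix) \
            and len(digits) - len(trunk_prefix) in (10, 11):
        digits = digits[len(trunk_prefix):]
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10 or digits[0] in "01":
        return ""
    return "+1" + digits


def decide(dialed: str) -> tuple:
    """Return (verdict, e164).  Allowlist wins over blocklist; numbers outside
    the NANP are out of this policy's scope and pass through."""
    e164 = normalize_nanp(dialed)
    if not e164 or e164 in ALLOWLIST:
        return "allow", e164
    if e164 in BLOCKLIST:
        return "block", e164
    return "allow", e164


# Constructed CDR extract: timestamp, calling extension, dialed string.
# Real PBX CDRs (Asterisk's Master.csv, for instance) carry more fields, but
# these three are all the policy needs.
CDR_LINES = """\
2014-03-03 09:12:41,2041,918005550142
2014-03-03 09:13:05,2077,1-512-555-0100
2014-03-03 09:15:22,2041,9 1 (800) 555-0199
2014-03-03 09:18:47,2055,918005550142
2014-03-03 09:20:10,2090,12105550177
2014-03-03 10:01:33,2077,011441632960123
2014-03-03 10:05:00,2090,918005550100
"""


def screen_cdr(cdr_text: str) -> list:
    """Apply the policy to each CDR line; returns (ts, ext, e164, verdict) tuples."""
    records = []
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        ts, ext, dialed = (f.strip() for f in line.split(",", 2))
        verdict, e164 = decide(dialed)
        records.append((ts, ext, e164, verdict))
    return records


def campaign_indicators(records: list, min_extensions: int = 2) -> dict:
    """Blocked numbers that several distinct extensions tried to reach.

    One employee dialling a reported number is noise; several doing so in
    the same CDR window suggests the lure message reached the enterprise
    and the remaining recipients should be warned.
    """
    exts_by_number = {}
    for _, ext, e164, verdict in records:
        if verdict == "block":
            exts_by_number.setdefault(e164, set()).add(ext)
    return {n: sorted(e) for n, e in exts_by_number.items()
            if len(e) >= min_extensions}


if __name__ == "__main__":
    results = screen_cdr(CDR_LINES)
    for ts, ext, e164, verdict in results:
        print(f"{ts}  ext {ext} -> {e164 or '(non-NANP)':<14} {verdict}")
    print("campaign indicators:", campaign_indicators(results))
```

The same `decide()` logic can run inline at the PBX or voice firewall to reject the call before it leaves the trunk; running it over CDRs after the fact is the cheaper starting point and still gives the campaign indicator that drives a timely warning to staff.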
Shutting Down a Voice Phishing IVR
It is also possible to shut down the voice phishing IVR, but this requires service provider, SIP trunking vendor, and law enforcement cooperation. By the time this happens, the attack will be over. Remember that the time period for an attack is short. The email or voice phishing messages are sent out over a short period of time (depending on the number of messages and capacity of the attacker), and then the IVR will be available for a short period of time (maybe a week or so, which is the lucrative time to be up). Victims will see/hear the messages and either quickly respond or ignore them (remember, they are urgent). By the time the service providers and law enforcement can locate the attacker, the attack is over.
Social engineering and voice phishing attacks will continue to increase. Social engineering, especially into financial contact centers, is a long-standing issue that has gotten much worse due to the ability to gather basic PI from the Internet and spoof the calling number. Voice phishing is an evolution of email phishing, and is more effective due to the trust level still held for phone calls and because these messages are rarely blocked. What’s more, VoIP and UC have made generating voice phishing calls affordable. Setting up a 1-800 number and malicious IVR is simpler than ever. The combination of gathering PI from the Internet, social engineering, and voice phishing greatly increases the threat of financial fraud.
1. Mirko Zorz, “Social Engineering: Clear and Present Danger,” www.net-security.org/secworld.php?id=14393.
2. Jeffrey Roman, “Social Engineering: Mitigating Risks,” www.bankinfosecurity.com/social-engineering-mitigating-risks-a-4795/op-1.
3. Kelly Jackson Higgins, “Phone Fraud Up 30 Percent,” www.darkreading.com/attacks-breaches/phone-fraud-up-30-percent/240004801.
4. “Finding Phone Numbers on Facebook,” Fox News, www.foxnews.com/tech/2012/10/10/facebook-lists-user-phone-numbers-for-all-to-see/%23ixzz28ur07gr2.
5. Alessandro Acquisti and Ralph Gross, “Predicting Social Security from Public Data,” Black Hat 2009, www.blackhat.com/presentations/bh-usa-09/ACQUISTI/BHUSA09-Acquisti-GrossSSN-SLIDES.pdf.
6. Bob Sullivan, “Hackers Turn Credit Report Website Against Consumers,” NBC News, http://redtape.nbcnews.com/_news/2012/03/26/10875023-exclusive-hackers-turn-credit-report-websites-against-consumers?chromedomain=usnews.
7. Ancestry.com, www.ancestry.com.
8. Plaxo.com, www.plaxo.com.
9. Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov.
10. Tracy Kitten, “Takeover Scheme Strikes Bank of America,” Bank Info Security, www.bankinfosecurity.com/takeover-scheme-targets-bank-america-a-5042?rf=2012-08-17-eb&elq=65029319302b4de4aae703a41f91dbe5&elqCampaignId=4244.
11. Tracy Kitten, “Banking Malware Finds New Weakness,” Bank Info Security, www.bankinfosecurity.com/articles.php?art_id=4473.
12. Tracy Kitten, “How to Stop Call Center Fraud,” Bank Info Security, www.bankinfosecurity.com/articles.php?art_id=4593&rf=2012-03-16-eb&elq=b60ebbd8c9d949dea5de8d192c3c2c7a&elqCampaignId=1587.
13. Tracy Kitten, “DDoS Attacks: First Sign of Fraud,” Bank Info Security, www.bankinfosecurity.com/interviews/ddos-attacks-first-signs-fraud-i-1705?rf=2012-10-26-eb&elq=b22e99f2192e45e9ba6698ddfaef1372&elqCampaignId=4939.
14. Stephanie Overby, “How Emerging Technology Fights Fraud in the Call Center,” ComputerWorld, http://computerworld.co.nz/news.nsf/technology/how-emerging-technology-fights-fraud-in-the-call-center.
15. Tracy Kitten, “Voice Biometrics as a Fraud Fighter,” Bank Info Security, www.bankinfosecurity.com/voice-biometrics-as-fraud-fighter-a-4789?rf=2012-05-22-eb&elq=375fd3e903df480abda2d6451957dbc9&elqCampaignId=3528.
16. Poyner Spruill, “Coping with the Threat of Fraudulent Funds Transfers,” JD Supra Law News, www.jdsupra.com/legalnews/coping-with-the-threat-of-fraudulent-fun-79313/.
17. Jay Schulman, “Phishing with Asterisk PBX,” Black Hat 2006, www.blackhat.com/presentations/bh-usa-06/BH-US-06-Schulman.pdf.
18. 1-800 Number Providers, Voip-Info.org, http://www.voip-info.org/wiki/view/Toll+Free+Termination+Providers.
19. Asterisk Weather Station by Zip Code, http://bestof.nerdvittles.com/applications/weather-zip/.
20. Voip-Info.org, http://www.voip-info.org/wiki/view/Asterisk+tips+ivr+menu.
21. Communications Fraud Control Association (CFCA), www.cfca.org.