“Hi, my name is Samuel Gills, I’m one of the lead database engineers for (insert company name here). Our database for employee identification crashed overnight and we need to verify some information to ensure that what we recovered is accurate and correct, could we just have five minutes of your time to help us out with this very painstaking process.”
Believe it or not, calls like that come into companies all the time. This one is called a “vish” (think of it as voice phishing). The ones placed legally are executed by professional security researchers, often labeled “White Hat Hackers”: experts hired by the company to find out which of its employees are susceptible to the biggest weakness most companies have today, the human brain.
Let us dive into the world of Social Engineering, how security researchers use it in Red Team operations, and how criminals use it in exactly the same manner, only for malicious purposes.
Vishing is the phone-call version of phishing, and it is often highly effective because it forces the recipient of the call to rely on “heuristics”, quick, instantaneous decisions. The caller is betting that the person who picks up the phone is unlikely to verify the caller’s credentials if the caller volunteers that information immediately.
Security researchers are hired by a company to test whether an employee will click a link in an email or give up what is called “guarded information”: when an employee’s vacation is, whether John Doe still works at (insert business name here), or whether the employee can be talked into doing something outside of protocol. The researchers will often look up the number of the company’s IT department, or of another department they have been hired to audit. When they place the call, it will genuinely appear to come from that department’s number; this is called “Call Spoofing” or “Spoof Dialing”. Call spoofers are applications, either mobile apps or online tools, that let the caller disguise their caller ID and number as someone else. Literally anyone else.
With a proper security researcher performing the operation, the call is placed to the targeted sector of the company or to a specific employee, and 90% of the time it will look as if it comes from a number inside the corporation.
These individuals are professional Social Engineers: people who perform security audits on a corporation by physical intrusion. You can see an example of this in action on the Tech Insider channel on YouTube, where white hat hackers perform a Red Team op in which they are hired to hack the US electrical grid.
Often these individuals will claim they are conducting a random audit and need access to the database or other essential IT areas within the business. These professionals always get permission in writing beforehand to do what you see in the video, so if something does go wrong they have the paperwork to prove they were hired for the operation.
One of the most notorious Social Engineers, and at one point the hacker most wanted by the FBI, Kevin Mitnick, explains in his book “The Art of Intrusion” how these individuals use cunning, deceit, and extensive “footprinting” (reconnaissance, so to speak) to launch an audit on a building or a company.
They often spend weeks studying the building: its exits, the doors employees use at lunch that have little to no security (a piggybacking opportunity), whether there is a gate checkpoint for vehicles (which requires much more preparation before launching the audit), whether there is a security check-in before entering, and whether the physical barriers (fences, locks, door locks) can be picked or broken. On occasion they may use a drone to map the property. All of this takes place before the physical part of the audit, the Social Engineering itself, even begins.
Once the audit begins, the Social Engineer will physically gain access to the building, or more specifically exploit the flaws of the employees, in order to reach the area within the corporation that the employer specified in writing.
Ah yes, the “phish”. These are well-crafted emails that will normally contain a link. It could be suggesting anything: a new pre-screened credit card offer, life insurance, a hoax-style scare (putting you in a panic so you believe you must click the link), or even a “test phish” sent by your own corporation.
Many companies now test their employees with decoy phishing emails. These will often say something like “Click here to see the new Summer uniform policy” or “Congratulations! You are in the sweepstakes for a $250 Visa gift card from (insert business name here)! Click on this link to activate your entry.”
Typically, if you do click the link, it sends you to a dummy page or the page simply goes blank. What happens next is that you are registered as having clicked the phishing email; your boss will usually sit down with you and mandate more “phishing defense” training. If instead you click the internal corporate “Report Phish Email” button within the corporate email service, believe it or not you will typically be notified: “Passed the test! This was a simulation.”
At my company I had one of those, and when my instincts said to report it, I did. General rule of thumb for phishing emails: if it looks sketchy, has odd grammatical mistakes, or has anything else that raises skepticism about the email, it is more than likely a phish.
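The rule of thumb above (sketchy sender, bait wording, a link that is not what it claims to be) can be turned into a mechanical check. The following is an added example, not code from the original post or from any vendor’s phishing-simulation product. It scores a raw email for the tells a reader can actually verify by hand: whether the sender is outside the company domain, whether the display name impersonates the company, whether Reply-To points somewhere else, whether the subject or body contains bait phrases like the sweepstakes example, and whether the visible link text names a different site than the real href. The internal domain `corp.example`, the two sample messages and the bait-phrase list are all constructed for the example.

```python
"""Phishing-indicator scorer (added example, not the post's own code)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical internal domain for the examples below (constructed).
INTERNAL_DOMAIN = "corp.example"

# Bait phrases seen in both real and simulated phishes (constructed list).
URGENCY_PHRASES = ("congratulations", "sweepstakes", "gift card", "act now",
                   "immediately", "suspended", "verify your")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (sufficient for these examples)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """Return the hostname if the anchor text itself looks like a URL/host."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1) if m else None


def score_message(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the list of indicator names found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["from"].addresses[0]
    sender_dom = registrable_domain(sender.domain)
    if sender_dom != internal_domain:
        findings.append("external_sender")
    # Display name that *mentions* the company while the address is foreign.
    if internal_domain in sender.display_name.lower() and sender_dom != internal_domain:
        findings.append("lookalike_display_name")
    reply_to = msg["reply-to"]
    if reply_to and reply_to.addresses and \
            registrable_domain(reply_to.addresses[0].domain) != sender_dom:
        findings.append("reply_to_mismatch")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    haystack = ((msg["subject"] or "") + " " + body).lower()
    if any(p in haystack for p in URGENCY_PHRASES):
        findings.append("urgency_bait")

    if body_part is not None and body_part.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(body)
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            shown = host_in_text(text)
            if shown and registrable_domain(shown) != registrable_domain(href_host):
                findings.append("link_text_mismatch")  # text says one site, href another
            elif registrable_domain(href_host) != internal_domain:
                findings.append("external_link")
    return findings


# Constructed sample messages, modelled on the sweepstakes decoy in the post.
PHISH = """From: "HR Rewards (corp.example)" <rewards@corp-example-prizes.com>
Reply-To: claims@mail-prize-claims.net
To: jane.doe@corp.example
Subject: Congratulations! You are in the sweepstakes for a $250 Visa gift card
Content-Type: text/html; charset="utf-8"

<html><body><p>Click on this link to activate your entry:</p>
<a href="http://corp-example-prizes.com/claim?u=jane">https://hr.corp.example/rewards</a>
</body></html>
"""

BENIGN = """From: HR Team <hr@corp.example>
To: jane.doe@corp.example
Subject: Summer uniform policy update
Content-Type: text/html; charset="utf-8"

<html><body><p>The updated policy is posted on the intranet:</p>
<a href="https://hr.corp.example/policy/summer">Summer uniform policy</a>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, score_message(raw))
```

The link check is the one that catches the most convincing decoys: the anchor text reads like an internal HR address while the href goes to a look-alike domain, which is exactly what a reader hovering over the link would see. Odd grammar is deliberately not scored here; that tell is still best left to the reader, and a message with any of these findings is a candidate for the “Report Phish Email” button rather than the link.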
In conclusion, these types of attacks happen every day, and it is a good idea to keep a skeptical mind in these scenarios. Some are carried out by paid professionals and others with criminal intent. The general rule of thumb is that if the vish, the phish, or the individual seems even slightly out of place, there is more than likely malicious intent behind it.