Security journalist Brian Krebs reports that telcos and other big businesses are being targeted by organized criminals who gain access to corporate networks by phoning new employees as they work from home, then telling them to enter their credentials into websites designed to look like the company’s VPN or email portal. Krebs’ article included a screenshot of helpdesk-att.com, a phishing website designed to look like a portal for employees of AT&T, the US telco.
According to Krebs, the gang behind these custom social engineering attacks are mercenaries who sell their skills to other criminals. Their attack begins with creating a website that looks like a genuine corporate portal. The intended victim then receives a voice call from a gang member who claims to belong to their employer’s IT function. The employee is told they need to log on to the phishing website to deal with some bogus technical issue, and as a consequence the victim unwittingly hands over their username and password. Multi-factor authentication, such as one-time passwords generated by an app, will not protect the victim’s company either, because the employee types that code into the phishing website too. One-time codes are only valid for a short window, but that is enough: the first criminal keeps the victim talking on the phone whilst an accomplice immediately uses the captured credentials and code to log on to the real corporate site.
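The real-time relay described above, reduced to a runnable model. This is an added illustration written for this page, not code from Krebs’ article or from any real portal: the usernames, password, TOTP secret and the two portal classes are all constructed for the example. The genuine portal implements standard RFC 6238 time-based one-time passwords with the usual one-step clock-skew tolerance and per-step replay protection; the fake portal simply records what the victim types and the accomplice replays it.

```python
"""Added example (not from the original article): a phishing site
captures a victim's password and app-generated one-time code, and an
accomplice replays them at the genuine portal while the code is still
valid.  Every name and secret below is constructed for illustration."""
import base64
import hashlib
import hmac
import struct

STEP = 30        # RFC 6238 time step in seconds
DIGITS = 6       # length of the one-time code
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed demo secret


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter containing `at`."""
    counter = int(at) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class RealPortal:
    """Stand-in for the genuine corporate VPN/email portal."""

    def __init__(self, users: dict):
        self.users = users            # username -> (password, totp secret)
        self.used_codes = set()       # (username, step) pairs already accepted

    def login(self, username: str, password: str, code: str, now: float) -> bool:
        entry = self.users.get(username)
        if entry is None:
            return False
        pw, secret = entry
        if not hmac.compare_digest(pw, password):
            return False
        # Accept the current step plus one step either side for clock skew,
        # and refuse a code that was already used for that step (replay).
        step_now = int(now) // STEP
        for step_idx in (step_now - 1, step_now, step_now + 1):
            if hmac.compare_digest(totp(secret, step_idx * STEP), code):
                if (username, step_idx) in self.used_codes:
                    return False
                self.used_codes.add((username, step_idx))
                return True
        return False


class PhishingPortal:
    """The look-alike site: it verifies nothing and records everything."""

    def __init__(self):
        self.captured = []

    def login(self, username: str, password: str, code: str, at: float) -> str:
        self.captured.append((username, password, code, at))
        return "Thanks, your issue has been logged."   # bogus confirmation


def run_relay(relay_delay: float, now: float = 1_600_000_000.0) -> bool:
    """The victim enters password and OTP on the fake site at `now`; the
    accomplice replays them at the real site `relay_delay` seconds later.
    Returns True if the genuine portal accepts the attacker's login."""
    real = RealPortal({"jsmith": ("correct horse battery", SECRET)})
    fake = PhishingPortal()

    # Victim, on the phone with the bogus "IT helpdesk", types it all in.
    fake.login("jsmith", "correct horse battery", totp(SECRET, now), now)

    # Accomplice lifts the captured values and uses them for real.
    username, password, code, _ = fake.captured[-1]
    return real.login(username, password, code, now + relay_delay)


def relay_then_replay(now: float = 1_600_000_000.0) -> tuple:
    """Replay protection only bites on the *second* use: the accomplice's
    first login with a stolen code succeeds, a repeat of it fails."""
    real = RealPortal({"jsmith": ("correct horse battery", SECRET)})
    code = totp(SECRET, now)
    first = real.login("jsmith", "correct horse battery", code, now + 5)
    second = real.login("jsmith", "correct horse battery", code, now + 10)
    return first, second


if __name__ == "__main__":
    print("relay after 5s accepted:   ", run_relay(5))
    print("relay after 45s accepted:  ", run_relay(45))   # skew window
    print("relay after 120s accepted: ", run_relay(120))  # code expired
    print("first use / replay:        ", relay_then_replay())
```

Two things the model makes visible. First, the skew tolerance that portals add for slow phones also widens the attacker's window: a code captured ten seconds into a step is still accepted when relayed forty-five seconds later. Second, replay protection does nothing here, because the accomplice is the first party to present the code to the real site. Only an authenticator that binds the login to the genuine site's origin, such as a FIDO2 security key or passkey, breaks this relay, since it will not produce a response for a look-alike domain.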
What makes this phishing attack novel is that it is a hybrid of spear phishing and voice phishing, also known as vishing. Spear phishing is aimed at specific individuals, unlike less focused attacks instigated by spam emails and other automated messages delivered to large numbers of people. The most familiar forms of phishing contact potential victims with an electronic message because that is cheap and quick, but voice phishing involves calling the victim. Krebs says these criminals have a very high success rate, and that is probably because of how much effort they put into making the interaction seem like the victim is speaking to a fellow employee.
The same style of hybrid attack has also been identified as the method used by the hackers who recently took over a large number of ‘blue tick’ Twitter accounts, including those belonging to Barack Obama, Elon Musk and Apple. That attack succeeded because Twitter employees were overly trusting of calls they received whilst working at home. The hackers learned the phone numbers and personal details of Twitter employees by doing detailed research through social media.
There are some remarkably gullible people who have access to sensitive telecoms systems. That is obvious from the disturbingly large proportion of our community who unthinkingly trust the contents of emails they have received, and webpages they have read, as if they presented verified facts. The current circumstances further lend themselves to deception because staff are working from home in record numbers. They are more likely to receive unexpected calls from colleagues, making them less guarded when somebody new calls them. They are also motivated to help the bogus IT function because their work may depend on remotely connecting to the corporate network. I shudder to think how many telcos will get hacked as a result.
Many telcos will not warn others after they have fallen prey to social engineering like this, because they will not want to admit their own failings. That means laggard telcos who only act after other warnings from their peers will do nothing to train staff or tighten security until they have been attacked. Do not be surprised if we see members of this community being rapidly ejected from their jobs without anyone clarifying why they were suddenly told to leave. This advanced form of social engineering poses a risk that some will severely underestimate.
You can read Krebs’ article on spear voice phishing here.