Telco Staff Targeted by New Custom Spear Voice Phishing Attacks

Security journalist Brian Krebs reports that telcos and other big businesses are being targeted by organized criminals who gain access to corporate networks by phoning new employees as they work from home, then telling them to enter their credentials into websites designed to look like the company’s VPN or email portal. Krebs’ article included a screenshot of a phishing website that was designed to look like a portal for employees of AT&T, the US telco.

According to Krebs, the gang behind these custom social engineering attacks are mercenaries that sell their skills to other criminals. Their attack begins with creating a website that looks like a genuine corporate portal. The intended victim then receives a voice call from a gang member who claims to belong to their employer’s IT function. The employee is told they need to log on to the phishing website to deal with some bogus technical issue. As a consequence, the victims unwittingly share their usernames and passwords. Multi-factor authentication, such as using one-time passwords generated by an app, will not protect the victim’s company either, because the employee will also type these details into the phishing website. Additional factors typically only work for a short period of time, but the first criminal keeps talking to the victim whilst an accomplice immediately uses their credentials to log on to the real corporate site.
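The paragraph above explains why a one-time password does not stop this attack: the code is valid for a short window, and the accomplice relays it to the real portal before the window closes. The following Python example is added here to illustrate that point and its mitigation; it is not code from Krebs’ article or from any of the companies mentioned. It implements RFC 6238 TOTP verification with the usual one-step clock-skew tolerance, shows that a code typed into a look-alike site is still accepted by the genuine server twenty seconds later, and contrasts that with a simplified model of an origin-bound authenticator (in the style of WebAuthn, with an HMAC standing in for the device’s public-key signature) that refuses an assertion produced on a different domain. The domain names, the device key and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import json
import struct

# --- Factor 1: time-based one-time passwords (RFC 6238, SHA-1, 6 digits) ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check. Most servers also accept the neighbouring windows to
    tolerate clock drift, which widens the time a relayed code stays usable."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
        for d in range(-skew, skew + 1)
    )

def relayed_otp_is_accepted(delay_seconds: int = 20) -> bool:
    """The victim reads the code from their app at t0 and types it into the
    look-alike site; the accomplice submits it to the real portal at t0 + delay.
    Secret and timestamp are constructed for the example."""
    secret = b"constructed-shared-secret-for-demo"
    t0 = 1_600_000_000
    code_typed_into_fake_site = totp(secret, t0)
    return verify_totp(secret, code_typed_into_fake_site, t0 + delay_seconds)

# --- Factor 2: an origin-bound assertion (simplified WebAuthn-style model) ---

REAL_ORIGIN = "https://vpn.example.com"          # constructed: the genuine portal
FAKE_ORIGIN = "https://vpn-login.example.net"    # constructed: the look-alike site
DEVICE_KEY = b"constructed-device-key"           # stands in for the authenticator's private key

def sign_assertion(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The browser records the origin it is actually talking to inside the signed
    client data; the user cannot override it by typing anything."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_seen_by_browser}, sort_keys=True
    )
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def verify_assertion(expected_challenge: bytes, assertion: dict) -> bool:
    """The genuine server accepts only assertions bound to its own origin and
    to the challenge it issued for this session."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != REAL_ORIGIN:
        return False
    if data.get("challenge") != expected_challenge.hex():
        return False
    expected_sig = hmac.new(DEVICE_KEY, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

def relayed_assertion_is_accepted() -> bool:
    """The accomplice fetches a challenge from the real portal and forwards it to
    the victim, whose browser signs it on the look-alike domain."""
    challenge = hashlib.sha256(b"constructed-session-1").digest()
    assertion = sign_assertion(challenge, FAKE_ORIGIN)
    return verify_assertion(challenge, assertion)

def genuine_assertion_is_accepted() -> bool:
    """Control case: the same device signing on the real portal is accepted."""
    challenge = hashlib.sha256(b"constructed-session-2").digest()
    assertion = sign_assertion(challenge, REAL_ORIGIN)
    return verify_assertion(challenge, assertion)

if __name__ == "__main__":
    print("relayed OTP accepted by real portal:      ", relayed_otp_is_accepted())
    print("relayed origin-bound assertion accepted:  ", relayed_assertion_is_accepted())
    print("genuine origin-bound assertion accepted:  ", genuine_assertion_is_accepted())
```

The first result is the problem the article describes: nothing in the OTP ties it to the site where it was typed, so a code handed to the caller’s accomplice is as good as one typed into the real portal. The origin check in the second half is what makes a hardware-backed or platform authenticator resistant to this relay, and it is the reason such factors are worth prioritising for VPN and email portals over app-generated codes.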

What makes this phishing attack novel is that it involves a hybrid of spear phishing and voice phishing, also known as vishing. Spear phishing is aimed at specific individuals, unlike less focused attacks which are instigated by spam emails and other automated messages delivered to large numbers of people. The most familiar forms of phishing make contact with potential victims using an electronic message because this is cheap and quick, but voice phishing involves calling the victim. Krebs says these criminals have a very high success rate, and that is probably because of how much effort they are putting into making the interaction seem like the victim is speaking to a fellow employee.

The same style of hybrid attack has also been identified as the method used by the hackers who recently took over a large number of ‘blue tick’ Twitter accounts, including those belonging to Barack Obama, Elon Musk and Apple. That attack succeeded because Twitter employees were overly trusting of calls they received whilst working at home. The hackers learned the phone numbers and personal details of Twitter employees by doing detailed research through social media.

There are some remarkably gullible people who have access to sensitive telecoms systems. That is obvious from the disturbingly large proportion of our community who unthinkingly trust the contents of emails they have received, and webpages they have read, as if they present verified facts. The current circumstances further lend themselves to deception because staff are working from home in record numbers. They are more likely to receive unexpected calls from colleagues, making them less likely to be guarded when somebody new calls them. They are also motivated to help the bogus IT function because their work may depend on remotely connecting to the corporate network. I shudder to think how many telcos will get hacked as a result.

Many telcos will not warn others after they have fallen prey to social engineering like this, because they will not want to admit their own failings. That means laggard telcos that only act after warnings from their peers will do nothing to train staff or tighten security until they have been attacked. Do not be surprised if we see members of this community being rapidly ejected from their jobs without anyone clarifying why they were suddenly told to leave. This advanced form of social engineering poses a risk that some will severely underestimate.

You can read Krebs’ article on spear voice phishing here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.