My name is Steven Verscheure, and I am involved in most of the social engineering assignments that tSF carries out.
Today I want to talk about a use case built around a specific branch of social engineering: vishing, also called voice phishing. Vishing is all about using telephony to perform phishing attacks.
Whenever we need to perform a vishing exercise, the first step is reconnaissance (this applies to every social engineering exercise we perform). Either we get the targets from our client, or we have to pick our own targets and investigate whether we can find their phone numbers in public resources.
For today's use case, we will use the fictitious company ACME. ACME is a banking institution that asked us how easy it would be to scam their staff.
Since our target was a help desk employee at one of the bank's branches, it was fairly easy to obtain phone numbers from their websites. The main objective of our exercise was to change the address and phone number of one of their regular customers. Furthermore, we were allowed to be creative ourselves and request or change as many extras as possible (the transfer of financial assets was obviously out of scope).
In-depth reconnaissance gave us a detailed profile of a particular customer of ACME. We had the person's date of birth, full name and address, and had found out that he was a regular customer at the bank in question.
All preparations were in place. Ready for action!
| Speaker | Line |
|---|---|
| Actor | Good morning. This is Bert Verscheure speaking, a client of this bank. Am I speaking with the help desk of ACME? |
| Victim | Yes, this is Claudia. How can I help you? |
| Actor | Due to COVID regulations and the lockdown that was announced last evening, I am obliged to work from my current location, which is my apartment in Oostende. Since I'm actively dealing with some important payments and documents relating to this bank, I'd like you to give my accountant power of attorney over my banking account. |
| Victim | I guess this is possible. I will just need to confirm your date of birth for security reasons. |
| Actor | Of course, that's only natural! My date of birth is the 24th of October. My home address is Gasthuisstraat 232 in Niel. Do you need some more information about me? |
| Victim | That will be sufficient, Bert. I will do the necessary. Who is your accountant? |
| Actor | His name is Joe Johnson, from Niel. His mail address is email@example.com. You can send him a mail, he is aware of this. |
| Victim | Sure, Bert. He will be granted access with that mail address. I will call him first to confirm his identity. Can you give me his phone number? |
| Actor | 0475849384. Thanks in advance. This will speed up some procedures I'm currently going through. I have one more question. Is it possible to send a new card reader to my address here in Oostende? I forgot mine at home, and I need it for some banking transactions. My address is Koekoeksweg 45, Oostende. |
| Victim | No problem, Bert. I have requested this in our system. It will probably be sent out tomorrow. |
| Actor | Thanks a lot for the smooth communication. This is why I love my bank. |
We called the employee from our own phone number and explained that we now work from home at two fixed locations, and that COVID measures obliged us to work from our second residence. It was important to volunteer as much information as possible before the employee could start asking questions herself: that way she is drawn into the story from the start and we sound more credible. We also stated that it was impossible for us to follow up on all accounts and payments from this location, so it was important that power of attorney over the account be transferred to person X, and that the telephone number and address on the account be permanently changed to our second location. Given the amount of information the employee had already received from us, she performed only a single identity check. Stating the date of birth, a detail our reconnaissance had already found in public sources, was enough to take over this account completely.
When we reported this to the client, they were very impressed that such a thing could happen.
The fact that we were able to take over an account completely, and actually hijack it, with a single phone call led them to introduce additional mandatory identity checks for anyone contacting their employees. Periodic security awareness training is now also given to the staff to avoid these situations in the future.