While modern technical controls and protections can thwart basic phishing attempts, phone communication remains a lucrative avenue for would-be attackers. This is a typical route used to gain a foothold into an environment via an unsuspecting employee. However, this time-consuming manual process makes documenting and using your social engineering results difficult.
Fortunately, existing interactive voice response (IVR) technology can help solve this problem. While these systems are typically used to assist people, we could also leverage them to gain entry to systems.
The abundance of cloud-based services makes this simple to accomplish and even easier to expand upon with your own custom scenarios, all while capturing respondent information. This presentation from NetSPI Director of Social Engineering Patrick Sayler covers how to take existing, off-the-shelf tools and configure them to build your own social engineering “robot.”
- 0:40 – Background on phone-based social engineering
- 4:00 – Identifying effective social engineering solutions
- 9:45 – Attack scenarios
- 20:36 – Social engineering demo
Background on Phone-Based Social Engineering
Phone-based social engineering, often known as vishing, is a social engineering technique in which a threat actor calls the victim and tricks or entices them to share sensitive information, click on a link, or take another action that may expose confidential data. A typical phone-based social engineering engagement is fairly straightforward.
Some steps in engagements typically include:
Phone-based social engineering techniques are effective, fun, and unique – no two tests are alike. However, this approach does have drawbacks: it takes a lot of time and effort, and there is downtime and stress between calls, especially when targets hang up right away or don’t engage.
To improve the process and save the time that would otherwise be spent talking directly to targets, you can consider recording your own voice and playing the audio back over the phone, but this approach can also take a lot of time and work. Another option is text-to-speech (TTS), in which you use a website with a robotic but legitimate-sounding voice to record key phrases, such as “You have one new message,” “Please share your username,” and “Share your password.” This approach has succeeded in gaining entry to a customer’s internal network environment.
Identifying Effective Social Engineering Techniques
A more effective phone-based social engineering technique requires the following criteria:
- Easy setup and maintenance
- Scalable for multiple users and calls
- Centralized recording, tracking, and analytics
If this sounds familiar, it’s because the list above describes a call center, and call center software has existed for several years. One such platform is Amazon Connect, which includes all the criteria listed.
An affordable solution like Amazon Connect provides the following:
- Inbound and outbound phone calls
- Audio recording
- Call routing/triaging
- Customizable prompts and triggers
- Integration with the Amazon Web Services (AWS) ecosystem, enabling additional capabilities, including:
  - Amazon Transcribe for speech recognition and voice-to-text conversion
  - AWS Lambda to run code, process information received from recordings, and flag specific passwords, among other features
  - Amazon Lex conversation bot features
Chaining these tools together enables you to programmatically place a phone call with Amazon Connect, request and receive information from targets with the Lex chatbot, and process the captured data and act on it using Amazon Transcribe and AWS Lambda.
A few different phone-based social engineering attack scenarios can take advantage of this automated system built on a solution like Amazon Connect.
Here’s an overview of potential attack scenarios:
- SMS phishing
  - This is similar to standard email phishing, except it’s delivered over a text message, with the same concepts and methodology, including mass delivery and broad reach
  - Steps include:
    - AWS Simple Notification Service (SNS) sends a text message
    - The victim calls the associated number and is prompted to share credentials
    - Lex recognizes the data and transcribes it for Lambda
    - Lambda takes the data and sends a notification to the tester
- Email phishing
  - Standard email phishing, but with a phone number rather than a link in the message
  - Emails often also include a link, with the phone call as a secondary option
- Outbound call to target
  - Amazon Connect provides an API to place outbound phone calls
  - Outbound calls can be placed into a workflow that follows an automated system, with prompts such as “Please say your name” and “Confirm your username and password”
  - Lex then recognizes the data and transcribes it for Lambda
  - Lambda then takes the credentials and sends them to the tester
- Distraction call (another form of outbound call to the target)
  - Problem: When working on a phone-based social engineering test, sometimes the tester can’t find an employee’s direct phone number and finds a dial-by-name directory, but can’t reach the directory directly
  - Solution: The tester places an outbound call to the operator; while the operator is on that call, the line is busy, so the tester’s second call is routed straight to the directory, which can then be used to reach individual employees
NetSPI’s Social Engineering Capabilities
Now that you have an understanding of phone-based social engineering techniques and solutions, it’s critical to make sure your employees are prepared to recognize potential attacks and avoid sharing sensitive information. NetSPI’s social engineering testing helps validate and improve your procedural security controls and employee training.
Through our phone social engineering (vishing) solution, the NetSPI team makes several calls to your IT support, customer support, and other employees, posing as a customer or colleague, in an attempt to obtain sensitive information or functionality without the identity of the caller being verified. This technique helps your team verify that existing identity validation procedures are being followed.