The kind of attack that broke Twitter in July – phone spear phishing, voice phishing or “vishing” – is now targeting dozens of other companies. These companies can train their employees to detect fraudulent callers, or use FIDO tokens such as YubiKeys for two-factor authentication. Unlike a one-time code, which a hacker on the phone can steal and replay in real time, a USB dongle must be physically plugged into any new machine from which the user wants to access their accounts. Vishing attacks of this kind can be stopped with a YubiKey.
But Twitter is hardly the only recent target. In just the past month since the Twitter hack unfolded, dozens of companies—including banks, cryptocurrency exchanges, and web hosting firms—have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that’s been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company’s services—most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.
In their social engineering calls with victims—including in one recorded call reviewed by WIRED—the hackers typically use a VoIP service that allows them to spoof their phone number. They attempt to establish trust with the victim by referencing seemingly private data such as the victim’s role at the company, their start date, or the names of their coworkers. In some cases, they’ll even ask the victim to confirm that they’re a “real” IT person, suggesting they look up their spoofed identity in the company’s directory or its collaboration software. When the victim seems convinced, they ask them to navigate to a fake login page address—usually for a single sign-on portal like Duo or Okta—and enter their credentials.
Another member of the hacking group immediately obtains those details and enters them into the real login page. The real login page then prompts the victim to enter their two-factor authentication code. When the user is fooled into typing that code into the fake site, it’s also relayed to the second hacker, who enters it into the real login page, allowing them to fully take over the account. The hackers’ phishing site that allows that spoofing, unlike the kind usually linked in a phishing email, is usually created only for that specific phone call and is taken down immediately after the hackers steal the victim’s credentials. The vanishing website and the lack of email evidence make this sort of phone-based engineering often harder to detect than traditional phishing.
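The relay described above, and the reason the FIDO tokens mentioned at the top stop it, as an added model that is not part of the WIRED article: a one-time code is just a value, so the real site accepts it no matter which page the victim typed it into, whereas a FIDO assertion is signed over the origin the browser was actually on, so a copy forwarded from a look-alike page fails verification. The origins, the HMAC standing in for the token's asymmetric signature, and all class and function names are constructed for this example.

```python
"""Constructed model: why a relayed one-time code is accepted but a relayed
FIDO assertion is not. HMAC stands in for the token's asymmetric signature."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://sso.example.com"   # assumed legitimate SSO portal
FAKE_ORIGIN = "https://sso-example.com"   # assumed look-alike page (constructed)


class RelyingParty:
    """The real login service: holds the user's TOTP seed and FIDO credential key."""

    def __init__(self, origin: str):
        self.origin = origin
        self.totp_seed = secrets.token_bytes(20)
        self.fido_key = secrets.token_bytes(32)  # stand-in for the credential's public key

    def totp(self, counter: int) -> str:
        # RFC 4226 dynamic truncation; the counter is the 30-second time step in RFC 6238
        mac = hmac.new(self.totp_seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
        return f"{code % 1_000_000:06d}"

    def verify_totp(self, code: str, counter: int) -> bool:
        # The server cannot tell where the user typed the code; only the value is checked.
        return hmac.compare_digest(code, self.totp(counter))

    def verify_fido(self, challenge: bytes, assertion: dict) -> bool:
        # The signature covers the client data, which names the origin the browser was on.
        client_data = json.dumps(assertion["client_data"], sort_keys=True).encode()
        expected = hmac.new(self.fido_key, challenge + client_data, hashlib.sha256).hexdigest()
        return (assertion["client_data"]["origin"] == self.origin
                and hmac.compare_digest(assertion["signature"], expected))


def authenticator_sign(rp: RelyingParty, challenge: bytes, browser_origin: str) -> dict:
    """The browser records the origin it is on; the token signs it together with the challenge."""
    client_data = {"challenge": challenge.hex(), "origin": browser_origin}
    payload = challenge + json.dumps(client_data, sort_keys=True).encode()
    return {"client_data": client_data,
            "signature": hmac.new(rp.fido_key, payload, hashlib.sha256).hexdigest()}


def relayed_totp_accepted(rp: RelyingParty, counter: int = 53_000_000) -> bool:
    """Victim reads the code from their app and types it on the fake page; caller forwards it."""
    stolen_code = rp.totp(counter)  # same seed, so the victim's app shows this value
    return rp.verify_totp(stolen_code, counter)


def relayed_fido_accepted(rp: RelyingParty) -> bool:
    """Victim taps the key on the fake page; the forwarded assertion names the wrong origin."""
    challenge = secrets.token_bytes(32)  # issued by the real site, passed through to the fake one
    return rp.verify_fido(challenge, authenticator_sign(rp, challenge, FAKE_ORIGIN))
```

A real FIDO authenticator additionally scopes each credential to the site's registered domain, so the token on a look-alike domain would not even produce an assertion for the genuine account.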
“They see a phish and they click that report button. I’ll maybe have a 12 or 15 percent report rate for phishing, which can actually really shut me down,” says Rachel Tobac, CEO of SocialProof Security, a company that tests clients’ vulnerability to social engineering attacks. But she says she can place phishing calls to 50 people at a target company in a week, and no one will report them. “People do not know that it’s happened. They think the entire time that they were talking to a tech support person,” Tobac says. “Vishing has always flown under the radar and will continue to.”
As in the Twitter hack, the perpetrators don’t appear to be state-sponsored hackers or foreign cybercrime organizations, but young, English-speaking hackers organizing on forums like the website OGUsers.com and the chat service Discord, says Zack Allen, the director of threat intelligence at security firm ZeroFox, who has also worked with the industry group tracking the incidents. He says he’s been shocked by the level of research that the hackers have put into their social engineering, scraping LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees—some even starting their very first day on the job—and convincingly impersonating IT staff to trick them.
“I’ve never seen anything like this before, nothing this targeted,” says Allen. He warns that the hackers’ tactics have been so effective, it may be only a matter of time until they’re adopted by foreign ransomware groups or even state-sponsored hackers who simply contract out the phone calls to English-speaking phone phishers. “It’s like what you’d expect from a whole team of intelligence professionals building dossiers and executing attacks, but it all seems to be done by teenagers on Discord.”
To read the entire article on WIRED, click here.
Photo credit: BetaNews