Vishing: Another Way to go Phishing

8/1/2018

hand holding phone with incoming call and vishing warning message

If you thought there was only one kind of phishing attack, you'd be wrong. There are a handful of types and "vishing" is becoming increasingly common. To understand vishing, a definition of phishing itself is in order.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Wikipedia quoting Handbook of Information and Communication Security.

Most of the time when we think about phishing we think about "electronic communication" as referring to email or the web. But there is another form of electronic communication fraudsters are using for phishing: voice telephone calls. That's the "vishing".

The idea behind vishing is virtually identical to traditional phishing - use social engineering to try to convince the victim to disclose potentially confidential information.

How Does It Work?

Some preparation is required: one can purchase lists of names and corresponding phone numbers on the dark web fairly inexpensively (or so I've heard). It is also easy to copy the look of a website using tools such as wget. A programmer can readily create a malicious backend for a website if the user interface has been copied.

Now consider the perpetrator making a phone call to the potential victim. He or she may call the potential victim directly or (and this seems to be a common characteristic of the attack) the caller's "caller-id" information may be spoofed to be something the callee is likely to answer. That could be a bank, a large retailer, or a computer hardware or software company. I routinely receive calls to my cell where the caller-id matches my number's area code and exchange. I generally ignore those calls as I suspect they may be vishing.

If the potential victim answers, the caller could explain (using the callee's name, potentially) that there is an issue with an account so the business (a bank perhaps) has set up a special site to address it. The potential victim is directed to contact the site and change a password or answer a security question or two. This is not fundamentally different from an email phishing attack! There is the lack of a link to hover over to verify, but the caller can try to explain that away.

What Can I Do?

First and foremost, don't go to the sites these people promote. If you need to change a password, follow a bookmark or type in the actual site URL.

As I mentioned above, I also generally avoid answering telephone calls when I do not know the number. There are a couple of exceptions to this (e.g. clients with many numbers), but I try to follow it as a rule.

Another option is to let everything go to voicemail - the attacker is less likely to be persuasive in a recording and may just decline to leave a message at all.

There will likely be over one and a half million unique phishing attacks this year alone. I cannot guess how many will be vishing, but it will likely be a significant amount, if the reports I have been reading are correct. Don't be a victim: never go to a URL from a phone call or email; go to the official URL of the desired organization. Period.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.