Cybercriminals are getting savvier at incorporating voice-based conversations into their attacks as a way to coax victims into downloading malware or handing over sensitive data.
The use of voice-based social engineering by threat groups to add an air of legitimacy to attacks is not novel. However, cybercriminals are scoping out more innovative ways to integrate voice into their attack chains. Threat actors are setting up call centers as part of their malware delivery process, for instance, while scammers are reworking voice-based phishing tactics to convince victims to hand over sensitive data. In 2019, attackers used voice-generating artificial intelligence to mimic a CEO over the phone, and convinced a U.K. company’s CEO to wire transfer $243,000 to attacker-controlled accounts.
Abhishek Iyer, director of product marketing with Armorblox, said that the use of phone numbers - rather than malicious links - in an email greatly increases the chances of the email getting past filters or blocklists that flag known bad links. The other advantage for cybercriminals here is that voice-based conversations - where attackers pretend to be a trusted entity - move quickly, making it difficult for victims to detect something is amiss while they are happening. Victims on the other hand have more time to think about the red flags in a phishing form or before enabling macros on a malicious document.
“A phone number is not an Indicator of Compromise that the security community tracks in a structured, shareable manner right now (and might never be, due to the fungibility of phone numbers, random numbers generated through Google Voice, etc.),” he said. “Secondly, using phone numbers increases the likelihood of extracting a variety of sensitive information from victims. If threat actors use phishing links that lead to forms that ask for lots of sensitive data, victims might get suspicious and not fill the form.”
In a recent example of malware attackers leveraging voice-based social engineering, researchers with both Sophos and Palo Alto Networks observed the threat actors behind the BazarLoader malware bundling call centers into their spear-phishing attacks.
Starting in February, researchers observed emails telling targets they were being charged for a premium trial and giving them a phone number to call if they had any questions. Researchers with Palo Alto Networks’ Unit 42 team traced the phone number and found that it led to a call center operated by the attackers. The attackers, pretending to help victims cancel the subscription, would personally guide them through a process designed to infect their systems with BazarLoader, convincing them to download a malicious spreadsheet from a website and enable macros. The BazarLoader malware, which provides backdoor access to an infected Windows host, exfiltrates data, conducts reconnaissance, exploits the network and downloads follow-up malware, like Cobalt Strike, Anchor and the Ryuk ransomware.
“We contacted this call center on at least five different occasions, and the operator was a different person each time,” said Brad Duncan, threat intelligence analyst with Unit 42, on Wednesday. “All operators were seemingly non-native English speakers. Two of the operators were female, and three were male. Each operator followed the same basic script, but there were variations.”
Another attack making use of voice impersonations, observed by researchers with Cado Security in April, was launched by a Middle Eastern cyber espionage group called APT-C-23. The threat group utilized a voice-changing application in order to produce audio messages purporting to be women encouraging targets to install malware. The attackers then “ensnare their victims through conversations,” said researchers. “As the conversations continue, the ‘women’ offer up a ‘video’ - laden with malware to infect the target’s system.”
Voice phishing (also known as vishing), another tactic incorporating voice-based social engineering, has been a long-standing issue that continues to prove successful for attackers. Researchers with Armorblox on Thursday highlighted a pair of attacks that attempted to steal Amazon customers’ credit card information, by sending them fake order receipts that included phone numbers to call for “processing order returns.” One of the attacks, which targeted 9,000 organization mailboxes, came from a Gmail account and included an ‘Invoice:ID’ in the title. The email told victims that they owe an Amazon order total (in one case of almost $900) and included a “Contact Us” phone number. Upon calling the phone number, researchers talked to a real person pretending to be an Amazon representative, who asked for their order number, name and credit card details - before cutting the call and blocking their number.
Iyer said researchers have seen both vishing and credential phishing attacks increase over the past year, but because vishing attacks started from a lower base, their growth rate has been higher.
“From a tradecraft perspective, vishing attacks actually don't need to raise the bar too much - they are relatively straightforward to set up and execute,” said Iyer. “The improvements are made in the socially engineered details tied to the vishing attacks. For example, using HTML stylings in emails remarkably similar to Amazon, having a working phone line staffed by a real, friendly-sounding person to extract information, and hijacking the context of legitimate processes that actually use phone calls (like customer support, online order returns).”
One part of voice-based social engineering attacks that makes them successful for attackers is the human interaction piece, as it sets up a level of trust and person-to-person contact that's not present in email-based attacks. Andrew Brandt, principal researcher for Sophos, who talked to a BazarLoader call-center representative, said that the representative was “very helpful” in “gently” guiding unknowing victims through the process of downloading the malicious Excel spreadsheet.
“The most jarring aspect of the call was that they were so pleasant about it,” he said.
In addition to avoiding detection, another reason attackers might incorporate phone numbers into their malware and phishing emails is that it’s easy to set up - and also seamless to work around if the number is taken down, said Iyer.
“If the number here was taken down, it’s very easy for the attackers to stand up another number and repeat the attack flow, because they know the email is getting past Office 365 email security,” said Iyer.
Iyer said that, as with malware and phishing emails that don’t include a voice-based conversation aspect, potential victims should be suspicious of any caller asking for personally identifiable information (PII) over the phone, and should always confirm with legitimate contact numbers for the purported brands being used in the attack.
“If you suspect the call you’re on is a potential vishing conversation, immediately hang up and don’t feel obliged to carry on speaking or replying to questions out of politeness,” said Iyer. “If the caller provides a call-back number, avoid calling that number and instead search for a publicly available number of the company (in this case, Amazon) and call that number.”
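As an added, defender-side example (not from the article, Armorblox or Unit 42), the following Python sketches how the signals described above could be turned into detection logic: it normalizes phone numbers into one canonical form so they can be tracked and shared as indicators, and it scores an email that names a brand, arrives from an unrelated or freemail domain, carries a callback number but no links, and uses a billing pretext, while checking the number against a list of publicly verified support numbers. The sample messages, phone numbers, trusted-number list and domain sets are constructed placeholders, and the phone regex is a North American simplification.

```python
import re

# Constructed placeholders: brand domains, freemail providers and a list of publicly verified
# support numbers (the 555-01xx range is reserved for fiction, so these match no real line).
BRAND_DOMAINS = {"amazon": {"amazon.com"}}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
TRUSTED_NUMBERS = {"amazon": {"+18005550100"}}
# Simplified North American phone pattern (assumption); real deployments need libphonenumber.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://", re.I)
PRETEXT_RE = re.compile(r"invoice|order total|charged|premium trial")

# Constructed sample messages modelled on the lure described in the article and a benign notice.
LURE = {"from": "billing.team@gmail.com", "subject": "Invoice:ID 4471-2210",
        "body": "Thank you for shopping with Amazon. Your order total is $899.00. "
                "For returns call our Contact Us line at (800) 555-0199."}
BENIGN = {"from": "order-update@amazon.com", "subject": "Your order has shipped",
          "body": "Track your package at https://www.amazon.com/orders. "
                  "Questions? Call 1-800-555-0100."}

def normalize_phone(raw):
    """Reduce any written form of a number to +1NNNNNNNNNN so it can be shared as an indicator."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits  # assume a North American number when no country code is given
    return "+" + digits

def extract_numbers(text):
    """Return the set of canonical phone numbers found in free text."""
    return {normalize_phone(m.group(0)) for m in PHONE_RE.finditer(text)}

def score_vishing(msg):
    """Heuristic score for a callback-number lure; higher is more suspicious."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    numbers = extract_numbers(msg["body"])
    if not numbers:  # no callback number means no vishing lure to score here
        return 0, []
    score, reasons = 0, []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and sender_domain not in domains:
            score += 2
            reasons.append(f"{brand} named but sent from {sender_domain}")
            if numbers - TRUSTED_NUMBERS.get(brand, set()):
                score += 2
                reasons.append("callback number not in the brand's verified list")
    if sender_domain in FREEMAIL:
        score += 1
        reasons.append("freemail sender")
    if not URL_RE.search(msg["body"]):
        score += 1
        reasons.append("phone number but no links, so link filters see nothing")
    if PRETEXT_RE.search(text):
        score += 1
        reasons.append("billing pretext")
    return score, reasons
```

Canonical numbers from `extract_numbers` can be logged and matched across campaigns, which is the structured tracking Iyer notes is missing today.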