How We Used Vishing to Attack an Internal Corporate Network
We are back with the third and final write-up of our social engineering blog series, following previous posts about an email phishing campaign and targeted phishing scenarios using social media. This post is all about a vishing call!
Vishing, or voice phishing, is a social engineering technique that uses phone calls to elicit personal or confidential information from users. Threat actors impersonate someone believable to trick the target into providing information. In a red team or penetration test engagement where we have not had much success during email phishing campaigns, we often turn to a vishing call.
The Story of Our Vishing Call Campaign
For this specific engagement, I compromised the client’s Outlook 365 environment, but I wanted more. I wanted to compromise the VPN in order to interact with internal resources and applications in their corporate environment. So, I bought a domain like ‘vpntesting.com’ and created a reverse proxy using their real VPN system.
To kick this effort off, we needed to do our homework first and recon!
Phase #1 – Recon
|We can use Google or check email signatures to enumerate phone numbers. Then, we can modify the last two digits and keep trying until we reach a valid number.|
We only validate the phone number after the person picks up, and even so, we may have reached a different person and sometimes a completely different company.
|In most cases, we are not sure who we have called. Ask first who is speaking! Keep the list of employees near you and reference it. Knowing the target’s role can make a difference here.|
Phase #2 – Define Your Persona
As always, we need to define who we will be impersonating in the scenario. In this exercise, I impersonated an Incident Response (IR) employee.
|I like to act as an IT person and use my own name. At this company, the employees do not know everyone in the company, and when you say your own name, you feel more comfortable. Personally, I feel more comfortable using my own name because lying straight-faced, even over the phone, is not an easy task.|
In addition, I prefer to pose as an IT employee because someone in that role would normally ask technical questions. However, as always, you can be creative.
Phase #3 – Making the Call
Posing as a concerned IR employee, I explained to the user on the other end of the vishing call that their account was performing suspicious behavior and that we should test the VPN credentials to ensure everything was correct; otherwise, I would block the account for further investigation.
|We don’t want to ask for passwords or sensitive information because the victim could quickly lose trust and refuse to work with us.|
I explained the “serious” issue at hand and then asked the victim to log in for testing purposes. Cue the reverse proxy!
Phase #4 – Access Granted
At this stage of the engagement, I had captured enough data to join the VPN session through the reverse proxy, and then attacked the internal corporate environment. I was able to access servers, applications, and services that only an employee could access. If a real threat actor gained this type of access, they could search for confidential employee information and take their social engineering campaign even further by targeting other employees. They could also search for vulnerabilities in the network and even try to escalate their privileges to Domain Administrator.
Where Social Engineering is Concerned, There’s Always a Way
The purpose of this series was to show how social engineering is applied during red team and penetration testing engagements while bringing awareness to this common issue that can cost organizations hundreds of thousands of dollars. I hope you found this information useful.
To beat an attacker, you need to think and behave like one. We use the same tools and techniques as today’s advanced attackers to mimic real-world incidents within your organization’s security environment.
Sign up for a penetration testing engagement with us to learn how your organization stands up against simulated attacks and gain actionable data on how to improve your organization’s security posture.