How DirectDefense Compromised a Banking Institution’s Help Desk and Member Services Using a Phone Social Engineering Attack + 5 Common Vishing Pitfalls to Avoid
Cyber criminals will stop at nothing to steal personal and confidential information from their target. In recent years, many high-profile attacks have leveraged targeted phone social engineering attacks, known as vishing. Vishing is short for “voice phishing,” which involves defrauding people over the phone and enticing them to divulge sensitive information, typically with the goal of gaining a financial advantage.
Putting A Vicious Tactic to the Test
As part of a comprehensive enterprise security assessment for a large banking institution, DirectDefense used vishing tactics to attempt to access confidential information from the bank’s IT help desk and member services desk. Think your organization’s secure information can’t be stolen in a matter of minutes? Read the following real-world phone-based scenarios and think again…
Scenario 1: Targeting the IT Help Desk
Our first phone social engineering attempt involved calling the IT help desk and pretending to be a contracted employee of the bank who was looking to reset their password and multi-factor authentication (MFA) for their account.
Help Desk: IT help desk, how can I help you?
Attacker: Hi, I’m a contractor for the bank and I’m trying to log into my account. The account is new and the password and multi-factor authentication need to be reset. Can you help me with that?
Help Desk: Sure, what’s the username on the account?
Attacker: abcd at bestbank dot com
Help Desk: (brief pause) Ok, your temporary password is BestBank1111.
Attacker: Great, thanks! Can you also help me to set up my MFA as well?
Help Desk: Ok, the next time you log in you’ll be able to reset the MFA. Is there anything else I can help you with today?
Attacker: No, I have everything I need. Thanks for your assistance!
Our consultant, still posing as the contractor, then hung up and logged in to Microsoft 365 resources with the temporary password, gaining access to private and confidential bank account information.
Scenario 2: Targeting the Member Services Desk
In this scenario, our consultant contacted member services from a spoofed number: the phone number of the head of IT at the banking institution. We got lucky, and the number popped up on the representative’s caller ID with that individual’s name. They answered by greeting the head of IT by name, which let our consultant immediately understand the role they had to play.
Service Desk: Hey, Steve!
Attacker: Hi, I’d like to reset a password.
Service Desk: (brief pause) All set!
Attacker: Thanks, but I’m actually trying to reset a member’s password and multi-factor authentication.
Service Desk: Oh, ok got it. Sorry about that! What is their member ID?
Attacker: I don’t have their member ID, just the name of the member. It’s John Doe from ABC Bank. Can you also change the email address on file and send the password and MFA reset to the new email?
Service Desk: No problem. What is the new email address?
Attacker: johndoe at abcbank dot com.
Service Desk: Ok, the email has been updated and the reset instructions have been sent to the new email.
Attacker: Perfect, thanks so much for all your help.
Service Desk: My pleasure, Steve! Have a great day.
The member services representative fully believed our consultant was the head of IT, and once directed to change the email address on file and send the password and MFA reset instructions to the new address, the representative did so – no questions asked.
In both scenarios, our team convinced the desk it called, first the IT help desk and then the member services desk, to reset both a password and multi-factor authentication for a user’s account. Each call lasted only a few minutes, demonstrating how quickly access can be handed over to an attacker.
In the first scenario, DirectDefense reset both the password and MFA for a contractor account using very limited information: nothing more than a username. The consultant was not challenged with security questions or any other independent verification. A temporary password was read out over the phone to someone merely claiming to be a bank contractor, and the MFA was reset at the same time, allowing whoever held that password to perform a complete takeover of the account.
5 Common Phone Security Pitfalls to Avoid
DirectDefense was able to compromise the account due to the following common pitfalls:
• Lack of Independent ID Verification: The identity of the caller was never verified. The consultant called from a burner number not associated with the contractor’s account, and the help desk neither checked the phone number nor asked security questions or anything else only the real contractor would have known.
• Lack of Internal Third-Party Verification: The help desk made no attempt to verify the caller’s identity internally, for example by contacting the user’s manager or another contact within the bank who could confirm both who the caller was and that the access was authorized.
• Password Provided via Phone: The password to the account was provided to the caller over the phone without any additional verification. The caller would then be able to log into, and take over, the account.
• Non-Random Password: A temporary password built from the bank’s name or address (e.g. BestBank1111) tips off an attacker that the help desk probably sets the same pattern for other users. Such passwords are easy to guess, and one known example can seed a password spray attack against the whole organization.
• MFA Full Reset: The help desk reset the MFA for the account at the same time as the password, effectively degrading the account to single-factor authentication. This allowed the consultant to take over the account as MFA could be newly set up upon the next log-on.
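The “Non-Random Password” pitfall above is the one a help desk can fix in software. The following is an added example, not DirectDefense’s code or any tooling from the bank: it generates temporary passwords from the operating system’s CSPRNG and rejects anything that follows the BestBank1111 pattern (organization name, with or without letter-for-digit substitutions, plus a short digit run). The organization name tokens, minimum length and character-class thresholds are assumptions chosen for illustration.

```python
"""Temporary-password hygiene for a help desk reset workflow.

Added example; not code from the original article. ORG_TOKENS, MIN_LENGTH
and the policy thresholds are assumed values, not the bank's real policy.
"""
import re
import secrets
import string
from typing import List, Sequence

# Assumed organization-name tokens that must never appear in a reset password.
ORG_TOKENS: Sequence[str] = ("bestbank", "bank")
MIN_LENGTH = 14
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

# Undo the common letter/digit substitutions people use to "disguise" a word,
# so B3stB4nk is caught just like BestBank.
LEET = str.maketrans("4301$5!7", "aeolssit")


def normalize(pw: str) -> str:
    """Lower-case the password and reverse leet substitutions."""
    return pw.lower().translate(LEET)


def password_weaknesses(pw: str, org_tokens: Sequence[str] = ORG_TOKENS) -> List[str]:
    """Return the reasons a temporary password is predictable; [] means it passes.

    The checks target exactly the pattern from the scenario: an org-name stem
    followed by a short digit run, reusable across many users by a sprayer.
    """
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(pw)
    for tok in org_tokens:
        if tok in norm:
            reasons.append(f"contains organization token {tok!r}")
            break
    if re.search(r"(\d)\1{2,}", pw):      # 1111, 0000, 2222 ...
        reasons.append("repeated digit run")
    if re.search(r"\d{4}$", pw):          # year- or PIN-style suffix
        reasons.append("ends in a 4-digit run")
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def generate_temp_password(length: int = 16, org_tokens: Sequence[str] = ORG_TOKENS) -> str:
    """Draw characters from the OS CSPRNG and retry until the policy passes.

    Rejection is rare for a 16-character draw, so the loop terminates quickly,
    but it guarantees no generated password ever matches the spray-able pattern.
    """
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_weaknesses(pw, org_tokens):
            return pw


if __name__ == "__main__":
    for candidate in ("BestBank1111", "B3stB4nk2022", generate_temp_password()):
        verdict = password_weaknesses(candidate) or ["ok"]
        print(f"{candidate:20s} {'; '.join(verdict)}")
```

The generator still only addresses one of the five pitfalls: even a perfectly random temporary password is useless if it is read out to an unverified caller and the second factor is reset in the same breath. Deliver it through a channel already tied to the verified user (the manager, a number on record) rather than over the inbound call.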
Educate, Educate, Educate
An overall lack of proper employee training and awareness, combined with the weaknesses that exercises like these keep uncovering in the client’s personnel training, are the main contributing factors to vishing success. In addition, the institution should have security questions in place for all employees, contractors, and members as an added layer of verification that the caller is who they say they are.
Another option is to institute a call-back procedure. Caller ID can be spoofed, but a call placed back to the displayed number reaches that number’s real owner, not the attacker; had the member services representative called back the number shown for the head of IT, they would have reached the head of IT, not our consultant. Better still, call back a number already on record for that person rather than the one displayed, so the verification never rests on anything the caller supplied.
Unfortunately, issues pertaining to end user security awareness are inherently difficult to fix. The human component is typically both one of the first lines of defense as well as one of the most vulnerable. However, with regular security awareness training and phone social engineering exercises (such as the ones conducted by our consultants) employees can be taught their role and responsibility in helping the organization thwart these attacks.
Answer the Call!
All organizations (not just banks!) who fall victim to a phone social engineering attack stand to lose not only internal critical data and information, but that of customers or members, which leads to costly reputational and operational losses. Who can afford that?
Don’t let something as simple as a phone call compromise your organization’s security. Vishing attempts are no match for a well-trained and educated staff. Let DirectDefense put your organization to the test so the next time the phone rings you’ll be ready to answer the call!
Contact Us Today!
Take stock of how secure your organization is from malicious attackers. Visit directdefense.com or call us at 1 888 720 4633.