Vishing on a star: Caller ID Spoofing in Phishing Attacks

The phenomenon of cybercriminals utilizing a phone for phishing attacks, referred to as “vishing,” can often increase their chances for success by using caller ID spoofing technology, which fakes a familiar phone number.

According to the Internet Crime Complaint Center, the reporting mechanism for the FBI, over 13,000 people in 2019 reported being victims to scammers impersonating government officials. This resulted in an estimated $124 million of reported losses. 

But vishing is not limited to impersonating a government official. The deep and dark web provides the necessary components for successful vishing attacks by leveraging illegally obtained Personally Identifiable Information (PII), customer data obtained through breaches, compromised payment cards and account information.

This enables threat actors to perform identify fraud, theft, and account takeover, by creating various cover stories with the help of caller ID spoofers. These include but are not limited to: 

  1. Imitating an account holder and calling a financial institution to transfer funds.
  2. Mimicking a company’s IT support/Help Desk service to call a “fellow colleague” to provide them with requested information. 
  3. As mentioned above, impersonating a figure of authority (government agency, financial institution, etc) and calling the victim directly.  

The use of caller ID spoofing technology in itself is not illegal. It is legitimately used by law enforcement, collection agencies, confidential discussions between domestic abuse victims and medical professionals, and for companies that want to display the same toll-free number rather than an extension when calling out.  What determines the legality of the practice is related to the intent of the user, whether for lawful uses, or illegal ones designed to deceive and accomplish malicious ends.  

Vishing well - the deep and dark web is the go-to place for spoofing knowledge

The use of caller ID spoofing during scams has been increasing in popularity, in part due to the proliferation and ease of using VoIP technology. In general, VoIP is less expensive than a landline, since it already leverages an existing internet connection, and does not require hardware or installations. As a result of the lower cost, the lack of geographical constraint, and no required in-depth knowledge of landline equipment, scammers face a much-lowered barrier to entry, which has also made caller ID spoofing an important part in the vishing process. 

A review of data taken from Sixgill’s portal highlights this increase, as references related to caller ID spoofing and vishing appear to be trending upward. Between 2018 and 2019, there was a 2x increase in mentions.

vishing-1

Deep and dark web: caller id spoofing References

References to caller ID spoofing in the underground are primarily centered in the following categories: receiving recommendations for popular spoofing sites/applications;  tutorials for how to set up a vishing attack with caller ID spoofing; spoofing service providers advertising their wares; and those offering call services that can be used in vishing attacks. 

Seeking Recommendations: In the post below, a threat actor seeks a recommendation for a caller ID spoofer and receives a response several hours later for one of those services. 

vishing-2

Providing a Tutorial: To boost one’s prestige in the underground, some threat actors will post “best practices”, explanatory posts, or provide guides and tutorials free of charge. The threat actor below lays out a step by step tutorial on spoofing a number. 

vishing-3

Advertising: Although spoofing a number for non-malicious purposes is not illegal, the promotion of such services on dark web forums dedicated to hacking does not leave much to the imagination. In order to garner interest in one of these services, a threat actor provides a pricing structure and puts forward the capabilities of their caller ID spoofing application. 

vishing-4

Call Center Vishing Services: Obtaining caller ID spoofing technology is just one component of a vishing attack. The threat actor still needs to make the calls, which can be time consuming, and may also involve an intended victim who may not speak the same language. This element can be outsourced to fraudulent call centers, that cover a variety of languages. In the post below, it is interesting to note that both American and British accents are being offered as part of a vishing call center offering, highlighting the likely popularity of both the US and UK as targets. 

vishing-5

FUTURE OUTLOOK

In a targeted vishing attack in March 2019, threat actors used artificial intelligence to imitate the voice of the CEO of a German company, convincing an executive at its UK subsidiary to transfer $243,000 to a “supplier,” which of course did not exist. While this sort of attack will likely require more advanced knowledge,  utilizing voice cloning software may be the next frontier in vishing attacks. Sixgill has already identified threat actors seeking these services. When there is demand, there will likely be a supply. 

vishing-6

Successful vishing may require nuance and manipulation skills, while new scams are constantly emerging. This necessitates increased vigilance, and because Sixgill’s portal provides access to the discourse on the dark web, it supports organizations’ desire to be proactive and adapt early on to the warning signs of threats. 

To see Sixgill's threat intelligence investigative portal in action, schedule a demo with a threat intelligence expert today.

SCHEDULE A DEMO