This week, Charlie discusses vishing and how it can affect your organisation, and looks at the importance of sufficient cyber training in the workplace.
This week, I was going to write about the MGM Resorts hack in September 2023 and, as part of my research on the hack and its effects on the casino, I learned that the hack had been initiated by a vishing attack. Vishing is social engineering conducted over the phone: the attacker contacts a victim who is tricked into giving away credentials, two-factor information, and passwords, which then allow the attacker to gain access to the victim’s systems. In the case of MGM Resorts, attackers used vishing to gain access to the company’s Okta client, Okta being a cloud-based identity and access management (IAM) service. Once the attackers had access to the Okta client, they were able to harvest further credentials from the identity management system. This allowed them to infiltrate MGM’s network and deploy ransomware, which encrypted the company’s data, after which they demanded a ransom payment.
The reason I decided to write about vishing is that we are generally educated to be vigilant against phishing scams. We receive a lot of training on avoiding clicking on links in emails, and many organisations run phishing campaigns to test our susceptibility. While such campaigns almost always catch someone, I believe those at work should at least be aware of the vishing scam as well.
In our personal lives, we are also cautious about scam phone calls, whether they are purportedly from banks, government officials, or individuals offering seemingly too-good-to-be-true deals. If we have elderly parents, we often find ourselves needing to educate them about calls claiming to be from their bank or Microsoft, regarding apparent IT issues, as these are likely to be scams. However, I believe there is a gap in awareness when it comes to vishing calls at work.
At work, many of us are accustomed to receiving calls or emails from unfamiliar individuals. In commercial organisations, we expect unsolicited calls, often hoping they are potential customers interested in purchasing our products or services. I think people at work need to be trained to be as wary of vishing calls as they are of phishing emails. Additionally, we are accustomed to receiving calls from both inside and outside our organisation from individuals seeking information. What can make vishing harder to detect is the use of deepfakes, where the voice of a person in authority is imitated to carry out the scam. I came across this example: In 2023, a hacker used AI to deepfake the voice of a senior executive at a large financial institution to trick an employee into approving a fraudulent wire transfer of $10 million. The hacker called the employee and posed as the senior executive, claiming to be in an urgent situation and needing the employee to approve a wire transfer to a third-party vendor. The employee, believing that the request was legitimate, approved the transfer.
The gang alleged to have carried out the MGM hack is Scattered Spider, a group that stands out from others. Those who conducted the vishing attack spoke English fluently and without an accent. I came across a Joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on the group.
What I thought was interesting was the different types of vishing attacks that they have carried out and whom they posed as:
- Company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network
- Company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access
- IT staff to convince employees to share their one-time password (OTP), an MFA authentication code
- Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue)
- Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts
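The MFA fatigue technique in the list above leaves a recognisable trace in authentication logs: a burst of push prompts to one user, often with rejections, followed by an approval. The following is an added example (not part of the original post, nor from any vendor's tooling) that flags that pattern over constructed log lines; the log format, user names, field names and thresholds are all assumptions.

```python
# Added example (not from the original post): flag MFA-fatigue patterns in
# constructed push-notification logs. Assumed format: ISO timestamp, user,
# event (push_sent / push_denied / push_approved).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; user names and timings are made up.
SAMPLE_LOG = """\
2023-09-10T02:14:05Z alice push_sent
2023-09-10T02:14:20Z alice push_denied
2023-09-10T02:14:35Z alice push_sent
2023-09-10T02:14:50Z alice push_denied
2023-09-10T02:15:05Z alice push_sent
2023-09-10T02:15:40Z alice push_sent
2023-09-10T02:16:02Z alice push_approved
2023-09-10T09:01:00Z bob push_sent
2023-09-10T09:01:08Z bob push_approved
"""

def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def find_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=3):
    """Return {user: details} for users who received at least `min_pushes`
    prompts within `window` before approving one. Denials preceding the
    approval are the strongest sign that the prompts were unsolicited."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    flagged = {}
    for user, evs in by_user.items():
        for i, (ts, event) in enumerate(evs):
            if event != "push_approved":
                continue
            recent = [e for e in evs[:i] if ts - e[0] <= window]
            pushes = sum(1 for _, e in recent if e == "push_sent")
            denials = sum(1 for _, e in recent if e == "push_denied")
            if pushes >= min_pushes:
                flagged[user] = {"pushes": pushes, "denials": denials, "approved_at": ts}
    return flagged

if __name__ == "__main__":
    for user, info in find_mfa_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {info['pushes']} pushes, {info['denials']} denials, approved {info['approved_at']}")
```

On the constructed sample, alice is flagged (four prompts and two denials in the ten minutes before approval) while bob's single prompt and approval is normal sign-in behaviour.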
In some hacks, the vishing part may be only one aspect of a broader attack and may be combined with other techniques, such as phishing or smishing, to gather the information needed for social engineering. In conclusion, we need to educate our staff about the threat from vishing, as well as the more widely publicised threat from phishing.