Vishing – Another Form of Social Engineering
Recently, a customer reached out to me and asked me to comment on the current state of Vishing, or Voice Phishing, as it applies to today’s communications environments. Since it is one of my pet peeves, I gladly provided them with a brief write-up on the topic of Caller ID spoofing and the net effect on overall network security. Writing about such things is like walking a very thin line. While you don’t want to educate potential “bad actors” with information on how to perpetrate an event, you need to increase awareness so that others can easily recognize potential threats that fit, or do not fit, a specific pattern or profile.
As communications technology migrates away from traditional carrier network architectures, confidence in Caller ID is dwindling. In a legacy network, Caller ID is typically associated with a specific pair of wires connected to the telephone company end office. The subscriber information for each call is associated with the call event by the central office, and the originating endpoint, in most cases, has no ability to generate or modify this information. Based on this, the information received at the terminating side (Caller ID) was trusted and assumed to be verified.
While this is true for analog endpoints, or POTS lines, the same is not true for VoIP. This new technology brings a twist to the trust factor of Caller ID, as now the origination endpoint (being IP-based) has the ability to define and transmit the Caller ID and name of each individual call session.
VoIP carriers rarely provide any validation of this information, letting it proceed into the PSTN unfettered. This enables the creation of several new scenarios that, before now, were not even possible without complex equipment or access at a deep level in the telephone network. If sent by the originating endpoint, Caller Name (CNAM) information can be transported to the receiving endpoint. Typically it is applied at the terminating Central Office which does a CNAM lookup based on the ANI or Caller ID received. Unfortunately, this can enable a spoofed Caller ID at the terminating endpoint.
Telephone hackers, or “phone phreakers,” can use this loophole to add a level of credibility to their efforts. Using a number of methods, they can easily control whatever Caller ID and CNAM appear, ultimately masking their true identity and adding an incredible amount of credibility to their phishing schemes.
It is a well-known fact that hackers look for and exploit tiny, seemingly irrelevant bits of information and then use that information to build credibility.
Imagine receiving a simple call from a representative of your company’s IT support team that displays a valid, recognizable caller ID.
This new technology makes that hack possible. It creates a veil of confidence that allows the phreaker to extract sensitive information such as usernames or passwords.
Scared? Good, you should be.
What’s even scarier is the fact that there is currently no way to authenticate or expose this tactic, so we must remain alert and diligent. We need to train our employees to immediately recognize and then report social engineering attacks.
There is a lesson in this story. While the hack is simple caller ID spoofing, it in itself is not the sole threat. This is an enabler of an even graver threat: social engineering… and that is difficult or impossible to prevent.