August 20, 2020
Last month, three alleged hackers were arrested for manipulating Twitter to take control of 45 accounts belonging to high-profile figures including Jeff Bezos, Joe Biden and Elon Musk. Now, the technique these young malefactors used — dubbed “phone spear phishing” — is being used by so many other bad actors that experts describe it as a crime wave. Phone spear phishing, also known as “vishing,” a portmanteau of “voice” and “phishing,” has been used over the last month to attack banks, web hosting companies and cryptocurrency exchanges, said investigators.
Wired reports that, “as in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools.” The hackers then sell that access to others who target “high-net-worth users of the company’s services — most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.”
At Unit 221B, chief research officer Allison Nixon reported on the “big increase in this type of phishing” simultaneous with the Twitter attack, including companies not ordinarily seen as soft targets.
According to ZeroFOX director of threat intelligence Zack Allen, these individuals appear to be “young, English-speaking hackers organizing on forums like the website OGUsers.com and the chat service Discord.” He added that he has been “shocked by the level of research that the hackers have put into their social engineering, scraping LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees — some even starting their very first day on the job — and convincingly impersonating IT staff to trick them.”
Until now, phone-based phishing has “focused on phone carriers, largely in service of so-called ‘SIM swap’ attacks in which a hacker would convince a telecom employee to transfer a victim’s phone service to a SIM card in their possession” and then use the number to reset passwords or intercept two-factor authentication codes. Nixon said that phone carriers may be “hardening their defenses against SIM swaps … and hackers are finding other industries that are less well prepared for their tricks.”
She stated that the attacks are “well-coordinated, with multiple collaborators working together and hiring independent hackers offering specialized services from reconnaissance to voice acting.” On one OGUsers forum, users openly advertised for collaborators. Hackers “typically use a VoIP service that allows them to spoof their phone number … [and] attempt to establish trust with the victim by referencing seemingly private data such as the victim’s role at the company, their start date, or the names of their coworkers.”
When the “victim seems convinced,” hackers ask him or her to “navigate to a fake login page address … and enter their credentials,” while another member of the hacking team “immediately obtains those details and enters them into the real login page.”
Because the phishing site vanishes and there’s no email evidence, “this sort of phone-based engineering [is] often harder to detect than traditional phishing.” “People do not know that it’s happened,” said SocialProof Security chief executive Rachel Tobac. “They think the entire time that they were talking to a tech support person.”