A new report, published as a blog post, has shone a light on the malicious practice known as voice phishing, or vishing – a social engineering tactic that some cyber experts say has only grown in prominence since COVID-19 forced employees to work from home.
And in some instances the technique is being used to supplement email-based phishing attempts.
“Vishing is one of the attacks that we’ve seen a huge surge in since lockdown,” in part due to the increase in conversations that happen over the phone or over Zoom, said report author Abhishek Iyer, director of product marketing at Armorblox, in an interview with SC Media. Iyer estimated that the number of vishing attacks has doubled since the COVID-19 pandemic took hold in March of 2020. Indeed, some of these attacks even leveraged the pandemic as a lure, to trick people into calling numbers for coronavirus test results, he added.
Iyer also believes that the frequency of emails sent from businesses and employers related to password resets, security alerts, locked accounts, order confirmations and invoices has increased during the pandemic as well. “And so many of the attacks that we see try to replicate these workflows,” because “we tend to act quicker on these.”
The report from Armorblox describes a pair of recently observed attacks in which adversaries sent an email designed to fool recipients into calling a phone number staffed by a malicious actor, who then continues the scam from there. A similar tactic was used recently by actors looking to spread BazarBackdoor malware, but in this latest case, the purpose was to steal credit card information.
This hybrid use of email and phone is a technique designed to avoid actually placing malicious phishing URLs or attachments in emails, in order to bypass email security solutions and spam filtering. For instance, both of the attacks described by Armorblox reportedly bypassed Microsoft security controls.
“The only payload here is a phone number, and phone numbers are not something that the security community tracks and shares in a scalable manner. I don’t know if it’ll ever be,” said Iyer. And because phone numbers can be changed and reassigned, you often “don’t really know if a phone number is legitimate or not.”
“It is apparent that it is a two-prong attack – the first being phishing and the second being vishing,” said James McQuiggan, security awareness advocate at KnowBe4, commenting on the report. “Phishing is not always about clicking a link or opening an attachment, but getting the victim to take an action they might not otherwise take. The email appears believable, and they provide a phone number which continues the confidence or social engineering scam against the victim.”
Both email attacks were sent from Gmail accounts, used a fake order confirmation as a lure, and employed social engineering techniques such as messaging that’s “carefully treading the line between vagueness and urgency-inducing specificity,” Iyer wrote in the blog post.
One attack impersonated electronics retailer Best Buy’s Geek Squad division, even using HTML styling similar to the actual company’s in order to feign authenticity. This attack informed recipients that they had been renewed for an annual protection service at the cost of $358.46 – a sizable enough fee to potentially trigger some victims to call the posted number before recognizing that something is suspicious.
The other attack impersonated communications from Norton AntiVirus, but used the digit zero instead of the letter O in order to trick “deterministic filters or blocklists that check for brand names being impersonated,” the blog post explains.
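As an added example (not code from the report or from Armorblox), the following Python triage check folds lookalike characters before matching brand names, so the zero-for-O trick described above does not defeat the match, and flags mail whose only call to action is a phone number rather than a URL. The brand list, the legitimate sender domains, the urgency terms and both sample emails are constructed assumptions for illustration.

```python
import re

# Lookalike characters attackers swap in to evade exact-match brand blocklists.
# The zero-for-O swap is the one the report describes; the rest are common
# substitutions of the same kind (assumption, not taken from the report).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})
# Brands from the report paired with constructed legitimate sender domains.
BRANDS = {"geek squad": "bestbuy.com", "norton": "norton.com"}
URGENCY_TERMS = ("renewed", "charged", "call", "cancel", "refund", "dispute")

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\d{1,4}(?:\.\d{2})?")

def normalize(text: str) -> str:
    """Fold lookalike characters so 'N0rton' compares equal to 'norton'."""
    return text.lower().translate(HOMOGLYPHS)

def analyze(sender: str, subject: str, body: str) -> dict:
    """Return phone numbers found plus the signals a vishing lure tends to combine."""
    text = f"{subject}\n{body}"
    norm = normalize(text)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    for brand, legit in BRANDS.items():
        from_brand = sender_domain == legit or sender_domain.endswith("." + legit)
        if brand in norm and not from_brand:
            findings.append(f"'{brand}' referenced from non-brand domain {sender_domain}")
            if brand not in text.lower():  # only matched after folding lookalikes
                findings.append(f"'{brand}' spelled with lookalike characters")
    phones = PHONE_RE.findall(text)       # extracted from the raw text, not norm
    if phones and not URL_RE.search(text):
        findings.append("phone number is the only call to action (no URLs)")
    if AMOUNT_RE.search(text) and any(t in norm for t in URGENCY_TERMS):
        findings.append("billing amount combined with urgency wording")
    return {"phones": phones, "findings": findings, "suspicious": len(findings) >= 2}

# Constructed samples: a lure in the style the report describes, and a benign receipt.
PHISH = dict(sender="orderdesk.1947@gmail.com",
             subject="Your N0rton AntiVirus plan has been renewed",
             body="Your annual N0rton AntiVirus protection was renewed and $349.99 "
                  "was charged to your card. To cancel, call 1-555-010-0123 today.")
LEGIT = dict(sender="no-reply@norton.com",
             subject="Your Norton subscription receipt",
             body="Your plan renewed for $49.99. Manage it at https://my.norton.com/ "
                  "or call 1-555-010-0456 with questions.")
```

Calling `analyze(**PHISH)` yields four findings (brand from a non-brand domain, lookalike spelling, phone-only call to action, amount plus urgency) and marks the mail suspicious, while `analyze(**LEGIT)` produces only the soft amount-plus-urgency signal.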
In both cases, Armorblox researchers discovered that the numbers listed in the phishing/vishing emails had been disconnected. But it’s simple enough for a new number to spring up just as quickly. According to Iyer, it’s relatively easy and cheap for cybercriminals to set up this kind of scam. “I don’t think there’s anything too sophisticated,” he said. “Setting up a Google Voice number is very easy. The email attack doesn’t even need to have a URL, and attackers can be confident of launching these attacks at scale and maybe they’ll make their way past inboxes.”
In his blog post, Iyer recommends that user organizations protect themselves by bolstering native email security with additional controls, being aware of social engineering cues, observing MFA and password management best practices, and avoiding sharing sensitive information over the phone.
“Always be sensitive when you’re talking to someone over the phone and they’re asking you for data that sounds strange, especially if it’s someone you have ever talked to before,” said Iyer. “We want to be polite over the phone, so if someone asks us [for personal information], we won’t hang up straight away. We’ll see what the call is about – there is a human being on the end of the line, after all.”
Keep that politeness in check, he added, especially when someone is asking you for account details.
“Users must educate themselves and remain aware of the latest scam emails, and trust, but verify when it comes to billing or information requests,” added McQuiggan. “Users should understand that they need to confirm information through the actual website and avoid utilizing the information within an email when prompted with an email.”
The post Hybrid phishing and vishing attacks hunt for credit card info appeared first on SC Media.