Dark Mode
Capec-656 Detail
Voice Phishing
Detailed Social Engineering Likelihood: High Typical Severity: High
Parents: 98
Threats: T263 T292 T307
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-656 | capec | https://capec.mitre.org/data/definitions/656.html | |
| REF-592 | reference_from_CAPEC | https://blog.malwarebytes.com/101/2018/12/something-else-phishy-detect-phishing-attempts-mobile/ | Jovi Umawing, Something else is phishy: How to detect phishing attempts on mobile phones , 2018--12---10, Malwarebytes |
| REF-594 | reference_from_CAPEC | https://ieeexplore.ieee.org/document/6604058/authors#authors | Jennifer van der Kleut, What is vishing? Tips for spotting and avoiding voice scams, NortonLifeLock Inc. |
| REF-595 | reference_from_CAPEC | https://www.kaspersky.com/resource-center/definitions/vishing | What Is Vishing?, AO Kaspersky Lab |
Explore
-
Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate organization more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. If the adversary leverages cold-calling for this attack, this step is skipped.
-
Explore legitimate website and create duplicate: An adversary optionally creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the organization's website that they are trying to impersonate. That website will contain a telephone number for the victim to call to assist them with their issue and initiate the attack. If the adversary leverages cold-calling for this attack, this step is skipped.
| Techniques |
|---|
| Optionally obtain a domain name that visually looks similar to the legitimate organization's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L) |
| Optionally obtain a legitimate SSL certificate for the new domain name. |
| Techniques |
|---|
| Use spidering software to get copy of web pages on legitimate site. |
| Manually save copies of required web pages from legitimate site. |
| Create new web pages that have the legitimate site's look and feel, but contain completely new content. |
Exploit
-
Convince user to provide sensitive information to the adversary.: An adversary "cold calls" the victim or receives a call from the victim via the malicious site and provides a call-to-action, in order to persuade the user into providing sensitive details to the adversary (e.g. login credentials, bank account information, etc.). The key is to get the victim to believe that the individual they are talking to is from a legitimate entity with which the victim does business and that the call is occurring for legitimate reasons. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.
-
Use stolen information: Once the adversary obtains the sensitive information, this information can be leveraged to log into the victim's bank account and transfer money to an account of their choice, or to make fraudulent purchases with stolen credit card information.
| Techniques |
|---|
| Call the user a from a spoofed legitimate-looking telephone number. |
| Techniques |
|---|
| Login to the legitimate site using another the victim's supplied credentials |
- An adversary needs phone numbers to initiate contact with the victim, in addition to a legitimate-looking telephone number to call the victim from.
- An adversary needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.
- An adversary needs to have a sufficiently compelling call to action to prompt the user to take action.
- If passively conducting this attack via a spoofed website, replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.
- Legitimate-looking telephone number(s) to initiate calls with victims
| Medium |
|---|
| Basic knowledge about websites: obtaining them, designing and implementing them, etc. |
| Integrity | Authorization | Access Control | Confidentiality |
|---|---|---|---|
| Modify Data | Gain Privileges | Gain Privileges | Gain Privileges |
| Read Data |
- The target receives an email or text message stating that their Apple ID has been disabled due to suspicious activity and that the included link includes instructions on how to unlock their Apple account. The link in the text message looks legitimate and once the link is clicked, the user is redirected to a legitimate-looking webpage that prompts the user to call a specified number to initiate the unlock process. The target initiates the phone call and provides their credentials or other sensitive information to the individual they assume works for Apple. Now that the adversary possess this data, it can be used to log into the account to obtain other sensitive data, such as Apple Pay information.
- An adversary calls the target and claims to work for their bank. The adversary informs the target that their bank account has been frozen, due to potential fraudulent spending, and requires authentication in order to re-enable the account. The target, believing the caller is a legitimate bank employee, provides their bank account login credentials to confirm they are the authorized owner of the account. The adversary then confirms this authentication and claims that the account has been unlocked. Once the adversary has obtained these credentials, money can be transferred from the victim's account to an account controlled by the adversary.