Bypassing Multi Factor Authentication (MFA) with a callbot

Phishing

Most of the time, vishing requires a skilled operator to manipulate people.

Attackers need to not only be skilled, but also speak the language of the victim.

However, we found call bot attacks to be a very popular way to circumvent MFA: an automated bot calls the victim and asks for the One Time Password (OTP) after the stolen credentials have been entered.

This is a prototype we built as a proof of concept.

Most bots are controlled through Telegram channels and return the captured data to the operator there, on top of stealing cookies and setting up persistent access through specific Telegram commands.

Video demonstration

How it works

It's pretty simple. All an attacker needs is a set of valid credentials and the phone number of the victim.

Valid credentials can be obtained from data leaks and infostealer data. If not directly, common pattern recognition can help build relevant password lists and brute-force or "stuff" credentials to deduce the right combination.

Phone numbers can be obtained through data brokers and most common prospection and sales enrichment tools.

Once the attacker has these, they can start the call bot, which will in turn:

  1. Call the target
  2. Explain that a Time-based One Time Password will be sent to them to verify their identity, using a security procedure as the pretext.
  3. Log into the MFA protected portal to trigger the SMS-based MFA
  4. Ask the user to enter the code on their phone keypad
  5. The information is captured through DTMF signals (the phone sounds each number emits when pressed) and injected into the p
  6. The callbot and phishing kit will then steal the session cookie and establish persistence by adding a second MFA method controlled by the attacker
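From the defender's side, the flow above leaves a recognisable trace in authentication logs: an SMS OTP is accepted from an IP address the user has never completed MFA from, and a new MFA method is enrolled minutes later (the persistence step). The following detection logic is an added example, not code from the original post or from any tool it describes; the log format (one whitespace-separated event per line with timestamp, user, event kind and source IP), the event names and the 30-minute window are assumptions, and the log lines are constructed.

```python
"""Flag the callbot pattern in auth logs: SMS OTP verified from a never-before-seen
IP, followed shortly by enrollment of a new MFA method (attacker persistence)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <user> <event kind> <source IP>
# alice: baseline from 203.0.113.10, then OTP accepted from a new IP and an MFA
#        method added 82 seconds later  -> should alert
# carol: new IP, but enrollment 2.5 hours later -> outside the window, no alert
# bob:   no prior history at all (cold start)  -> nothing to compare against, no alert
SAMPLE_LOG = """\
2024-05-02T09:00:00 alice otp_verified 203.0.113.10
2024-05-03T14:02:11 alice login_success 198.51.100.7
2024-05-03T14:02:12 alice otp_sent 198.51.100.7
2024-05-03T14:03:40 alice otp_verified 198.51.100.7
2024-05-03T14:05:02 alice mfa_method_added 198.51.100.7
2024-05-01T08:00:00 carol otp_verified 203.0.113.20
2024-05-03T10:00:00 carol otp_verified 198.51.100.9
2024-05-03T12:30:00 carol mfa_method_added 198.51.100.9
2024-05-03T15:00:00 bob otp_verified 203.0.113.55
2024-05-03T15:20:00 bob mfa_method_added 203.0.113.55
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    kind: str  # login_success | otp_sent | otp_verified | mfa_method_added (assumed names)
    ip: str


def parse_log(text):
    """Parse the assumed log format into time-ordered AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, ip = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, kind, ip))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Return one alert per (user, OTP verification from a new IP) that is followed
    by an MFA enrollment within `window`. Users with no prior verified session are
    skipped: with no baseline, every IP would look new."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        trusted_ips = set()  # IPs from which this user previously completed MFA
        for i, e in enumerate(evs):
            if e.kind != "otp_verified":
                continue
            flagged = False
            if trusted_ips and e.ip not in trusted_ips:
                for later in evs[i + 1:]:
                    if later.ts - e.ts > window:
                        break
                    if later.kind == "mfa_method_added":
                        alerts.append({
                            "user": user,
                            "ip": e.ip,
                            "otp_verified_at": e.ts.isoformat(),
                            "mfa_added_at": later.ts.isoformat(),
                            "seconds_to_enrollment": int((later.ts - e.ts).total_seconds()),
                        })
                        flagged = True
                        break
            # A flagged session must not become part of the user's trusted baseline
            if not flagged:
                trusted_ips.add(e.ip)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running the block prints a single alert for alice. In a real deployment the "new IP" test would be replaced by whatever device or network fingerprint the identity provider exposes, and a positive hit is a good trigger to invalidate the session and require re-verification of any MFA method enrolled during it.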

The process is very simple and we've seen it deployed using Telegram channels as a command and control interface.

It makes things very easy for attackers who don't speak the victim's language, or lack the infrastructure or know-how to call their targets and conduct the voice phishing attack themselves.

Note that caller IDs can be spoofed pretty easily, so the callbot might appear to call from an official phone number, fitting the pretext.

Stay safe out there and don't answer the callbots and hang up on suspicious automated calls.
