I was recently tasked with managing a rather large vishing campaign targeting a major financial institution. Normally, when we get these kinds of campaigns, we're tasked with making ten to fifty phone calls (whether or not someone answers) and reporting the results. This campaign differed in that we had to actually talk to 100 individuals. That doesn't sound so bad, right? In reality, our team ended up making hundreds of calls to hit that final goal of 100 real conversations, and in a relatively short period of time. In this post, I'll share the challenges we faced in executing a mass vishing campaign with high requirements and expectations.
Let us first examine the specific requirements: our team was expected to talk to 100 people in four days' time, during banking hours (0900-1700). We received a call list of around 500 numbers, which was great, but our chosen pretexts ended up disqualifying roughly sixty of those individuals based on their respective departments and positions. The pretexts themselves had to be pre-approved by our point of contact. Our objective for the engagement was to obtain sensitive information and/or corporate credentials. As this was executed for a long-time client, most of our consultants already had a working knowledge of the target from earlier work; we were therefore only permitted to use information obtainable via OSINT during the vishing campaign. No fruit of the poisoned tree, so to speak, would be permitted.
Without being too specific, our first chosen scenario required cloning the company's externally facing HR portal. That page consisted of a simple login form, password reset instructions, and a help desk phone number. We spoofed our caller ID to show that help desk number. The pretext was simple:
We've just completed some back-end work on the HR portal, and we've randomly chosen employees to test the functionality of the login form to make sure everything's working as it should...
For the second pretext, we again used HR as a means of soliciting information from our targets. We had two of our consultants call as two separate people from HR claiming that a merger with another financial institution had messed up some records in the database, and they had been tasked with calling people to verify certain pieces of personal data.
The most obvious challenge is time: do you have enough of it to complete a large engagement within the specified parameters? We ended up calling 273 numbers (many of them multiple times) before we were able to reach the required 100 targets; roughly one number in three produced an actual conversation. Our second pretext also required that we conduct on-the-fly OSINT in order to legitimize our request for PII. Budgeting every dial at the average call length of around 5 minutes, that's a little under 23 hours of calling, plus prep time.
The Incident Response team at our client wasn't privy to our engagement, so they acted exactly as they should have: roughly four hours into the assessment, they started blocking our cloned websites so our targets could no longer visit them.
Internal warning emails were also circulating at the client, and our calls were getting noticed. With time being the biggest issue here, the longer we took to talk to 100 people, the more opportunity there was for employees to talk to each other and lessen the likelihood of our success. Again, great for the client, but it presented a challenge for our social engineers.
How We Dealt With It
With the number of calls we had to place, a small, well-organised team was the best option. We had 3-4 callers and one person manning a sort of 'scoreboard' which kept track of users, numbers, pretext used, success/fail, and what information was obtained. All of this would be needed further down the road for the statistics in the report.
We also used a chat room (Slack or one of the various XMPP options out there) to keep track of everyone's calling status. This worked well because many calls were going out at the same time; rather than yelling out call statuses across the room, putting them in the chat allowed the team leader to keep the scoreboard up to date.
Finally, because the first pretext required emailing the target a link to the cloned portal while the caller was still on the line, we designated one person to send the emails while the other talked. The email was loaded and ready to go in King Phisher, and the verbal cue was "alright, I'm sending you an email now, could you please visit that link when you get it?"
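The scoreboard above and the time estimate earlier in the post both come down to the same bookkeeping: who was dialed, with which pretext, whether a conversation happened, and what it yielded. The following is an added example of that bookkeeping, not tooling from the original post or the team described in it. The class and function names, the call-list numbers and the sample call records are constructed for the illustration; `plan_engagement` reproduces the post's conservative estimate of budgeting every dial at the full average call length.

```python
"""Call-log 'scoreboard' and capacity planner for a mass vishing engagement.

Added illustration, not the original post's tooling. Names, numbers and the
sample records below are constructed for the example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class CallRecord:
    when: datetime
    caller: str                     # consultant who placed the call
    number: str                     # target number from the client's list
    pretext: str                    # approved pretext used on this dial
    reached: bool                   # an actual conversation took place
    success: bool = False           # credentials / sensitive data obtained
    obtained: tuple[str, ...] = ()  # e.g. ("creds",) or ("dob", "employee_id")
    minutes: float = 0.0            # talk time, for the time budget


@dataclass
class Scoreboard:
    """One shared record of who called whom, with what, and what it yielded."""
    target_conversations: int
    records: list[CallRecord] = field(default_factory=list)

    def log(self, rec: CallRecord) -> None:
        self.records.append(rec)

    def dials(self) -> int:
        return len(self.records)

    def numbers_dialed(self) -> set[str]:
        return {r.number for r in self.records}

    def numbers_reached(self) -> set[str]:
        return {r.number for r in self.records if r.reached}

    def conversations(self) -> int:
        # Count distinct people, not dials: reaching the same person twice
        # does not move the engagement closer to its goal.
        return len(self.numbers_reached())

    def remaining(self) -> int:
        return max(self.target_conversations - self.conversations(), 0)

    def contact_rate(self) -> float:
        """Share of dialed numbers that produced a conversation."""
        dialed = self.numbers_dialed()
        return len(self.numbers_reached()) / len(dialed) if dialed else 0.0

    def talk_minutes(self) -> float:
        return sum(r.minutes for r in self.records)

    def per_pretext(self) -> dict[str, dict[str, int]]:
        """Dials / conversations / successes per pretext, for the report."""
        stats: dict[str, dict[str, int]] = {}
        for r in self.records:
            s = stats.setdefault(r.pretext, {"dials": 0, "reached": 0, "success": 0})
            s["dials"] += 1
            s["reached"] += int(r.reached)
            s["success"] += int(r.success)
        return stats

    def data_obtained(self) -> Counter[str]:
        return Counter(item for r in self.records for item in r.obtained)

    def repeat_dials(self) -> dict[str, int]:
        """Numbers dialed more than once; each retry is another chance to be noticed."""
        counts = Counter(r.number for r in self.records)
        return {n: k for n, k in counts.items() if k > 1}

    def next_numbers(self, call_list: list[str]) -> list[str]:
        """Numbers still worth dialing: never reached, with untried ones first."""
        reached, tried = self.numbers_reached(), self.numbers_dialed()
        pending = [n for n in call_list if n not in reached]
        return sorted(pending, key=lambda n: n in tried)  # False (untried) sorts first


def plan_engagement(target: int, reached: int, dialed: int, avg_call_minutes: float,
                    callers: int, hours_per_day: float, days: int) -> dict:
    """Feasibility check before accepting a high-volume scope.

    reached/dialed is the contact rate assumed from a previous campaign (the
    post's figures: 100 conversations from 273 numbers). Every expected dial is
    budgeted at the full average call length, so the estimate is conservative.
    """
    expected_dials = -(-target * dialed // reached)          # ceiling division
    calling_minutes = expected_dials * avg_call_minutes
    available_minutes = callers * hours_per_day * days * 60
    return {"expected_dials": expected_dials,
            "calling_hours": round(calling_minutes / 60, 2),
            "available_hours": available_minutes / 60,
            "feasible": calling_minutes <= available_minutes}


# Constructed sample: one morning of calls by three consultants (not real data).
SAMPLE_RECORDS = [
    CallRecord(datetime(2016, 3, 7, 9, 5), "alice", "+15555550101", "portal-test",
               reached=True, success=True, obtained=("creds",), minutes=6),
    CallRecord(datetime(2016, 3, 7, 9, 12), "bob", "+15555550102", "portal-test", reached=False),
    CallRecord(datetime(2016, 3, 7, 9, 30), "bob", "+15555550102", "hr-merger", reached=True, minutes=4),
    CallRecord(datetime(2016, 3, 7, 9, 40), "carol", "+15555550103", "hr-merger",
               reached=True, success=True, obtained=("dob", "employee_id"), minutes=7),
    CallRecord(datetime(2016, 3, 7, 9, 50), "alice", "+15555550104", "hr-merger", reached=False),
    CallRecord(datetime(2016, 3, 7, 10, 2), "alice", "+15555550104", "hr-merger", reached=False),
]
CALL_LIST = ["+15555550101", "+15555550102", "+15555550103", "+15555550104", "+15555550105"]


def build_sample_board(target: int = 5) -> Scoreboard:
    board = Scoreboard(target_conversations=target)
    for rec in SAMPLE_RECORDS:
        board.log(rec)
    return board


if __name__ == "__main__":
    board = build_sample_board()
    print(board.conversations(), "of", board.target_conversations, "conversations;",
          board.dials(), "dials; contact rate", round(board.contact_rate(), 2))
    print("per pretext:", board.per_pretext())
    print("repeat dials:", board.repeat_dials())
    print("dial next:", board.next_numbers(CALL_LIST))
    print("plan:", plan_engagement(100, 100, 273, 5, 3, 8, 4))
```

Two design points worth noting. `conversations()` counts distinct numbers, not dials, because a second chat with someone already reached adds nothing to the 100-person goal and only raises the chance they compare notes with a colleague. `next_numbers()` pushes never-dialed numbers ahead of retries for the same reason, and `repeat_dials()` gives the team leader a list of the numbers most likely to have generated an internal "did you get a strange call from HR?" email.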
If you end up in a situation where you have to talk to a substantial number of people for a vishing engagement, follow these simple rules and you'll have a more efficient and successful assessment:
- Develop more than one pretext, in case you end up calling people who sit close to one another and compare notes
- Build a team with a designated leader, callers and tech workers
- Use a chat room to communicate
- Don’t spend too much time with one person
Don't get discouraged! Having to talk to a higher number of people requires a lot of time and effort, but as long as you do your due diligence and prep work, you'll end up tired but successful.