While “vishing” is by no means a new threat, it's not something that has ever happened with sufficient frequency to get most people's attention. So, if you haven't heard the term before, you're not alone.
“Vishing” is short for voicemail phishing, and it is apparently on the rise based on data collected by the security firm Zscaler. Attackers are specifically targeting tech firms and US military installations.
No actual voice mails are involved, which is interesting. What the attackers do is send emails with links that supposedly point the way to voicemail messages stored on LinkedIn, WhatsApp, or other services. The idea behind the attacks are is to trick an unsuspecting recipient into disclosing his or her Outlook or Office 365 credentials.
To make their credential capture page more convincing, the attackers have even taken to deploying a CAPTCHA system, which makes the page look just annoying enough to be legitimate.
A spokesman for Zscaler had this to say about the company's recent discovery of the surge in vishing attacks:
“Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments. This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users' credentials.”
The folks at Zscaler have a point. If your employees haven't been made aware that this kind of attack is not only possible but growing in popularity in certain sectors, make sure they know what to be on the lookout for. Kudos to the sharp-eyed folks at Zscaler for spotting the trend.
We may not be able to keep hackers from making the attempt. However, if we can warn enough people about the tricks they're using, we can frustrate their efforts and that's a good start.