Threat Actors Get Real-Time Access to Attacks via Voice Phishing Kits

Researchers

In order to assist threat actors in launching advanced voice phishing (vishing) assaults that circumvent multifactor authentication, a number of phishing kits have surfaced.   “The most important of these features are client-side scripts, which give threat actors the ability to deliver vocal instructions or react to verbal feedback from the targeted user while simultaneously controlling the authentication flow in the targeted user's browser in real-time.”   “The plausibility needed to persuade the threat actor's target to accept push notifications, provide one-time passcodes (OTP), or take other steps the threat actor needs to get over MFA protections is provided by this real-time session orchestration.”

 

Attackers can lead the victim through the attack flow using the phishing kits, which goes like this:

●     By doing reconnaissance on a target, the threat actor discovers user identities, frequently used apps, and phone numbers from IT support calls.

●     The threat actor impersonates the company's phone number or help hotline and launches a personalized phishing site in real time, calling the targeted users.

●     Under the guise of an IT support or security requirement, the threat actor persuades the targeted user to visit the phishing website in their browser.

●     After the targeted user inputs their username and password, the threat actor's Telegram channel is automatically accessed.

●     After entering the targeted user's login and password into the genuine sign-in page, the threat actor evaluates the MFA challenges that are displayed to them.

●     In order to support their verbal request that the user provide an OTP, accept a push notification, or complete other MFA tasks, the threat actor continuously adds new pages to the phishing website.

How does it work?

a)    You can quickly understand why we are seeing an increase in voice-based social engineering if you take control of one of these tools.

b)    When a targeted user interacts with credential phishing pages, an attacker on the phone with that user can manipulate the authentication flow.

c)    They have the ability to precisely match the directions they are giving on the call with the pages the target sees in their browser.

d)    Any type of MFA that is not phishing-resistant can be defeated by the threat actor using this synchronization.

 

Note: To get a stress-free working environment, you can go for a specially designed tool, “PhishNext,” which provides specialized simulations of phishing attacks so that users can get used to such attacks and never become victims of such attacks.

Continue Reading

1. AI and Vishing Social Engineering Risks Aiming Businesses
2. Time Pressure is the Biggest Email Red Flag: Why?
3. Top 10 Impactful Ways to Enhance Cybersecurity Awareness with Behavioural Insights
4. Shipping-Themed Phishing Attacks Aiming at Middle East and Africa
5. Phishing, Vishing, and MFA Attacks Target Enterprise Identity Systems
6. Most Cmmon Passwords used in the Whole Year: Report
7. Human Risk Management and Security Awareness Training