Detailed attack pattern

Stable

CAPEC-656: Voice Phishing

Also known as: Vishing, VoIP Phishing

An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a voice call, rather than email. The user is enticed to provide sensitive information by the adversary, who masquerades as a legitimate employee of the alleged organization. Voice Phishing attacks deviate from standard Phishing attacks, in that a user doesn't typically interact with a compromised website to provide sensitive information and instead provides this information verbally. Voice Phishing attacks can also be initiated by either the adversary in the form of a "cold call" or by the victim if calling an illegitimate telephone number.

High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Obtain domain name and certificate to spoof legitimate site] This optional step can be used to help the adversary impersonate the legitimate organization more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. If the adversary leverages cold-calling for this attack, this step is skipped.
- Optionally obtain a domain name that visually looks similar to the legitimate organization's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
- Optionally obtain a legitimate SSL certificate for the new domain name.
Step 2
Explore
[Explore legitimate website and create duplicate] An adversary optionally creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the organization's website that they are trying to impersonate. That website will contain a telephone number for the victim to call to assist them with their issue and initiate the attack. If the adversary leverages cold-calling for this attack, this step is skipped.
- Use spidering software to get copy of web pages on legitimate site.
- Manually save copies of required web pages from legitimate site.
- Create new web pages that have the legitimate site's look and feel, but contain completely new content.
Step 3
Exploit
[Convince user to provide sensitive information to the adversary.] An adversary "cold calls" the victim or receives a call from the victim via the malicious site and provides a call-to-action, in order to persuade the user into providing sensitive details to the adversary (e.g. login credentials, bank account information, etc.). The key is to get the victim to believe that the individual they are talking to is from a legitimate entity with which the victim does business and that the call is occurring for legitimate reasons. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.
- Call the user a from a spoofed legitimate-looking telephone number.
Step 4
Exploit
[Use stolen information] Once the adversary obtains the sensitive information, this information can be leveraged to log into the victim's bank account and transfer money to an account of their choice, or to make fraudulent purchases with stolen credit card information.
- Login to the legitimate site using another the victim's supplied credentials

What the attacker needs

Prerequisites

An adversary needs phone numbers to initiate contact with the victim, in addition to a legitimate-looking telephone number to call the victim from.
An adversary needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.
An adversary needs to have a sufficiently compelling call to action to prompt the user to take action.
If passively conducting this attack via a spoofed website, replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.

Skills required

Medium skill: Basic knowledge about websites: obtaining them, designing and implementing them, etc.

Resources required

Legitimate-looking telephone number(s) to initiate calls with victims

How to mitigate it

Defenses that reduce the risk of CAPEC-656.

Do not accept calls from unknown numbers or from numbers that may be flagged as spam. Also, do not call numbers that appear on-screen after being unexpectedly redirected to potentially malicious websites. In either case, do not provide sensitive information over voice calls that are not legitimately initiated. Instead, call your Bank, PayPal, eBay, etc., via the number on their public-facing website and inquire about the problem.

How to detect it

Indicators that this attack may be underway.

You receive a call from an entity that you are not even a customer of prompting you to log into your account.
You receive any call that requests you provide sensitive information.
You are redirected to a website that instructs you to call the number on-screen to address the call-to-action.

Examples

The target receives an email or text message stating that their Apple ID has been disabled due to suspicious activity and that the included link includes instructions on how to unlock their Apple account. The link in the text message looks legitimate and once the link is clicked, the user is redirected to a legitimate-looking webpage that prompts the user to call a specified number to initiate the unlock process. The target initiates the phone call and provides their credentials or other sensitive information to the individual they assume works for Apple. Now that the adversary possess this data, it can be used to log into the account to obtain other sensitive data, such as Apple Pay information.

An adversary calls the target and claims to work for their bank. The adversary informs the target that their bank account has been frozen, due to potential fraudulent spending, and requires authentication in order to re-enable the account. The target, believing the caller is a legitimate bank employee, provides their bank account login credentials to confirm they are the authorized owner of the account. The adversary then confirms this authentication and claims that the account has been unlocked. Once the adversary has obtained these credentials, money can be transferred from the victim's account to an account controlled by the adversary.

Frequently asked questions

Common questions about CAPEC-656.

What is CAPEC-656?

How does a Voice Phishing attack work?

It typically unfolds over 4 phases. It begins with: [Obtain domain name and certificate to spoof legitimate site] This optional step can be used to help the adversary impersonate the legitimate organization more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. If the adversary leverages cold-calling for this attack, this step is skipped.

How do you prevent CAPEC-656?

Do not accept calls from unknown numbers or from numbers that may be flagged as spam. Also, do not call numbers that appear on-screen after being unexpectedly redirected to potentially malicious websites. In either case, do not provide sensitive information over voice calls that are not legitimately initiated. Instead, call your Bank, PayPal, eBay, etc., via the number on their public-facing website and inquire about the problem.

How severe is CAPEC-656?

MITRE rates CAPEC-656 as High severity with high likelihood of attack.

CAPEC-656: Voice Phishing

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Terminology & mappings

Alternate terms

Frequently asked questions

What is CAPEC-656?

How does a Voice Phishing attack work?

How do you prevent CAPEC-656?

How severe is CAPEC-656?

References

Defend against CAPEC-656

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related attack patterns

Parent

Terminology & mappings

Alternate terms

Frequently asked questions

What is CAPEC-656?

How does a Voice Phishing attack work?

How do you prevent CAPEC-656?

How severe is CAPEC-656?

References

Defend against CAPEC-656