When we think about a security assessment of any kind for a client, we typically think of our goals as a pentester, as an attacker. Credentials, access, code execution, etc. However, any assessment should be oriented around the client's needs. Do they want to ensure their network design is sound? Do they want to provide baseline training on malicious emails to their employees? Do they want to test their defense-in-depth with an attack originating with a phone call? Or do they want to test for compliance with standards or policies?
When working on a voice phishing engagement with clients in the financial industry, I usually see them set one of two very common goals. The first is some form of information disclosure, such as the public IP address for a branch; the other is retrieving the account balances of their customers.
Information Disclosure
As I mentioned, in this first scenario, it's usually something small like a public IP address. There are a few ways to go about this. Sometimes a client will specify an entity for you to pose as, other times you can pick. I like having the flexibility to pick. Getting someone to tell you a public IP might come off as a little odd without the right context. It's not something the average bank teller or credit union employee usually has to even think about.
Typically, there will be a few entities to impersonate:
- The client's IT team
- The fintech/core provider (Fiserv, FIS, Jack Henry)
- Another tech related provider such as Network Solutions or Level 3 Communications
If you choose the client's IT team, you're again presented with choices. Do you want to impersonate an actual employee, or make one up? There are pros and cons to both. Impersonating a legitimate employee may lead to you being burned: what if the person on the other end of the line knows that specific employee very well? If you make one up, you run the risk of someone looking you up in a directory and being burned. Or, you may call someone who knows everyone on the IT team. Whichever you choose, there are a number of ruses you could present. One of my go-to stories is: "I broke something which caused the branch to fail over to a backup connection, which is slower, and I think I have it fixed, but I need to make sure." During this elaboration phase it can help to throw around a lot of jargon even if it doesn't quite make sense. Some people get confused and just want IT out of their hair. From there, I ask them to go to Google, search "my IP", click the first link, and read the string of numbers it shows.
Choosing their core provider is a decent choice; I've had client contacts tell me that a tech from their core provider calls quite frequently. Finding out who the provider is can be as simple as going to the client's primary website, since sometimes it is listed right on the homepage. Other times you may need to do additional enumeration. Using another tech-related provider can be a gamble; you'll never know how the employee on the phone is going to react. Figuring out what providers the organization uses is an easier matter: you can look at the registrar of the domain, or look for any providers listed on the site. If you have any IPs, you can check the ISP. Don't be afraid to get creative with it.
Customer Information
This is one I've seen banks request a lot. There are typically two types of clients when it comes to this scenario: banks that want a clean report, and banks with a team that cares. Banks that want a clean report will typically give you a list of elderly customers that visit in-person regularly. The employees know these customers well and will immediately know that you're lying about your identity. On the other hand, you may get a list of random customers, or be given the option to enumerate a list of clients.
When given a list, the client will typically provide a full name, date of birth, and address. This is all readily available information for most individuals under the age of 90, so they want to see if their employees adhere to the policy of requiring additional information for verification. This could be an account number, security question, card number, recent transaction, code word, social security number, or a mixture. Typically, a call goes like this:
Teller: Hi, how can I help you?
Me: I'd like to check my account balance please.
Teller: Sure thing! What's the account number?
Me: I'm sorry, I don't remember it, I didn't think I'd need to have it memorized.
Teller: That's okay. Who am I speaking with?
Me: John Doe
Teller: Alright John, can you give me your address and date of birth?
Me: Yeah, it's ___
Teller: Excellent, thank you. For security, I need a little more information. *Insert additional info prompt*
From here, there are several different strategies, dependent on what they ask for. I'll cover a couple. If the teller asks for a social security number, I'll tell them that I'm in a public place and don't feel comfortable providing that information. Another go-to of mine is to say that I had some kind of hack a while back, so I don't tell that to anyone anymore unless it's face to face. The goal here is to get the teller to move to a different verification method. I'll usually take control at this point and say that I can tell them some purchases I've made or deposits to the account. This is going to rely on timing and the profiling you did on the customer. Sometimes you can find a purchase like movie tickets by looking at their social media; a lot of people still leave their social media wide open. Here are a couple of other approaches:
- Around the first of the month? "I just paid the mortgage."
- Is it a Monday or a Friday? "I just filled up on gas."
This has enough detail but is also vague enough to work. Often, the teller will respond with something like "Is it the charge for $40 at Shell?" and you can just say yes at that point. If they ask you for a specific amount, this is where prior profiling can be handy. Does the customer have a picture of their vehicle anywhere online? Can you look up their property taxes and see vehicles registered? You can make an estimate based on the vehicle they drive. Currently, if they drive a mid-sized sedan and use regular gas, you could assume they spend around $25. So tell them: "I usually spend about $25 to fill up, it might be a little more, I may have gotten a coffee." If they press for a specific gas station, again, your preparation may determine your success. If you've identified their employer and their home address, you can look at nearby gas stations; if there is a chain with a location near both their home and work, that's probably a safe bet.
Wrapping Up For Now
We've covered a lot of ground, and as such, the rest of this is being ported to a part 2. Check back soon! You can also subscribe and be notified as soon as part two is live, it's free!