Criminals are using a combination of server exploitation, email, and voice calls to execute voice phishing attacks, often referred to as vishing.
In a session at the RSA Conference in San Francisco, John LaCour, founder and CTO at PhishLabs, and Davey Ware, Special Agent at the FBI, detailed the mechanics of how vishing attacks work to defraud victims of money, as well as how one group of criminals was found.
"Vishing attacks are phishing attacks that use the telephone network," LaCour said.
He explained that in vishing attacks the lure is delivered in one of several ways, including an email message with a call-back number, SMS via a telephone provider, and robocalls from an interactive voice response system (IVR). According to data cited by LaCour, over a one-year period more than 50% of vishing attacks targeted small banks and credit unions.
Vishing attacks occur in stages, which include compromising a Windows server with some form of Remote Desktop Protocol (RDP) backdoor to gain access. Attackers also compromise IVR systems and then create fake email accounts.
The FBI Investigation
The FBI is aware of vishing attacks and has been actively involved in tracking down criminals. Ware detailed one such investigation involving three vishing hackers from Romania who had exploited a small bank in South Carolina.
By going through the logs of the impacted bank, the FBI identified a number of clues, including IP addresses from RDP sessions. With some basic internet searching, Ware said, the FBI was able to make a link to a Facebook account and then, via legal processes, was able to get additional information on the criminals.
The FBI then found further evidence in Facebook chats that tied three Romanian individuals to the vishing attack. Over a two-year period, Ware said, the FBI collected enough evidence that they felt they could go to the next step, connecting with law enforcement in Romania.
Arresting the Vishers
Romanian law enforcement, working with the FBI, raided the homes of all three suspects at the same time in 2014. Ware noted that one of the criminals threw his laptop and power cord out the window as soon as police showed up. Luckily, the laptop landed in the snow and all of the data was still on it.
At the time of the raid, Ware noted, there was an active RDP session open on the laptop, with a text file including credit card numbers.
"They were literally doing the scheme when the search warrant was served," he said.
While the raids were conducted in 2014, the legal process takes time. All three of the suspects were indicted in 2017, extradited to the US in 2018, and, after pleading guilty, sentenced in 2019 to jail terms of approximately 8 years.
"Why we're talking about this case now is because it has been fully adjudicated, so we can talk about it," Ware said. "We want to present this because attackers are still using the same tactics now."