The attacks used fake order receipts and fake phone numbers to attempt to steal credit card details from unsuspecting victims, Armorblox says.
A standard phishing campaign uses email to try to trick people into disclosing confidential information. But attackers are increasingly using a variation of this ploy known as vishing, short for voice phishing. In a vishing attack, the scammer always masquerades as someone from a trusted company, but uses a phone call as the weapon of choice.
In some cases, the attacker calls or leaves a voicemail message for the targeted victim. In other cases, the criminal sends an email with a contact phone number urging the recipient to call that number. Whichever method is used, the attacker relies on savvy social engineering tactics to convince the person to provide financial or account information during the phone call.
In one report published Thursday, cybersecurity firm Armorblox examined two recent vishing campaigns that spoofed Amazon in order to capture credit card details.
In the first campaign, an email sent from a Gmail account used the subject line “Invoice: ID” followed by a long and apparently legitimate invoice number. The email spoofed the look and layout of an actual Amazon message and referred to an LG OLED TV and XBOX console allegedly purchased by the recipient.
The real threat in the email was a “Contact Us” phone number in the body of the message. When Armorblox researchers called this number, a real person answered the call, pretending to be from Amazon. This person asked for an order number, name, and credit card details before getting wise and hanging up.
In the second campaign, an email was sent using an address of [email protected], which at first glance looks like a real Amazon address. Entitled “A shipment with goods is being delivered”, the message included a random order number to make it appear more legitimate.
As with the first email, this one included a phone number, asking people to call if they wanted to return the items in question. In this case, the Armorblox researchers who called the number encountered endless ringing and ultimately no response, indicating that the number had been taken down. However, attackers could easily set up another number to restart the campaign.
Both emails received a Spam Confidence Level (SCL) of ‘1’ from Microsoft Exchange Online Protection (EOP), which meant that the messages were not classified as spam and were delivered to the inboxes of the intended recipients.
How to protect yourself
To help your organization fend off attacks and other threats, Armorblox gives you four tips.
- Complement your native email security with additional protection. The two emails cited in the report were delivered after Microsoft’s EOP determined that they were not spam. To avoid this type of situation, add more layers on top of your native security, especially layers that use a different approach to detecting threats. Armorblox recommends Gartner’s Market Guide to Email Security as a useful starting point for evaluating different products.
- Look for social engineering signals. Rather than accepting an email at face value, take a more methodical look at it. Inspect the sender’s display name, the sender’s email address and the language of the message. Look for clear inconsistencies that raise questions such as “Why is Amazon emailing my work account?” or “Why aren’t the call-to-action buttons in the email working?”
- Avoid sharing sensitive information over the phone. Beware of anyone who requests personal or sensitive details during a phone call. If you think the call may be a vishing attempt, just hang up. If you think you need to call back, do not use a phone number listed in the message. Instead, look up a publicly available number for the business.
- Follow best practices for multi-factor authentication (MFA) and password management. Vishing attacks often attempt to recover your account credentials as well as your financial information. Protect your organization’s user accounts using the following methods: 1) Implement multi-factor authentication on all accounts and for all sites. 2) Do not use the same password on multiple accounts. 3) Use a password manager to store your passwords. 4) Avoid using passwords that refer to publicly available details such as your date of birth or birthday. 5) Do not use generic passwords such as “password”, “123456” or “qwerty”.
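The signals in the second tip (brand name in the display name but a sender domain the brand does not own, and a phone number the body urges you to call) and the SCL header mentioned earlier can be checked mechanically before a message reaches a human. The following script is an added example written for this article, not code from Armorblox or the report; the two messages are constructed samples modelled on the campaigns described above, the brand-to-domain map is an assumed allowlist a defender would maintain, and the phone-number pattern only covers North American formats.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the first campaign described in the article
# (Gmail sender, spoofed Amazon branding, "Contact Us" number). Not a real capture.
SAMPLE_VISHING_EML = """\
From: "Amazon.com" <order-confirmations@gmail.com>
To: employee@example-corp.test
Subject: Invoice: ID 114-0000000-0000000
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain; charset="utf-8"

Thank you for your order: LG OLED TV, XBOX console.
If you did not authorise this purchase, Contact Us: +1 (555) 010-0199
"""

# Constructed benign internal message used as a control.
SAMPLE_BENIGN_EML = """\
From: "Pat Example" <pat@example-corp.test>
To: employee@example-corp.test
Subject: lunch tomorrow?
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain; charset="utf-8"

Still on for noon?
"""

# Assumption: the defender maintains this map of brand keyword -> domains the brand really sends from.
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk")}

# North American phone-number shapes only; extend for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CALL_TO_ACTION_RE = re.compile(r"\b(call|contact us|phone)\b", re.IGNORECASE)


def _domain_owned_by(domain, allowed):
    """True if `domain` is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze(raw_eml):
    """Return a dict describing the vishing signals found in one RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    findings = []

    # Signal 1: a brand name in the display name, but the address is not a brand-owned domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not _domain_owned_by(sender_domain, domains):
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # Signal 2: the body pushes the reader to a phone number (the actual payload of a vishing mail).
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    phones = [p.strip() for p in PHONE_RE.findall(body)]
    if phones and CALL_TO_ACTION_RE.search(body):
        findings.append(f"call-to-action phone number(s) in body: {', '.join(phones)}")

    # Context: EOP's verdict. A low SCL only means the gateway did not call it spam;
    # it is recorded so an analyst can see why the mail reached the inbox.
    scl_header = msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(str(scl_header)) if scl_header is not None else None

    return {
        "sender": address,
        "scl": scl,
        "phones": phones,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    for sample in (SAMPLE_VISHING_EML, SAMPLE_BENIGN_EML):
        print(analyze(sample))
```

Run against the first sample, the script reports two findings and a verdict of “suspicious” even though the SCL is 1; against the benign control it reports nothing. The point of recording the SCL alongside the findings is the one Armorblox makes in its first tip: a gateway verdict of “not spam” is not evidence that a message is safe, so a second, differently reasoned layer should see the mail too.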