When authorities in the United States and the United Kingdom arrested three young hackers for the major Twitter hack, many believed the case was closed. However, it appears that the phishing technique that allowed the hackers to take control of the accounts of Joe Biden, Jeff Bezos, Elon Musk and dozens of other celebrities is still being used against many other companies.
In mid-July, Twitter revealed that the hackers had used a technique called "phone spear phishing", which allowed them to target the accounts of 130 people, including CEOs, celebrities and politicians. According to Twitter, the hackers called Twitter employees and, using fake identities, tricked them into handing over their credentials, gaining access to an in-house tool that allowed them to reset the passwords and two-factor authentication settings of the targeted accounts.
However, Twitter is not the only target of "phone spear phishing", otherwise known as "vishing" or "voice phishing". The technique is essentially a form of social engineering. Since last month, dozens of companies, including banks, exchange services and web hosting companies, have been targeted with the same technique. As in the Twitter hack, employees of these companies received phone calls from hackers posing as IT staff, who asked for passwords to internal tools. The attackers then sold this access to others, who used it to target high-profile users. The main goal was the theft of cryptocurrencies.
"Simultaneously with the Twitter hack and in the days that followed, we saw a huge increase in this type of phishing in many different industries," says Allison Nixon, a security researcher at Unit 221b.
As in the Twitter hack, the perpetrators seem to be young, English-speaking hackers organised in forums such as the website OGUsers.com and on the chat service Discord, says researcher Zack Allen. The researcher says he is shocked by the research the hackers carry out and by the care they take to find inexperienced employees, which gives them a better chance of success.
"I've never seen anything like it before, nothing so targeted," says Allen. He warns that the hackers' tactics have been so effective that it is only a matter of time before ransomware groups and government hackers adopt them. The most worrying thing is that the attacks are carried out not by professionals but by teenagers.
"Phone spear phishing" is a relatively new practice for hackers. Until recently, phone-based attacks focused mainly on "SIM swap" attacks, which exploit telecommunications companies.
With the increase in remote work, phone-based social engineering has become more powerful.
The same hackers who honed their skills against telecommunications companies have found other industries that are less well prepared for their tricks, the researchers say.
Despite the young age of the hackers, Nixon says the ongoing attacks seem to be well coordinated and that many hackers are involved. In addition, the perpetrators hire independent hackers who offer specialised voice-fraud services; the forums carry ads seeking people with these skills.
In most cases, the hackers use a VoIP service, which allows them to hide their phone number. They try to win the victim's trust by citing seemingly private details, such as the victim's role in the company or the names of colleagues. Once the victim is convinced, they ask him to go to a fake login page and enter his credentials.
Another member of the hacking team immediately receives these credentials and enters them on the real login page. The real page then prompts for the two-factor code. The victim types that code into the fake website, the hacker copies it to the real page, and in this way gains access to the victim's account. The fake site is taken down immediately after the victim's credentials are stolen. Removing the site, combined with the phone-based approach, leaves almost no trace of the attack, which makes it harder to detect. Employees almost never realise they are talking to a scammer; it is not like a phishing email, which can be spotted.
Companies should train employees to recognise suspicious phone calls, or use FIDO tokens such as YubiKeys for two-factor authentication. These USB dongles must be plugged into the USB port of any new machine from which a user wants to access their accounts. Nixon also recommends security systems that require a specific software certificate on the user's machine before remote accounts can be reached, locking everyone else out.
Therefore, great care is needed, because if this technique is adopted by experienced or government hackers, the problems will be even greater.
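The relay described above is exactly what FIDO tokens defeat: the token signs over the web origin the browser is actually on, instead of producing a bare code that a user can be talked into retyping on a lookalike page. The following toy model is added here to show the contrast and is not code from the article or from any token vendor. A shared-secret code is accepted by the real site when it is forwarded unchanged from a fake page, while a FIDO-style assertion produced on that fake page is rejected because the signed origin does not match. The origins, the shared secret and the HMAC that stands in for the token's public-key signature are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Placeholder origins (constructed for this example).
REAL_ORIGIN = "https://login.example.com"
FAKE_ORIGIN = "https://login-example.com"   # lookalike page used in the relay


# --- Shared-secret second factor (OTP): a bare string, so it can be relayed ---
def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code: HMAC over a counter, truncated (simplified)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def server_checks_otp(secret: bytes, counter: int, submitted: str) -> bool:
    """The real site only sees a code; it cannot tell where the user typed it."""
    return hmac.compare_digest(otp_code(secret, counter), submitted)


# --- FIDO/WebAuthn-style assertion: the signature covers the origin ---
class Authenticator:
    """Stand-in for a hardware token. HMAC replaces the public-key signature
    a real token would produce; the origin-binding logic is what matters."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # constructed credential key

    def sign(self, origin: str, challenge: bytes) -> dict:
        # The browser, not the user, supplies the origin it is really on,
        # mirroring clientDataJSON.origin in WebAuthn.
        client_data = f"{origin}|{challenge.hex()}".encode()
        sig = hmac.new(self.key, client_data, hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}


def server_checks_assertion(key: bytes, expected_origin: str,
                            challenge: bytes, assertion: dict) -> bool:
    """Relying party: reject if the signed origin or challenge differ."""
    expected = f"{expected_origin}|{challenge.hex()}".encode()
    if not hmac.compare_digest(assertion["client_data"], expected):
        return False  # signed over the wrong origin: came from a fake page
    expected_sig = hmac.new(key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


# --- Scenarios -------------------------------------------------------------
def otp_relay_succeeds() -> bool:
    """Victim types the OTP on the fake page; the code is forwarded unchanged."""
    secret, counter = b"constructed-shared-secret", 7
    code_typed_on_fake_page = otp_code(secret, counter)
    forwarded_to_real_site = code_typed_on_fake_page
    return server_checks_otp(secret, counter, forwarded_to_real_site)


def fido_relay_succeeds() -> bool:
    """Same relay, but the token signs over the origin the browser is on."""
    token = Authenticator()
    challenge = secrets.token_bytes(16)  # issued by the real site to the session
    assertion_from_fake_page = token.sign(FAKE_ORIGIN, challenge)
    return server_checks_assertion(token.key, REAL_ORIGIN, challenge,
                                   assertion_from_fake_page)


def fido_genuine_login_succeeds() -> bool:
    """Control: the same token used on the real origin passes."""
    token = Authenticator()
    challenge = secrets.token_bytes(16)
    return server_checks_assertion(token.key, REAL_ORIGIN, challenge,
                                   token.sign(REAL_ORIGIN, challenge))


if __name__ == "__main__":
    print("OTP relayed from fake page accepted:", otp_relay_succeeds())             # True
    print("FIDO assertion relayed from fake page accepted:", fido_relay_succeeds())  # False
    print("FIDO genuine login accepted:", fido_genuine_login_succeeds())            # True
```

The point of the model is that the defence does not rely on the employee noticing anything: the browser supplies the origin, so even a perfectly convincing caller cannot get a usable assertion out of a lookalike page. A real deployment gets the same property from WebAuthn's origin and rpId checks rather than from this HMAC stand-in.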