Criminals are targeting people in US military and tech organizations with so-called “vishing”, where supposed links to voicemail dupe victims into revealing credentials for Microsoft Office 365 software and Outlook email accounts.
Vishing isn’t a new threat: the FBI raised an alarm about it in mid-2020, but Interpol spotlighted it this week as a growing threat when announcing the arrests of 2,000 people accused of online fraud, including the lucrative category of business email compromise (BEC).
According to US security firm Zscaler, there has been a resurgence in vishing since May that’s targeting employees in software security, US military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain.
“The goal of the threat actor is to steal credentials of Office365 and Outlook accounts,” says Zscaler’s Sudeep Singh.
Attackers are sending emails with voicemail notifications that advise recipients of a missed voicemail and prompt them to open an attachment from the web.
Many people don’t check voicemail, but voice messages on WhatsApp and LinkedIn have been a thing for several years, so it can be an effective way to trick users into clicking a link in an email.
Of course, there is no actual voicemail after clicking the link, which instead leads the target to a credential phishing web page hosted on servers located in Japan.
The attack even uses a CAPTCHA as part of the ruse. The same technique was used in a campaign Zscaler observed in 2020.
While solving a CAPTCHA test usually leads to a site the user intended to visit, this one leads to the phishing page.
“Once the user solves the Captcha successfully, they will be redirected to the final credential phishing page which attempts to steal the Office 365 credentials of the user,” notes Singh.
Voicemail phishing works because victims still tend to click on email attachments.
“Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments. This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users’ credentials,” says Singh.