Vishing, SMShing, War-Dialing/Phreaking
Very similar to how a phishing email works, SMShing will focus on text messages and attacks against staff mobile phones. These can be generic messages or highly focused ‘spears’ akin to Spear Phishing Emails. User statistics such as click through rates of enclosed links, browser & device information are obtained and reported on.
SMShing is a commonly used attack vector in the wild yet few businesses adopt assessments into their testing habits. Choosing to defy this trend, your business could benefit from the foresight in testing staff.
- Bulk SMS messages can be sent, covering 1 member of staff to a million.
- Custom sender ID, we can mask the sender with a custom name.
- Full data analytics, every text message traced, Every click and time saved.
- Guide users to reply with information, click a link or even navigate to a custom login portal that will harvest credentials – right from their mobile phone in seconds.
- Secure data, Your staff data is in good hands every step of the way. We work directly with the nation’s safest SMS service centres.
– Take a look at how we are working to reduce these frauds in our blog Project ‘Sender ID’
– Read more about how we introduced SMShing campaigns to the UK Information Security market here.
We helped Natwest and the Royal Bank of Scotland explain to their customers about Vishing:
With the added layer of reassurance that comes from talking to a real person, an employee is more likely to comply with the demands of an attacker. Telephone attacks or ‘Vishing’ can be combined with other methods to really engage the employee in a well-constructed pretext.
Bill is our ‘mark’, he checks in on Facebook at a Chinese restaurant for lunch with a public privacy setting… A call is placed to his P.A.
Consultant – “Excuse me, has Bill set off for lunch yet? We are supposed to be meeting at the Jade Garden restaurant? I was meant to be eating with him 5 minutes ago, the number I have for him is wrong and can’t get hold of him”
P.A – “One moment I will get you his mobile number”
This seemingly harmless piece of information could reveal other social media accounts for Bill. It could enable an attacker to pass an additional security question with Bill’s bank, It could reveal his mobile network operator. Social engineering attacks chip away at an organisation gathering information and use this information at a later date.
The AntiSocial Engineer Limited will guide you through these assessments and work with every client on an individual basis to ensure a bespoke package is constructed. You will be able to test the effectiveness of staff training and assess the kind of information that is obtainable over the phone. These assessments prove to be quite useful when used in conjunction with other kinds of social engineering assessments such as physical penetration testing.
Large companies often use blocks of phone numbers. By revealing 0300 111111 and 0300 111130 for example, we can start to look at the numbers in-between. Normally fax machines are revealed and also the telephone numbers for different departments. Using tools designed for this purpose, we can record and analyse the response to our calls – including human responses into further Vishing campaigns.
Make contact today to discuss any of these options.
Further reading can be found in our informational PDF