Learn about vishing with a real-world example

The following content was provided by Jack Rhysider from the Darknet Diaries podcast.

Who is Christopher Hadnagy?

In order to learn about vishing, we're going to analyze a real phone call made by a professional social engineer named Christopher Hadnagy. Christopher is the founder and CEO of Social-Engineer LLC. He holds the title of "Chief Human Hacker", and rightfully so. Social-Engineer offers security awareness training and penetration testing.

Penetration testing is an occupation where companies pay you to find their security-related weaknesses. The areas audited may include network security, web application security, phishing awareness, and the physical security of buildings.

First, some context

In a one-hour interview with Christopher Hadnagy by Jack Rhysider in an episode of Darknet Diaries, we get rare insight into a real vishing phone call. This clip gives the background needed to understand the phone call that follows. Take a listen.

Clip from Darknet Diaries Ep. 69: Human Hacker, "When You Can't Breach the Network, Hack the Humans" (Source)

Stealing credentials

Christopher began his phishing awareness program for one of his clients by sending phishing emails to all of the client's employees. This amounted to over 1000 emails being sent out, each claiming to be a company-sponsored iPhone giveaway.

"From this e-mail alone, Chris got 750 people to click the link and then go to his website and enter in their work username and password." - Jack Rhysider

Making employees willingly install malware

As stunning as this is, it wasn't the end. Part of Christopher's goal in this engagement was to get access to the client's internal network. This means that Christopher needed remote access to a computer connected to the company's network.

He accomplished this by calling employees who had clicked the phishing email, pretending to be a member of the client's IT department, and offering them "computer cleaning" software to install.

Clip from Darknet Diaries Ep. 69: Human Hacker, "When You Can't Breach the Network, Hack the Humans" (Source)

How to protect against vishing

  1. Verify the caller. Christopher called the employees claiming to be someone within their IT department, and used that position of trust to get malware installed. The employees could have verified they were speaking with the right person by checking their internal directory, which contains accurate contact information. If you ever receive an urgent call from a company you trust, it is safer to hang up and call the phone number listed on their website yourself.

  2. Don't install unknown software. The victim of this phone call was told to install "PC cleaning" software from ftp://update-****.com . This URL is not associated with their company website in any way. After opening it in a browser, they are greeted with an executable file to download and run. This should be a dead giveaway. Never download software from untrusted sources, especially when told to do so over the phone, by email, by text message, or similar. In most cases, those responsible for a company's technology have the means to perform maintenance tasks remotely.
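The "not associated with the company website" check above can be made precise. The following is an added example (not code from the page, the podcast, or Social-Engineer LLC) showing how a defender might triage a link received by phone or email: it requires HTTPS and checks that the host sits under a trusted company domain on a label boundary. The trusted domain example-corp.com and the sample URLs are constructed for illustration and are not taken from the real engagement; the "update-" prefix case mirrors the look-alike pattern the page describes.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical company (example-corp.com is not
# a real client domain); in practice this would come from internal policy.
TRUSTED_DOMAINS = {"example-corp.com"}
ALLOWED_SCHEMES = {"https"}


def host_in_trusted_domain(host, trusted):
    """True only if host equals a trusted domain or is a subdomain of one.

    Matching on label boundaries avoids two common mistakes:
    - substring matching, which would accept "example-corp.com.evil.net"
    - prefix matching, which would accept "update-example-corp.com"
    """
    host = host.lower().rstrip(".")
    for domain in trusted:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_link(url, trusted=TRUSTED_DOMAINS, schemes=ALLOWED_SCHEMES):
    """Return (is_trusted, reason) for a URL read out over the phone or pasted from an email."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in schemes:
        # ftp://, http:// and friends are rejected outright: software downloads
        # from a plaintext or file-transfer scheme are a red flag on their own.
        return False, "scheme '%s' is not allowed (expected one of %s)" % (scheme, sorted(schemes))
    if "@" in parts.netloc:
        # "https://example-corp.com@evil.net/" shows a trusted name but
        # connects to evil.net; treat any userinfo as suspicious.
        return False, "userinfo in URL can disguise the real host"
    host = parts.hostname or ""
    if not host:
        return False, "no hostname in URL"
    if not host_in_trusted_domain(host, trusted):
        return False, "host '%s' is not under a trusted company domain" % host
    return True, "host '%s' is under a trusted company domain" % host


def triage(urls):
    """Classify a batch of links; returns a list of (url, is_trusted, reason)."""
    return [(u,) + classify_link(u) for u in urls]


if __name__ == "__main__":
    # Constructed sample links, modelled on the look-alike pattern in the story.
    samples = [
        "ftp://update-example-corp.com/cleaner.exe",
        "https://update-example-corp.com/cleaner.exe",
        "https://example-corp.com.evil.net/login",
        "https://example-corp.com@evil.net/",
        "https://intranet.example-corp.com/helpdesk",
        "https://example-corp.com/",
    ]
    for url, ok, reason in triage(samples):
        print("TRUSTED  " if ok else "SUSPECT  ", url, "->", reason)
```

Note that a URL passing this check only means the host belongs to the company; it says nothing about whether the caller who supplied it is genuine, which is why the first rule (verify the caller through the internal directory) still applies.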

Test your new skills with this short quiz.