Learn what vishing is and how to avoid it. (photo: Infotechnology.com)

Currently, cybercriminals use bots as a tool to carry out phone scams, commonly known as ‘vishing’. Voice bots help convince unsuspecting users that the call is legitimate, and they are used to obtain a one-time password (OTP) or verification code, the second factor of two-step authentication.

With that code, cybercriminals gain access to user accounts on services such as PayPal, Amazon, Coinbase or banks, among others.

What is vishing?

The word vishing is derived from a combination of ‘voice’ and ‘phishing’: it covers phishing attacks carried out by voice, whether robotic or human. Attackers contact victims through phone calls, for example posing as a company’s call center, or by leaving voicemail messages. Among the pretexts favored by criminals are supposed financial problems, security issues with the victim’s computer or mobile device, or impersonating a relative or acquaintance.

To understand what vishing looks like, imagine that after a long day at work you receive the following voice message on your mobile phone: “Hello, my name is José Torres and I work for the company in charge of securing your computer. We will stop providing our services next week and will reimburse you $500. Call this number Monday through Friday during business hours.”

This example illustrates what vishing is: a dangerously effective attack based on social engineering techniques, in which the offender communicates by phone or voice message posing as a business or organization, with the intention of deceiving the victim and persuading them to act against their own interests.

Vishing. (photo: OSI)

How Cybercriminals Vish

When a company or department suffers a data breach, the stolen data is often put up for sale later, or even posted for free, on underground forums, and it typically contains information that identifies the affected users.

Once cybercriminals have the username and password of the account they want to compromise, they enter the victim’s phone number into the bot along with the command and the name of the targeted service or account, for example Amazon. The bot then calls the victim, posing as that service under a pretext such as suspicious activity on the account. At one point in the conversation, the bot asks the victim to verify their identity by entering the code they will receive on their phone. The victim enters the code (the OTP), and the tool captures it automatically for the attacker.

These bots are traded in Telegram or Discord chats and can be obtained for between USD 100 and USD 1,000 for a single subscription; some offer global reach. Their use shows once again how criminals keep looking for new ways to commit fraud, and their popularity appears to be growing steadily.

Incoming call posing as your trusted bank. (photo: Cloud Computing Magazine)

Fraud schemes that use vishing as a method

As a type of attack similar to phishing, vishing is a resource criminals use in various fraud schemes. Some of the most common are:

– Financial problems / legal problems / impersonation of a government agency:

This is perhaps one of the most prominent forms. Here the attackers do not rely on advanced technical skills; instead, they pose as the voice of an entity such as the police, a bank or a law firm in order to report a problem or fraudulent act involving the victim.

On that pretext, the attackers request personal information and, in some cases, even gain access to the user’s computer, which may hold login credentials for important platforms.

Example of a bot’s voice memo. (photo: MyComputer)

– Refund for computer service:

Here the criminal makes an initial phone call to report an alleged refund for a service the user purchased years ago and that the company has supposedly discontinued. The scammer then convinces the victim to install remote access software on their computer, which gives the scammer access to the victim’s information. Next, the scammer asks the victim to log in to their bank account from that computer and, in parallel, fakes the transfer by showing a spoofed website or a terminal window in the operating system.

In this fake money transfer, the user is allowed to enter the amount they were told would be refunded; once the figures are entered, the criminals quickly change the amount so that it looks as if the user made a mistake, supposedly entering a different value and transferring more money than was due.

– Technical support / malware infection:

In this scam model, whoever contacts the victim pretends to belong to a generically named company that supposedly specializes in computer security, assuring victims that it is protecting their equipment.

Through social engineering, the attacker convinces the individual to allow access to their computer via remote access tools such as TeamViewer, which can let the attacker take control of the device at any time, even when the owner is away.

Then, by running applications that commonly come preinstalled on the victim’s computer, or by showing supposedly corrupted files, the attacker presents the victim with false indications of infection.

Once the attackers believe the user is sufficiently concerned, they pressure the victim into buying an antivirus or a similar “solution” for a large amount of money to fix the problem.

Characteristics of an uninfected computer. (photo: WeLiveSecurity)

Recommendations to avoid becoming a victim of vishing

In addition to monetary losses, vishing attacks can have consequences that are less obvious for the victim, such as their identity being used in future scams against other users.

The Head of the Research Laboratory at ESET Latin America, Camilo Gutierrez Amaya, advises the following: “The main recommendations to avoid being a victim of this type of fraud are: upon receiving a suspicious call, verify its source. It is also important to distrust the origin and, in case of any doubt, end the communication as soon as possible. If the person who contacted us claims to be from a company with which we are associated, it is advisable to communicate with the company through its official communication channels.”

