Author: Dan Norman, Research Analyst, ISF
30 Apr 2020

Vishing attacks are a very cost-effective mechanism for manipulating individuals, using the voice to humanise the delivery and make the attacker seem more believable. To ensure success, attackers build up profiles of their targets using a blend of Open Source Intelligence (OSINT) techniques, particularly online.

A surprising amount of information is publicly available to attackers, meaning they do not necessarily have to delve into the Dark Web in every reconnaissance mission. When building these target profiles, attackers typically scour social media platforms, such as LinkedIn, Twitter, Instagram and especially Facebook, to gather as much public information as possible, as well as other associated websites, such as work or sports teams. Information found can range from home addresses to email addresses and even telephone numbers.

By diving a little deeper into social media profiles one can build up a repository of information, such as what college the target attended, what qualifications they have or training they’ve done, what their favourite brands are, recent purchases and recent vacations… Automated screen-scrapers and other targeted machine learning technologies can all speed this process up tenfold.

Social security numbers, bank account details and other more intimate information is slightly harder to find but armed with the right tools and contacts, it is easy. If we reflect upon the sheer number of known data breaches experienced over the last 10 years, the vast sum of personal and sensitive data spread and sold on the dark web is expansive – and that’s only the information we know has been taken! Many organisations would have been hacked and would not even know it yet.

Imagine now the attacker has a 70% complete digital profile of their target. They know from the social media profiles roughly what they’ve bought over the last year and roughly when, indicating potentially when a credit card was used. They can now go to the Dark Web and post questions like: Has anyone hacked X organisation’s customer service platform between this date and this date and do they have account details for X target. By narrowing the search it reduces the price they need to pay for the details as it’s just one key target, rather than buying in bulk. One profile with credit card details or the social security number can range anywhere from $50 – $200 – a small price to pay for access to potentially thousands of dollars.

And there you have it – a full, detailed profile of an individual. Pair this with some skilled social engineering and smooth talking and the attacker can make off with thousands of dollars in an instant.