BazarCaller is a new cybercrime gang that uses vishing to trick its victims into handing over information or access to a device. Vishing is the malicious practice of making phone calls or leaving voice messages while pretending to be from a reputable company, in order to get individuals to give out personal or financial information. Vishing is similar to phishing, but it is conducted over the phone instead of by email.
Vishing Attacks
In recent years, vishing has been combined with website hacks that display a virus warning from “Microsoft” (or other reputable company) asking you to call their support line to remove the virus immediately or suffer dire consequences. This attack typically preys on the elderly and less computer-savvy individuals, costing those consumers millions of dollars. [Editor Note: CyberHoot is aware of at least one family member that has fallen prey to this dastardly vishing attack!]
The problem is that Caller ID is easy to spoof, which lets hackers masquerade as reputable companies by forging the Caller ID shown to each potential victim. For that reason, relying on Caller ID to decide whether a call is safe is not recommended. One may wonder why hackers bother with phone calls at all, considering most people ignore calls from unknown numbers. The answer is social engineering: sometimes, being different from what everyone has been told to watch out for is enough to get victims to let their guard down.
Furthermore, many people feel comfortable carrying out risky computer behaviors, such as installing unknown software, if an "IT helpdesk" user is talking them through it at the same time. Social engineering scammers can adapt and respond in real time to any questions or fears a potential victim raises, keeping the victim on the hook far longer than text-based lures (phishing, smishing), where the target is left to their own devices.
Protecting yourself and your Loved Ones from Vishing
Since vishing attackers often prey on the elderly, explain to your parents, aunts, and uncles why they should never hand over control of their computer, or install any software, at the request of a caller claiming to be from a computer company. Secondly, they should never give credit card details to someone they called because of a message on their computer screen. When in doubt, have them call you; you have read this article and can explain the dangers.
Additional SMB Protections
In addition to staying alert to vishing attacks, CyberHoot recommends the following best practices to protect individuals and businesses against vishing (or similar) attacks and to limit the damage when one succeeds:
- Train employees to spot and avoid computer-based vishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Adopt a password manager for better personal/work password hygiene
- Require two-factor authentication on any SaaS solution or critical accounts
- Require 14+ character passwords in your governance policies
- Adopt a patch management solution
- Backup data using the 3-2-1 method
- Incorporate the Principle of Least Privilege
- Perform a risk assessment every two to three years
Listen to what happens when a white-hat hacker exposes a Vishing attacker by hacking them back.