US cybersecurity researchers have released new case studies detailing the activities of fraudsters using voice messages in recent campaigns to con users into parting with personal and financial assets.

“Vishing” – a specialist form of phishing attack

Phishing campaigns typically involve insidious messages sent using SMS, social media networks, email and other platforms using a text-based format. They can appear to be sent from banks and building societies, government organisations, business colleagues and commonly used online services like Amazon and PayPal, or may simply try to lure their victims in using promises of prize winning and tax rebates.

Many of these malicious messages contain harmful attachments designed specifically to unleash malware, or to lead targets to fake websites where their private passwords and usernames are stolen by threat operators.

Dubbed “vishing”, this newly detailed attack form is a subset of phishing whose name combines “voice” and “phishing”. Victims may be cold-called out of the blue, or may receive emails carrying voice notes, phone numbers and fake messages, with the overall aim of stealing private data.

Scammers often cast a wide net by sending out emails in bulk, and the same technique is now being employed to exploit voice over internet protocol (VoIP) technology, with hackers spoofing their own identities and caller IDs.

Vishing attacks under the microscope

In two separate studies posted by Armorblox, researchers highlighted two different vishing attacks focused on stealing Amazon customer payment card details, and illustrated how the use of voice message technology is enabling attackers to bypass security spam filters.

The first vishing study showed an attack that had reached around 9,000 inboxes and originated from a basic Gmail account. The malicious email’s subject began “Invoice ID” followed by an invoice number, and its content used the specific colour markers employed by Amazon to appear authentic.

The body copy of the message states that an order for media equipment has been placed with a value of about $100, and asks the recipient to phone the number given if there is anything wrong with the order.

Researchers tested the number and spoke to a scammer impersonating Amazon’s customer service. The scammer requested personal and payment details along with the order number and, after receiving them, cut the call and blocked the research team’s phone number.

The team discovered that the email had managed to circumvent protective filters, including Microsoft Defender and Microsoft Exchange Online Protection, by replacing the letter ‘O’ in Amazon with a zero.

The second vishing attempt successfully arrived in around 4,000 email inboxes and also bypassed both Microsoft security products, this time using a spoofed Amazon email address. The body copy of the email used a similar technique, with recipients asked to contact a specific number to make a return request, but the amount of money involved was over five times as much. The email was believed to have bypassed the protective filters because no malicious links or attachments were used in the message, as none were necessary for the scam to succeed.
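The two evasion tricks described above, a confusable character in the brand name and a callback number with no links or attachments, are straightforward to flag on the defender's side. The following is an added example, not code from Armorblox or the article, that normalises digit-for-letter substitutions before matching the brand, checks the sender domain against a constructed allow-list, and treats "brand named, phone number present, no links" as a vishing indicator; the headers and body are constructed samples modelled on the campaign.

```python
import re

# Confusable characters scammers substitute into brand names (constructed table,
# covering the zero-for-O swap described in the article plus a few common ones).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

# Brands worth checking and the domains allowed to send on their behalf
# (constructed sample; a real deployment would maintain its own allow-list).
BRANDS = {"amazon": {"amazon.com", "amazon.co.uk"}}

PHONE_RE = re.compile(r"(?:\+?\d[\d\s().-]{7,}\d)")
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def normalise(text: str) -> str:
    """Lower-case and undo digit/symbol-for-letter substitutions such as 'Amaz0n'."""
    return text.lower().translate(CONFUSABLES)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header like 'Amazon <billing@gmail.com>'."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def assess(from_header: str, subject: str, body: str) -> list[str]:
    """Return the vishing indicators found; an empty list means nothing suspicious."""
    findings = []
    raw = (subject + " " + body + " " + from_header).lower()
    text = normalise(raw)
    for brand, domains in BRANDS.items():
        if brand not in text:
            continue
        if sender_domain(from_header) not in domains:
            findings.append(f"brand '{brand}' named but sender domain is not on its allow-list")
        if brand not in raw:
            findings.append(f"brand '{brand}' spelled with confusable characters")
    if PHONE_RE.search(body) and not LINK_RE.search(body):
        findings.append("callback phone number present with no links (vishing pattern)")
    return findings


# Constructed sample resembling the first campaign described in the article.
SAMPLE_FROM = "Amaz0n Billing <orders.notify@gmail.com>"
SAMPLE_SUBJECT = "Invoice ID 4481-77210"
SAMPLE_BODY = ("Your order for media equipment totalling $99.99 has been placed. "
               "If you did not authorise this order, call +1 (555) 010-2233.")

if __name__ == "__main__":
    for finding in assess(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY):
        print(finding)
```

The same normalisation can be applied to the display name alone, which is where the confusable spelling most often sits when the sender address itself is a throwaway webmail account.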