
69% of IT Departments have been Targeted by Vishing Attacks
Are IT departments victims of social engineering attacks? And if so, how is it done, and is it significant? Our experience is that the idea of social engineering is well understood by IT-management, but the risk that their own department might be the victim is not generally accepted. We combined external research and statistical sources with data from our customers to answer this question, which is closely linked to data breaches.
Specifically, we looked at the importance of the human factor and of phone-based social engineering (vishing) in data breaches. The role of credentials/passwords in social engineering is covered too.
In this blog we share the surprising results and add some suggestions for remedies!
Here is a Summary of the Key Numbers
- 69% of IT departments have been targeted by a vishing attack (Statista)
- Vishing attacks have grown 550% in 12 months (Agari & PhishLabs)
- 78% of IT Service Desk managers fear a criminal can get a password from their supporters (SDI)
- The human factor contributes in 82% of data breaches (Verizon DBIR)
- 25% of Business Email Compromises (BEC) used a stolen password (Verizon DBIR)
- 71.6% shutdown rate on vishing calls after a 4-year improvement program (Social-Engineer, LLC)
- 36% of users can’t remember answers to their personal verification questions (FastPassCorp)
- Criminals use passwords for data breaches in 50% of incidents (Verizon DBIR)
- 75% hacker success when combining vishing and phishing! (Group-IB)
Everyone knows that our IT-systems are targeted by criminals for financial gain or state purposes, and even government departments and agencies fall victim to vishing attacks. All competent IT-departments invest heavily in people, technology and processes to protect against attacks. The new statistics from various sources presented here raise the question of whether more attention and investment should be directed to the human risk factor!
The Human Element is a Factor in 82% of all Breaches
What about the human factor? If an employee unknowingly gives away critical information about the IT-system, then this is the key criminals need to open the safe. The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes is called social engineering, in contrast to technical engineering, which is where most security investments are placed.
How much do social engineering scams account for when it comes to data breaches? According to Verizon’s Data Breach Investigations Report 2022:
The human element continues to be a factor in 82% of all breaches. (DBIR 2022 p 33).
It’s important to understand that a data breach almost always requires many elements to be in place for the hacker to succeed. The human factor is just one element of the attack, but without it the attack can’t be carried out. A stronger focus on preventing the human element from helping hackers will obviously make a huge difference.

25% of BECs involve use of a stolen password – not phishing!
We might think that stolen passwords are the result of phishing attacks, where the criminal then uses the password for his attack. But hackers have other ways to obtain passwords.
Verizon DBIR 2022: only 41% of Business Email Compromises (BEC) involved phishing. Of the remaining 59%, 43% (25% in total) involved the use of stolen credentials against the victim organizations.
Credentials means passwords in almost 100% of cases! The question is: “How has a fraudulent operator stolen the passwords in those 25% of BECs?”
The main methods for social engineering are:
- Phishing: using e-mails to get individuals to reveal personal information such as passwords and credit card details.
- Vishing: making phone calls or leaving voice mails to induce individuals to reveal personal or company information.
- Smishing: an attacker uses a compelling text message to trick targeted recipients into clicking a link and sending the attacker private information.
For the criminals, phishing and smishing have the attractive characteristic that they are very easy to automate and distribute to millions of users at a very low cost per transaction. This means that only a very low positive rate is needed to be successful.
69% of IT-departments Targeted by Vishing Attacks
If you want to hack an IT-system, then the IT-people are the obvious group to target. They know (or should know) about phishing and are not easy targets for phishing and smishing campaigns. This might explain the strong growth in vishing attacks against IT-departments!
According to Statista, 69% of IT departments were targeted by vishing attacks in 2021, an increase of 54% from 2020, based on 600 interviews.
Source: https://www.statista.com/statistics/1306269/volume-vishing-attacks-organizations/
Does this make business sense for the hackers? Absolutely! If a hacker succeeds in obtaining the relevant data from the IT-department, they have the keys to the castle! A hacker only needs to succeed once to make it very profitable.
We think that the 69% who reported the incident avoided becoming victims. The real victims, who disclosed important information including passwords, probably don’t know what happened! We can safely conclude that far more than 2/3 of IT departments have been attacked. We don’t have the numbers for the success rate.
550% Vishing Growth
Is vishing only focused on IT-departments? No, it is much more widespread! A well-known social engineering method is to call a user, pretend you come from IT-support, and ask for the user’s password to solve an important technical issue. Other scams include phoning the finance department and impersonating the CEO to get a fast money transfer.
According to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs, vishing grew 550% from Q1 2021 to Q1 2022!
“By the end of the year, more than one in four of every reported response-based threat was a vishing attack, and this may continue through Q1 2022.” https://www.fastpasscorp.com/blog/vishing-cases-increased/
The growth is of a magnitude where much more attention is required from IT-security organizations to come forward with recommendations to protect against vishing attacks.
IT-staff are generally very important to hackers, as they have access to critical IT-infrastructure. Obtaining their credentials is much more valuable than getting a password for an ordinary user.
75% Hacker Success when Combining Vishing and Phishing!
What can a competent hacker expect to achieve with a vishing campaign against a specific target? Is it at all realistic that social engineering with phones will get the desired results?
To assess the scope of the problem, Group-IB carried out a social engineering penetration testing project:

“Of the more than 100 social engineering testing projects we conducted in 2020, we discovered that voice calls ("vishing") were more effective than phishing emails with links to fake resources or executable attachments. Vishing, which had a success rate of 37%, is particularly effective because victims do not usually expect these calls. [...] Vishing combined with phishing (with both a link to a fake resource and an executable attachment) delivered ultimate efficiency: 75% of our social engineering testing attacks were successful in 2020.”
Do we really understand what this 75 percent means? To me it means that a criminal can get information about critical infrastructure, other employees, and their passwords at a very low cost, and with no real risk at this stage. Data breaches are a business now, and the hackers’ efforts are directed where the best price/performance can be achieved. This success rate of 37% or 75% explains the 550% growth of vishing.
50% of Data Breaches can be Attributed to Leaked Credentials
What are the social engineers hoping to get from their activity? Passwords!
Alex Weinert (Director of Identity Security at Microsoft) states: “Remember that all your attacker cares about is stealing passwords...That’s a key difference between hypothetical and practical security.”
The very first summary illustration in the Verizon 2022 DBIR states that 50% of data breaches can be attributed to leaked credentials (passwords).
This confirms numerous other studies showing that hackers need passwords as one piece of their puzzle. Password policies that prevent users from choosing easy-to-guess passwords are extremely important. But if the hackers use social engineering, they get even the complex passwords! Protection of passwords must include protective actions against social engineering.
78% of IT Service Desk Managers Fear a Password Breach
A few years back, the Service Desk Institute (SDI) conducted a survey amongst their members, funded by us. 78% of the managers feared that a criminal could persuade their staff to give away a password.
The question: “In spite of your authentication process, do you think it is possible for a criminal (internal or external) to get a password for a legitimate user’s account?”
Of those who answered YES or NO, a surprising 78% said YES. Only 22% were confident that their staff had strong enough procedures and training not to fall victim to social engineering.
Indeed, 14% had done all they could but realized that the risk remains. This is probably how it is when humans with emotions control a process!

It's worth remembering what the well-known white-hat ethical hacker Kevin Mitnick writes in his book “The art of deception”: “Why should an attacker spend hours trying to break in, when he instead can do it with a simple phone call?”
71.6% shutdown rate on vishing calls after a 4 years’ improvement program
The most recommended mitigation against vishing is training of the employees. The IT security consulting group Social-Engineer, LLC has published a case study from one of their assignments at a customer of approximately 18,000 employees.
Initial tests found a compromise rate of 46% and a 36% shutdown rate. After 4 years’ engagement, dramatic improvements were observed: a 28.3% compromise rate and a 71.6% shutdown rate. https://www.social-engineer.com/wp-content/uploads/2021/06/A-Case-Study-in-Vishing.pdf
The case illustrates that awareness and training can achieve significant improvements. But it also tells us that a hacker dedicated to the task, with persistence, can still get results. It is extremely difficult to predict and control human interactions.
36% of Users can’t Verify themselves with Answers to Challenge Questions
If a user has access to his corporate network and you need to verify him on the phone, you can send him an email and ask him to read out the text or number you sent. But if he has forgotten the password, or claims he has (as in a forgotten-password situation), and therefore has no access to his corporate email, how can the user then verify his identity?
If you ask a supporter in the service desk how often a particular method of verification is successful, there is the risk that the supporter, in sympathy with the user, “helps” a bit, simply because the supporter wants to help.
We have found objective facts in customers’ experience with self-service password solutions, where everything in the verification process is logged. We analyzed more than 32,000 self-service transactions from our customers to see what the users themselves can contribute in the verification steps. The FastPass self-service solution for password reset in most installations allows the user to select between multiple verification methods; in many cases they must use 2 factors to reset the password.
In the logs we can see if a user tries a method and then fails. They might then try another method or call the service desk.
We can see that in 36% of cases users can’t remember the correct answers to their challenge questions.
The use of TOTP tokens, however, has a success rate of 95%. In most cases the tokens reside on the user’s smartphone. Using a TOTP or push-based app can be an excellent proof of verification.
It happens, however, that the user’s phone is lost or forgotten, and you still want them back at work or need to assist them with important data for their task. Then you have to find other ways to verify them on the phone.
A social engineer will either spoof a phone number or claim the phone is forgotten when he calls for passwords or information. So, you must be able to distinguish between the legitimate user and the false user.
Combining dynamic and contextual data from the system that is not available to any hacker will add a layer of security, which means that we can reliably verify the real users and reject the false ones. When in doubt, call a trusted colleague to verify the person.
Some Real-Life Vishing Attacks on IT-departments

From the statistics cited above, it is obvious that some risk of vishing attacks against IT-departments exists, but do we know of real-life breaches? We have some prominent examples:
- Twitter: Lessons learned from the Twitter Hack of 2020
- Robinhood: Robinhood Data Breach
- Cisco: Cisco Corporate Network Breached
...but we believe it to be much more widespread. When a stolen password is part of an attack, it is very difficult to research how the hacker stole it. The hack might even go unnoticed in some cases, where the criminal “only” steals a few million dollars and then vanishes without a trace.
In BBC News, Security Analyst Joe Tidy wrote on the Cisco breach (Sept 2022):
The saying goes in cyber-security that "humans are the weakest link", and once again this hack shows that it was an employee being fooled that let the criminals in.
Although the saying is true, it's also extremely unkind.
The fuller picture emerging here shows that this hacker was highly skilled and highly motivated.
As we saw with recent breaches of Okta, Microsoft and Twitter, young hackers with plenty of time on their hands and a devil-may-care attitude can persuade even the most careful employees into making cyber-security mistakes.
This form of hacking through social engineering is even older than computers themselves - just ask infamous former hacker Kevin Mitnick, who was sweet-talking his way around telephone networks back in the 70s. https://www.bbc.com/news/technology-62925047
We note that the list only includes IT-companies and Internet-based businesses. It is unlikely that these are the only verticals to be attacked. It might, however, be that they are open and disclose their findings. Considering the facts in this blog, there must be many more organizations who have been victims of vishing attacks. They might prefer to keep quiet about it, or they might not even know it has happened!
Summary
- Criminals use passwords for data breaches in 50% of incidents (Verizon DBIR)
- The human factor contributes in 82% of data breaches (Verizon DBIR)
- 25% of Business Email Compromises (BEC) used a stolen password (Verizon DBIR)
- Vishing attacks have grown 550% in 12 months (Agari & PhishLabs)
- 69% of IT departments have been targeted by a vishing attack (Statista)
- 71.6% shutdown rate on vishing calls after a 4-year improvement program (Social-Engineer, LLC)
- 36% of users can’t remember answers to their personal verification questions (FastPassCorp)
- 78% of IT Service Desk managers fear a criminal can get a password from their supporters
- 75% hacker success when combining vishing and phishing!
- Many well-known companies have been hit by vishing attacks against the IT-department.
Conclusion
What can we learn from the above facts?
In general terms, vishing is growing very fast because it works and is very difficult to prevent, as social engineering is about human behavior and emotions.
The IT-department itself, which is responsible for IT-security, is a target too, because it holds the most valuable assets: the credentials!
Passwords are a necessary piece in the puzzle for the hackers, and they can get the passwords from the IT end-user service centers through phone-based social engineering (vishing).
- Criminals phone the IT-departments for passwords because it gives them the necessary results at the lowest cost.
- User verification must include an IT-workflow with multiple verifications.
- IT-service desks are not prepared for vishing attacks.
IT management can decide to do something about it now and protect their assets before the hackers start calling in, or wait and be surprised when it happens.
Remedy: Awareness and Intelligent Workflow
What is the remedy against vishing attacks? We see a need for a combination of human involvement and forced IT-workflow:
- Everyone in an organization can be the target of a vishing call. Education, training, information, and controls are necessary elements in preparing the organization against vishing (as well as phishing) attacks. Experience shows that it helps, but as vishing still continues and grows, the hackers evidently find it efficient!
- Where you have resources within your organization that have access to critical data and are expected to assist colleagues, you must implement a forced IT-workflow. If you just rely on “common sense”, the hackers will ultimately find a way to succeed! Having a forced IT-workflow in place takes emotions out of verification; it will prevent a data breach at the service desk and will ensure the hacker goes elsewhere.
Within the IT-service desk environment, the service desk supporters are there to assist users in resetting passwords. Even if they have a good written procedure today, a good social engineer can persuade the supporter to bypass the process in many ways, “just for me today”! The intelligent IT workflow will instead verify the identity of the user based on contextual and dynamic data and decide whether to provide a password or not. The consequence is that the service desk analyst does not need access to the administrative password reset tool; only the workflow has these privileged rights. The same process should be used in all situations where data or important resources are made available to users.
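The forced workflow described in this section, and the logged, multi-method verification described under the 36% figure earlier, can be modelled in a few dozen lines. The following is an added example, not code from the original post or from FastPass: the supporter's screen only feeds the caller's answers into a session; the workflow applies the policy (two distinct passing methods), logs every attempt so that per-method success rates can be mined later, and is the only component that holds the right to reset a password. The user name, challenge answer and ticket number are constructed for the example, and the email code is returned to the caller of `send_email_code` only so the example can stand in for the mailbox.

```python
"""Forced verification workflow for a phone-based password reset.

Added example, not FastPass code; all names and sample data are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

REQUIRED_METHODS = 2  # policy: two distinct passing methods before any reset happens


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Challenge answers are stored salted and stretched, normalised so that
    'Copenhagen' and ' copenhagen ' match when read out over the phone."""
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


@dataclass
class UserRecord:
    username: str
    answer_salt: bytes
    answer_hash: bytes
    last_ticket: str  # contextual data from the ticket system that the real user knows


@dataclass
class Directory:
    """Stand-in for the identity store. Only ResetWorkflow holds a reference to it."""
    users: Dict[str, UserRecord] = field(default_factory=dict)
    resets: List[str] = field(default_factory=list)  # audit trail of executed resets

    def reset_password(self, username: str) -> str:
        self.resets.append(username)
        return secrets.token_urlsafe(12)


@dataclass
class Session:
    """What the supporter works with: answers go in, verdicts come out, no privileges."""
    username: str
    passed: Set[str] = field(default_factory=set)
    log: List[Tuple[str, str, bool]] = field(default_factory=list)  # (user, method, ok)
    email_code: Optional[str] = None


class ResetWorkflow:
    def __init__(self, directory: Directory) -> None:
        self._dir = directory  # the privileged handle lives here, not in the desk UI

    def start(self, username: str) -> Session:
        return Session(username)

    def _record(self, s: Session, method: str, ok: bool) -> bool:
        s.log.append((s.username, method, ok))
        if ok:
            s.passed.add(method)
        return ok

    def send_email_code(self, s: Session) -> str:
        """Code goes to the corporate mailbox; the caller reads it back (simulated here)."""
        s.email_code = f"{secrets.randbelow(10 ** 6):06d}"
        return s.email_code

    def check_email_code(self, s: Session, spoken: str) -> bool:
        expected = s.email_code
        s.email_code = None  # single use, whether the answer was right or wrong
        ok = expected is not None and hmac.compare_digest(expected.encode(), spoken.strip().encode())
        return self._record(s, "email_code", ok)

    def check_challenge(self, s: Session, answer: str) -> bool:
        u = self._dir.users[s.username]
        ok = hmac.compare_digest(hash_answer(answer, u.answer_salt), u.answer_hash)
        return self._record(s, "challenge_question", ok)

    def check_context(self, s: Session, ticket: str) -> bool:
        u = self._dir.users[s.username]
        ok = hmac.compare_digest(u.last_ticket.encode(), ticket.strip().upper().encode())
        return self._record(s, "context_ticket", ok)

    def complete(self, s: Session) -> Optional[str]:
        """The only path to a reset: the policy decides, the supporter cannot override it."""
        ok = len(s.passed) >= REQUIRED_METHODS
        s.log.append((s.username, "reset", ok))
        return self._dir.reset_password(s.username) if ok else None


def method_success_rates(sessions: List[Session]) -> Dict[str, float]:
    """Per-method success ratio mined from session logs, the kind of figure behind the
    36% challenge-question failure rate quoted earlier."""
    attempts, successes = Counter(), Counter()
    for s in sessions:
        for _, method, ok in s.log:
            if method != "reset":
                attempts[method] += 1
                successes[method] += ok
    return {m: successes[m] / attempts[m] for m in attempts}


def make_demo_directory() -> Directory:
    """Constructed sample data: one user with a challenge answer and an open ticket."""
    salt = secrets.token_bytes(16)
    user = UserRecord("a.nielsen", salt, hash_answer("Copenhagen", salt), "INC-4711")
    return Directory(users={user.username: user})
```

The design point is structural rather than procedural: a `Session` has no reference to the `Directory`, so even a supporter who wants to be helpful has no call they can make that resets a password; only `complete` does, and it refuses until two independent methods have passed.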
FastPassCorp
FastPassCorp has developed an end-user / employee identity verification management tool. The tool ensures that users are verified based on data, not on emotions. Part of the solution is to take away supporters’ privileged access to password reset tools. The tool can be used by any department, such as HR and Finance, not just by the IT department. It is certified by ServiceNow and can easily be integrated with other process tools. For more information: FastPass Identity Verification Manager

Finn Jensen, Founder of FastPassCorp