A throwback to the '90s and early 2000's, voicemails are (or, used to be) a relatively safe way to get information from friends and family and colleagues. What could be more safe and secure than someone's voice?
Actually, as it turns out, a lot of things.
What information is the malicious actor after?
A point of clarity: voicemail systems have gone from "a handy lil' box on your desk with a tiny cassette tape in it" to, you guessed it, "the cloud." This means that in order to hear a voicemail (that isn't in your phone) you have to log in to somewhere in order to hear it.
So! According to our data, most malicious actors are trying to go after your login credentials. Because voice messages are often on a platform that requires you to log in, a malicious actor can impersonate a real login site and trick you into giving your credentials. Another type of attack is to trick you into opening a malicious file. The attacker may also use a prerecorded message with malicious content. This recording may contain, among other things, a message requiring you to take action, such as calling a malicious number or providing sensitive information by email. This type of attack impersonates an authority, a senior manager, or a known service provider (such as, for example, Microsoft IT support - which seems to be a common phishing lead).
Malicious attachments
Almost all fake voicemails come with a malicious attachment. The names of the attachments are often HTMLs, meaning that you're most likely to see (but not exclusively gonna see) Voicemail.html, Audio.html, 22/01/12_15:92:02_voicemail.mp3.html, Missed_voice.wav.html and so on. Those with even a passing knowledge of the ol' internet will recognize that HTML files are actually web pages and open in a browser instead of a voice application.
There's also file spoofing, which is a roundabout way of tricking your computer into thinking (for example!) that an HTML file is actually a .WAV file. It's best not to interact with any file that you receive in a voicemail message. Just call the person back. Even better, tell them about this blog post!
What’s inside the file
Let's say you accidentally opened one of these files. You won't get a voicemail. You'll get something that looks like the above.
Files can contain anything and the more targeted the attack, the more dangerous they often are. However, based on our data, we see a very high number of password phishing pages. The attachments can either have the entire phishing site embedded or a file that redirects you to the malicious page. In some cases we have also seen that the site sends all button clicks directly to the malicious actor. So if mistakenly you have even typed in your username and password you should change them immediately even if you have not pressed the submit button on the page.
Files and links are personalized
Because it is very easy to customise the links and files sent by machine, they are almost always associated with personalised information such as email address, name, and organisation. This increases the credibility of the attacker and allows the attacker to gather information about who opened the link or file and how they acted. The most common method is to hide personal information in base64 encoded format. Here is an example of an encoded record.
Plain text: thomas.anderson@hoaxhunt.com
Base64 encoded string: dGhvbWFzlmFuZGVyc29uQGhvYXhodW50LmNvbQo=
This makes it easy to parse the first name, surname and likely the organisation.
Exploiting genuine services and authors
The most challenging style of scam to verify is to use a pre-recorded message that says, for example:
Hi, this is Bob your supervisor, can you call me at this number as soon as you hear this message +XXX XXXX XXXX XXXX.
or
Your annual Geek Squad license has been renewed for 349.99. If you wish to cancel your subscription please call +XXX XXXX XXXX.
These aren't easy to figure out! A lot of people just call the number and pay the money, not knowing that a hacker (or gang of hackers... a "hackery", if you will) is getting their money.
Your organisation should have processes in place to deal with such situations. For example, how to verify the accuracy of information and what are the correct telephone numbers and email addresses for your company employees.
Staying off the hook
- Never open unknown attachments
- Always log in to known services by typing the address into your browser yourself
- Ensure the authenticity of information such as phone numbers and email addresses
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt