Voice mail phishing returns in 2019
30th January 2019
Email security specialist EdgeWave has reported a dramatic increase in voice mail phishing attacks that arrive as emails carrying EML attachments. Unwary users are encouraged to open these emails and click on ‘Listen to your message’ links. They are then directed to a bogus Microsoft account login page that asks for their credentials.
Vishing
Vishing, or voicemail phishing, is a cyber attack designed to trick its recipient into disclosing confidential information or infecting their computer with malicious software. Email is the most common transmission vector. Cyber criminals work hard to disguise the real source of their email and convince their victims that the voice message is from a trustworthy organisation or reputable person. Fake caller-ID information is often used to make the calls appear to come from a legitimate organisation or business.
Vishing has been used for many years by criminals who ask their targets to call them and disclose credit card or bank details. Modern cyber criminals have of course automated the process and are looking to harvest larger amounts of the same confidential information.
How a vishing voice message attack works
The EdgeWave blog, Welcome to Phishing 2019, confirms that the attack arrives in the form of an email pretending to be a notification about a voice message, with subject lines such as ‘PBX Message’, ‘Voice:Message’ or ‘Voice Delivery Report’. The attachment names VRF_audio-mail.923.e.wav.eml and iRING=voice-mail.923.e.wav (1).eml have both been used.
Disguised and apparently legitimate
For one email investigated, the sending domain, lps.direct, is valid and owned by a London based property services company. The originating IP is 104.238.37.64, and associated with Strong Technology, a legitimate VPN provider from Boston. This is a classic example of the way a cyber criminal will use the tried-and-true technique of using a VPN to mask their true location.
Opening the attached EML file presents multiple options to select links to ‘Preview’, ‘Listen’ and ‘Save Audio’. Each link points to a page on the honestypolicy.gq web site, hosted in Equatorial Guinea. Domains under .gq are available for free and are known to be associated with other types of cyber attack. To increase the apparent legitimacy of the web site, the Terms of Use link points to the real web site of the voicemail service provider, RingCentral.
EML attachments
EML is a file extension for an email message saved to a file in the MIME RFC 822 standard format by Microsoft Outlook Express and several other email programs. The files can contain plain ASCII text for the headers and the main message body, as well as hyperlinks and attachments. EML has known associations with malware: first reported in 2001, the Nimda worm is known to create EML files as part of its infection and transmission processes. It is surprising to hear that 2019 vishing attacks are using EML files which are evading detection by anti-virus and some endpoint detection systems. EdgeWave confirmed that the attack using VRF_audio-mail.923.e.wav.eml did not trigger the defences of the anti-malware software, VirusTotal and Malwarebytes.
Preventing voice mail phishing attacks
To prevent attacks using EML attachments, we recommend that these emails are blocked or quarantined before they arrive in users’ inboxes. It also makes sense to ‘blacklist’ and prevent any outbound connection to known suspicious web server domains (e.g. .gq domains).
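The quarantine rule above can be implemented at the mail gateway by parsing the RFC 822 message and looking for the indicators the post describes: a lookalike subject line, a nested .eml attachment with a voice-mail style name, and links whose host sits under a suspect TLD such as .gq. The following is an added example written for this article, not code from EdgeWave or Wizard Cyber; the sample message it builds is constructed test data, and the .gq check is a heuristic, not proof of malice.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Indicators quoted in the post; the .gq TLD is a heuristic, not proof of malice.
SUBJECTS = ("pbx message", "voice:message", "voice delivery report")
SUSPECT_TLDS = (".gq",)
VOICE_EML = re.compile(r"(voice|audio).*\.wav.*\.eml$", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"'<>]+")

def analyse_eml(raw: bytes) -> dict:
    """Parse an RFC 822 message and report voice-mail-style .eml attachments,
    lookalike subject lines and links whose host uses a suspect TLD.
    walk() descends into message/rfc822 parts, so nested .eml bodies are scanned too."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"subject_match": (msg["Subject"] or "").strip().lower() in SUBJECTS,
             "eml_attachments": [], "suspect_links": []}
    for part in msg.walk():
        name = part.get_filename() or ""
        if VOICE_EML.search(name):
            found["eml_attachments"].append(name)
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and the message/rfc822 wrapper itself
        for url in URL.findall(part.get_content()):
            host = (urlparse(url).hostname or "").lower()
            if host.endswith(SUSPECT_TLDS) and url not in found["suspect_links"]:
                found["suspect_links"].append(url)
    return found

def should_quarantine(found: dict) -> bool:
    """Quarantine when a nested voice-mail .eml is present or a suspect link was found."""
    return bool(found["eml_attachments"] or found["suspect_links"])

def build_sample() -> bytes:
    """Constructed sample shaped like the message the post describes (not a real capture)."""
    inner = EmailMessage()
    inner["Subject"] = "Voice:Message"
    inner.set_content('<p><a href="http://example.invalid/terms">Terms of Use</a> '
                      '<a href="http://honestypolicy.gq/listen">Listen</a></p>', subtype="html")
    outer = EmailMessage()
    outer["Subject"] = "PBX Message"
    outer["From"] = "pbx@example.invalid"
    outer["To"] = "user@example.invalid"
    outer.set_content("You have a new voice message.")
    outer.add_attachment(inner, filename="VRF_audio-mail.923.e.wav.eml")
    return outer.as_bytes()

if __name__ == "__main__":
    report = analyse_eml(build_sample())
    print(report, "-> quarantine" if should_quarantine(report) else "-> deliver")
```

Feed `analyse_eml` the raw bytes of a message from the gateway's quarantine hook; the lists it returns can also be logged as detection evidence.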
The Wizard Cyber blog, ‘Protect your business from fake CEO attack’, outlined our approach to protecting an organisation from the very real threat of voice mail phishing. We strongly advocate the use of technical controls, including the implementation of a Secure Email Gateway and Anti-Spoofing. It is also essential to ensure that all staff are trained to identify and report suspicious emails when they receive them. We also advise that organisations contact their voice mail service providers and ask them to implement (if available) multi-factor authentication (MFA) and restrict access to ‘need only’ users.
———–
Wizard Cyber delivers a comprehensive Phishing Security Service solution designed to protect your organisation from cyber attacks that use email phishing. Our services are based on the recommendations of the UK National Cyber Security Centre who advocate a multi-layered approach that includes a combination of technological, process, and people-based cyber security measures.