Enterprises Hit With Social Engineering Scheme That Starts With a Phone Call

Researchers at Symantec have reported a wave of attacks that take an interesting approach to social engineering – a telephone call.

According to Symantec, the victim receives a phone call from an attacker impersonating an employee or business associate of the organization. The caller speaks in French and asks the victim to process an invoice that the victim receives by email.

“The email typically contains a malicious link or an attachment, which is actually a variant of W32.Shadesrat, a Remote Access Trojan (RAT),” blogged Symantec’s Security Response Team. “There is evidence to suggest that these attacks began as early as February 2013, however, it was only more recently in April that phone calls were being placed prior to sending the victim the phishing email.”

The attacks are currently targeting only French organizations, but have also included subsidiaries that operate outside of France, the firm found.

Just recently, the Internet Crime Complaint Center (IC3) issued an advisory about phishing attacks targeting consumers that begin with a phone call directing the person to log on to a phishing site. The automated calls claim to be from the victim’s telecommunication carrier. Once on the site, the user is offered what appears to be a billing credit, discount or prize ranging from $300 to $500.

“The phishing site is a replica of one of the telecommunication carrier’s sites and requests the victims’ log-in credentials and the last four digits of their Social Security numbers,” according to the IC3, which is a partnership between the FBI and the National White Collar Crime Center. “Once victims enter their information, they are redirected to the telecommunication carrier’s actual website. The subject then makes changes to the customer’s account.”

In the case of the attacks reported by Symantec, the victims tend to be accountants or employees working within the financial department of the targeted organizations. This may not be too much of a surprise for some. According to Symantec’s latest Internet Security Threat Report, the percentage of targeted attacks focused on chief executive or board level employees fell from 25 percent in 2011 to 17 percent in 2012. The most targeted role belonged to employees in the research and development area, who were hit with 27 percent of attacks as opposed to just nine percent in 2011. The next most targeted group was the sales department, which saw 24 percent of attacks in 2012 compared to 12 percent in 2011.

Since the handling of invoices is something such employees would do on a regular basis, the lure is potentially “quite convincing,” Symantec said.

“It appears that the attacker’s motivation here is purely financial,” according to Symantec. “Targeting employees who work with company finances likely provides access to sensitive company account information. These employees may also have the authority to facilitate transactions on behalf of the organization; a valuable target if the attacker gains access to secure certificates that are required for online transactions or confidential bank account information.”

These attacks are continuing to this day and organizations should be aware of these increasingly sophisticated social-engineering attacks, Symantec added.

“The attacker may have limited information, so asking additional questions on a call may help to determine the legitimacy of the request,” the team warned. “Organizations also need to be aware that personally identifiable employee information that exists outside of your enterprise, even in the form of an invoice, can be used against you if a business associate becomes compromised.”
