Cybersecurity experts have come up with an alarming pattern with respect to cybercrime. It appears that cybercriminals are progressively integrating ‘vishing’ techniques, a condensed term for voice phishing, with emerging OTP grabber services, further enhancing their bad intentions.
Vishing is a technique where scammers trick people into sharing sensitive information during phone calls. What makes it especially risky is the personal approach they use, which makes victims more likely to trust the caller. These cybercriminals use advanced voice systems, real voice recordings and even tricks that make calls seem like they are from trustworthy companies. All of this is aimed at pressuring victims into giving away their one-time passwords (OTPs).
Shreya Talukdar, the Global Threat Intelligence Analyst at CloudSEK, points out how these cybercriminals have effectively used vishing techniques to their advantage. She explained that by relying on vishing, these criminals managed to acquire employee credentials, gain control over global admin privileges within Azure Tenant, steal data and then held many ESXi hypervisors hostage for ransom.
The situation is further of a concern after an ad was revealed on SpoofMyAss.com (SMA), where services are being offered that substantially facilitate cybercriminals in orchestrating extensive vishing attacks.
SMA’s features include OTP extraction, global calls in multiple languages, personalization, anonymous calls and Bot template creation, all of which strongly suggest their involvement in vishing attacks. Bablu Kumar, Cyber Intelligence Analyst at CloudSEK, shed light on the situation, stating that using service features like Fast SMA, Stream SMA and Transfere SMA, vishers can further craft highly convincing vishing calls.