A security staffer at one targeted organization who asked that WIRED not use his name or identify his employer described a more wholesale approach: At least three callers appeared to be working their way through the company directory, trying hundreds of employees over just a 24-hour period. The organization wasn’t breached, the staffer said, thanks to a warning that the company had received from another target of the same hacking campaign and passed on to its staff prior to the hacking attempts. “They just keep trying. It’s a numbers game,” he says. “If we hadn’t had a day or two’s notice, it could have been a different story.”
Phone-based phishing is hardly a new practice for hackers. But until recently, investigators like Allen and Nixon say, the attacks have focused on phone carriers, largely in service of so-called “SIM swap” attacks in which a hacker would convince a telecom employee to transfer a victim’s phone service to a SIM card in their possession. They’d use that phone number to intercept two-factor authentication codes, or as a starting point to reset the passwords to cryptocurrency exchange accounts.
The Twitter hack’s use of those same phone-based social engineering methods shows how those phishers have expanded their target lists beyond telcos, says Unit 221b’s Nixon. She posits that while this might be due to phone carriers hardening their defenses against SIM swaps, it’s more likely spurred by companies becoming newly vulnerable during the Covid-19 pandemic. With so many firms hastily shifting to remote work, she says, phone-based social engineering has become far more powerful.
The same hackers who honed their skills against telecoms have found other industries that are less well prepared for their tricks, Nixon says. “All of a sudden you’ve got these people that are highly trained, highly effective, efficient, and organized, suddenly hitting a bunch of soft targets,” she says. “And that’s probably a big reason why there’s such a problem right now.”
Despite the apparent youth of the hackers involved, Nixon says the ongoing attacks seem well coordinated, with multiple collaborators working together and hiring independent hackers offering specialized services from reconnaissance to voice acting. “Need someone that has experience with social engineering over call, great pay,” wrote one OGUser forum member in March named “biggas,” as captured in a collection of OGUser messages leaked on Telegram in April. “Looking for a social engineering god that is from USA and has a clear & normal adult voice. No little kids,” the same user wrote back in November.
In their social engineering calls with victims—including in one recorded call reviewed by WIRED—the hackers typically use a VoIP service that allows them to spoof their phone number. They attempt to establish trust with the victim by referencing seemingly private data such as the victim’s role at the company, their start date, or the names of their coworkers. In some cases, they’ll even ask the victim to confirm that they’re a “real” IT person, suggesting they look up their spoofed identity in the company’s directory or its collaboration software. When the victim seems convinced, they ask them to navigate to a fake login page address—usually for a single sign-on portal like Duo or Okta—and enter their credentials.
Another member of the hacking group immediately obtains those details and enters them into the real login page. The real login page then prompts the victim to enter their two-factor authentication code. When the user is fooled into typing that code into the fake site, it’s also relayed to the second hacker, who enters it into the real login page, allowing them to fully take over the account. The hackers’ phishing site that allows that spoofing, unlike the kind usually linked in a phishing email, is usually created only for that specific phone call and is taken down immediately after the hackers steal the victim’s credentials. The vanishing website and the lack of email evidence make this sort of phone-based engineering often harder to detect than traditional phishing.