Vishing Villains and Voter Vigilance
Sama Manchanda: There are three main parts to a phishing attack. There's the bait, the hook, and the catch, the bait being the preparation, the juicy bait that someone falls for. With the hook, the attacker has got the information that they need to get the attention of the user, and then get them to do something, and this is the catch part. Whether it's performing an action, clicking the link, something like that. Once the user has actually clicked and fallen for the hook, that's when the actual attack happens. The bait, the hook, the catch. [ Music ]
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats, cyber-resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In today's episode, we'll discuss the evolving landscape of social engineering attacks, particularly focusing on vishing and smishing. As we approach the election season, the relevance of these threats has never been higher. We'll discuss how these techniques have adapted and grown more sophisticated over time, the psychological tactics behind them, and the specific challenges they pose to both individuals and the integrity of the democratic process. Joining us once again is Sama Manchanda, a seasoned expert in cybersecurity from Unit 42. Sama will shed light on the latest trends and provide insights into how to protect yourself and your organization from these insidious threats. Here's our conversation. [ Music ] Sama Manchanda, welcome back to Threat Vector. It's been a while since you've joined us on the pod, and we're back today to talk about vishing, smishing, kind of an update to our original smish tales, especially as we're looking at the election season coming up.
Sama Manchanda: Glad to be back, and it's - thank you for having me back. Always excited to talk about social engineering, you know, the vishing, phishing, smishing.
David Moulton: Sama, before we jump into that, and I want to say, are you still working on your guitar skills? The last time we spoke, you were learning to shred.
Sama Manchanda: Yeah, I'm still - still learning to shred. I wouldn't say I'm quite - quite there yet, but we're - we're working on it.
David Moulton: What else you got going on? What's new this summer?
Sama Manchanda: Other than that, living out my - my dream rockstar fantasy in my head. I've been playing a ton of tennis, outside in the hot sun, which is a choice, I suppose.
David Moulton: Oh, not - not the pickleball, but the actual tennis.
Sama Manchanda: Yeah, the - the real sport.
David Moulton: That's awesome. Getting out there and getting some sun, playing a little bit of tennis, rocking the guitar. Sama, you live - you live the life. Let's get into this conversation. We were talking about elections, and vishing, and some of the dangers that are lurking on your phone, and maybe we start out with this idea of, what is smishing, and how does it differ from maybe traditional phishing or even vishing?
Sama Manchanda: Yeah. So smishing in general is the SMS form or, you know, message form of phishing, and we've talked about phishing before. Phishing really is a social engineering scam, where an attacker usually convinces or deceives people into revealing some kind of sensitive information or doing something that they weren't, you know, intending to do. Some can be installing malware, it could be getting them to enter credentials, all that kind of good stuff. But very similar to phishing, again, is smishing, where usually phishing we see on an email platform usually of some kind. Smishing is pretty similar, usually it just comes in the form of a text message instead.
David Moulton: Got it. So a pressure campaign get you to - tricked into doing something that you didn't intend to do.
Sama Manchanda: Uh huh.
David Moulton: And with - with smishing, I would wonder if the rise of mobile devices and usage of mobile devices has really influenced an increase in smishing attacks?
Sama Manchanda: Absolutely. We're seeing, you know, every single person, you know, whether you're a kid to, you know, an adult that's working to, you know, someone's, you know, your grandparents, everyone's got a phone in their hand. It's a smartphone, and you've got the ability to, you know, navigate the internet, you know, click on things. The world is your oyster with that phone, right? Because everybody has, you know, a device that's capable of doing these things, and we're so desensitized, also, to things like, you know, clicking a link or, you know, hitting a button, especially on a phone, it's so much more, I think - that's - especially, you know, as we advance as a society, that really influences an increase in smishing attacks because yeah, where people are not paying attention, people are, I think, there is a lot more awareness around phishing per se, you know, with clicking emails. It's something that we've all sort of heard, that like, oh, you know, spam emails or things like that. We've become a little bit more used to hearing about those, but smishing and vishing generally, people don't talk about them as much, even though they're pretty similar, obviously.
David Moulton: Yeah, as you're talking about it, one of the things that comes to mind for me is my phone feels really personal, right? It's the - it's the computer in my pocket.
Sama Manchanda: Uh huh.
David Moulton: It's always there, and there's a layer of protection inside of email. There's a - a lot of filters, the ability to hover on the link before you click on it, all those things that security awareness training.
Sama Manchanda: Right, yeah.
David Moulton: Has embedded or ingrained in us as a behavior. But on the phone it's a little harder, right? You can't really hover, right?
Sama Manchanda: Uh huh.
David Moulton: You can't look at the link in the same way. Let me ask this, something I've been curious about, is there a variance in smishing by region?
Sama Manchanda: Yeah, to some extent. I think it just - I think one of the big variances is mostly the - I guess the platform upon which maybe the smishing comes in. I think in the - here in the U.S., obviously there's a lot of built-in SMS and iMessage. We get a lot of text messages in general with a lot of this information. I think with a lot of other countries, I think a lot of other countries heavily depend on third party messaging apps sometimes, so things like WhatsApp, and so a lot of the trends remain the same, but it's just that they're using perhaps a different platform.
David Moulton: Okay.
Sama Manchanda: But by and large, again, tactics, their goals, methods, most of those remain the same.
David Moulton: Okay, so like the - the basics of social engineering are platform-independent, but then you might have a delivery message that's in Apples Messages or over SMS. Maybe that's a problem in the U.S.
Sama Manchanda: Right.
David Moulton: WhatsApp may be something that.
Sama Manchanda: Yeah.
David Moulton: You know, listeners would look at anywhere in the world, but particularly outside the U.S. and say, okay, same training, same sort of thoughtfulness. Slow down, don't click that. Sama, can you walk us through the typical phishing attack and its objectives real quick?
Sama Manchanda: So, there are three main parts to a phishing attack. There's the bait, the hook, and the catch. So the bait being the preparation and, you know, the juicy bait that someone falls for. Whether it's, you know, the attacker doing their research properly and kind of figuring out what to target a user with. Again, the better the bait, the more likely a user is to actually get hooked then, which is the next phase. And with the hook, that's - the attacker has got the information that they need to, you know, get the attention of the user, and then essentially get them to do something. And this is - that's the catch part, whether it's, you know, performing an action, clicking a link, something like that. And once the - once the user has actually sort of clicked and fallen for the - fallen for the hook, that's when the - the catch sort of happens, and the actual attack happens. Whether it's entering credentials, downloading malware onto a system, that's kind of like when the user actually kind of gets compromised at that point. So the bait, the hook, the catch. That's the.
David Moulton: Perfect.
Sama Manchanda: How I would describe phishing, yeah.
David Moulton: Yeah, and it's bait, hook, and catch, and I think that gives us, like, three points in that attack where you could protect yourself, but it's easy to really see the cascade, like once you're - once you're baited and hooked, you're - you're in some trouble. How sophisticated are phishing attacks becoming in terms of mimicking legitimate sources?
Sama Manchanda: So you see - you see a whole range of, I think, sophistication. You have the very easy, low-hanging, just mimicking a normal, like, login page type of thing. Those are - those are fairly simple. You also get the very - the very complex, with all the recon sort of built in. And it - it just - it depends on a lot of things. I think it depends, A, on the - the attacker, certainly, what their motives are, what their intention is. And it also depends on the victim that they've chosen. If the attacker's motive is perhaps something financial, and they're just kind of trying to, what we call spray and pray, where they're basically just trying to get anybody to fall for their attack, their attack may not be as sophisticated because their goal is to just try it against as many, you know, people or organizations as possible. We also do see the opposite side of the spectrum too, where attackers want either a specific piece of information or they're going after maybe like an important person or an important organization. So in that situation, they're bound to be a lot more careful in their beginning stages of their attack, during their - you know, when they're crafting their bait. They're going to try and make it more attractive because it's higher stakes for them. They want to put in more effort, they want to put in more research, and they want to, you know, make it look more real, and there are a lot of tools that, you know, they can use to do this. So, again, lots of different open source information that they can use to find out information about people, organizations, things like that, from anything from social media to just things that are posted online, to then also we've even seen things like, you know, using AI also to help with making things look more believable, and, you know, making it seem like, oh, this is something legitimate. That's one thing that AI has done, I think, across the board, which is really interesting, is it's let - it's lowered the - the barrier for entry, I'd like to - as I like to call it, for an attacker, where they're - they're able to do - or they're able to make an attack look more real. They're able to sort of make it more believable.
David Moulton: Right.
Sama Manchanda: Than they would have maybe without the AI. [ Music ]
David Moulton: A conversation that I was having with Michael Sikorski back in February, he had the same realization. Bad spelling errors, bad language barriers are all lowered in an era where AI is one of the tools that an attacker can use. We had a hypothesis at the time that vulnerabilities would fall from its number one attack vector in our report to be replaced by, you know, phishing again. And we'll see if that's true. It seems like it is. How do psychological tactics play into manipulating a recipient for a phishing attack?
Sama Manchanda: That's one of the main reason it's so successful, is again, it preys upon the weaknesses of people, and just in general, there's a lot of common tactics that we see across the board. So things like scare tactics or, you know, creating a sense of urgency hones in on the user's fear of something happening that's not supposed to happen, like oh, this is super urgent, somebody needs something, and you know, I don't want to get in trouble because of this. It could also be, again, just playing into, you know, someone not noticing that something is off or different.
David Moulton: Right.
Sama Manchanda: Because maybe they're in a rush. That's one of those things where smishing, I think, is particularly successful, where it's again, like, you're on your phone, and like we mentioned earlier, it's not - it's a lot harder sometimes when you're on a phone to be thinking about, like, oh, maybe I should hover over this link and really think about where it's going. On an email, it's much easier to do that. So you're just like, oh, I'm in the middle of doing something, and this came up, and I just was distracted. So - and I think, yeah, and again, attackers, they're really good at their job also, at the end of the day. This is what they specialize in. So they - they've got a good handle on using people's weaknesses against them. That's the entire premise of social engineering, is finding different things that, you know, people will fall for and what ultimately is successful enough for them to get their foot in the door.
David Moulton: In what ways do vishing attacks exploit voice communication, and what makes those particular dangerous?
Sama Manchanda: So with phishing, similar to smishing, like we said, it's really hard to verify on a phone what is necessarily authentic and what may not be. And there are a lot of new technologies out there that are helping attackers to make their voices sound maybe like what somebody else sounds like. And so that - and that's really the only sort of check that a person might have over the phone. If I'm talking to somebody that I know what their voice sounds like usually, right?
David Moulton: Sure.
Sama Manchanda: But again, with this technology, it's really easy for me to pretend that, like, oh, I am somebody else and I'm calling, and I sound like the person that - that they're supposed to be talking to. So automatically, like, you know, they're - they're -- like, they're not automatically on edge, or they're not automatically, like, aware that something is off.
David Moulton: Right.
Sama Manchanda: So that's definitely, like, that - that really makes it harder, especially for users to even realize sometimes that, you know, vishing is at play.
David Moulton: So if you're getting a call and you think to yourself, the voice sounds authentic but maybe a little off, the conversation is different, the - the language that somebody's using, the specific words that they're using, those things are off, you should probably listen to your gut and say, let me call you back, or verify that this is actually the person. Maybe use a different communication method. I know that when I was talking with Billy Hewett and Tony Huynh on Episode 20 about deep fakes and adversarial AI, they got into how difficult it is to upgrade the human defenses. Right, we have our - our hearing, we have our - our sight, you know, and we don't have a patch that - that we can put on those to make them even stronger, and we don't necessarily have a technology that we can put between our eardrum and the phone when somebody calls us and says hey, it's Dave, and you say, yeah, that sounds like Dave. So this is a particularly tricky one, I think, for people to defend against. But again, I think, Sama, that you'd go back to that same thing around slowing down, verifying, maybe being a little bit more cautious or suspicious, especially if something feels just a little off, slow down, take a moment, take a breath.
Sama Manchanda: Right, yeah.
David Moulton: And don't hand over information, don't hand over your credentials, don't send that money right away. Those sorts of things seem like that's been the advice here. So let's get into some of the impacts on the election season. Right, we're - we're right in the middle of the summer here, and I'm wondering, why does smishing, vishing, and phishing attacks spike right now, during election season?
Sama Manchanda: So, with elections in general, again, people are more likely to be getting information from, like, legitimate campaigns as well. People who are campaigning are trying to get their message out. They're trying to, you know, get donations from voters. They're trying to, you know, interact with their audience, certainly, at this time. This is - this is the peak time for that. And I think that's, again, that's what makes it really easy for attackers to sort of step in at this time as well.
David Moulton: Yeah.
Sama Manchanda: Because users are already used to, like, you know, the volume of texts that are coming in, or calls that are related to campaigns, donations, things of that nature, or you know, collecting information. And they may just not really when it's a legitimate source versus somebody who might be masquerading as - as, you know, as a legitimate source.
David Moulton: How do attackers leverage current events and misinformation to enhance the effectiveness of their attacks?
Sama Manchanda: That's, I think - that's, again, that's one of the ways that they stay relevant. They use information that's going on to help them build credibility, and come across as a legitimate source, rather than just, again, trying to go straight for the information. That's part of, like, their bait, is saying, like -- for example, like, there's a hurricane that's coming in, right? And they, you know, they can use that as, like, a - oh, okay, like, whether as an attacker they're spreading misinformation or they're, you know, trying to get the user to do something, and like, donate money or, like, put their money somewhere type of thing. Using something that's, like, a current event, again, that just really lowers the - people are used to that. People are used to.
David Moulton: Yeah.
Sama Manchanda: You know, elected officials, people are campaigning, using events like this to sort of - to further their own goal. Whether that is spreading information of some kind, or influencing the voter in some way about, maybe, a person, a candidate, or about the process in general, or also - it could also be, again, masquerading to get a donation. This is, again, a very popular time for campaigns to be soliciting donations and reaching out to all, you know, people from everywhere. So they're just not as, maybe, aware that, again, attackers are also doing the same thing, and they're just - they're hoping that a person doesn't notice, essentially.
David Moulton: Yeah.
Sama Manchanda: That they're maybe putting their money somewhere where they're not supposed to be, or they're sharing information with a source that they shouldn't be. [ Music ]
David Moulton: So it sounds like big events, elections, tax season, Black Friday, those types of things. There's a hurricane coming in off the coast, there's a fire burning, and we need donations, we need help.
Sama Manchanda: Uh huh.
David Moulton: You can disguise your phishing campaign or your social engineering campaign inside the noise and the communications that are already occurring from legitimate sources, and the victims, the targets have a lowered level of suspiciousness and/or a - a heightened willingness to engage, to send information.
Sama Manchanda: Right.
David Moulton: Money, those sorts of things.
Sama Manchanda: Right.
David Moulton: And that makes them just primed for a successful social engineering campaign.
Sama Manchanda: Absolutely.
David Moulton: So let's move on. What unique risks do these cyber threats pose to the integrity of elections and voter confidence?
Sama Manchanda: A successful phishing attack could undermine the whole process, from the voter's faith in a candidate or an elected official, to the whole system in general. And so, one of the interesting things there is, I mean, with a phishing attack, it depends on the attacker's goals, right? They could be doing anything from just spreading misinformation about, maybe, a candidate who's campaigning, to also, you know, trying to influence the voter in some way. So that's definitely a big, you know, a big threat and a big part of the integrity of the process. The other thing is also, again, the attackers are known to target the actual election infrastructure, as well, that we have, whether it's, you know, the government entities that sort of are in charge of collecting votes, that kind of thing as well.
David Moulton: Can you talk about some high-profile smishing, vishing, phishing attacks related to elections?
Sama Manchanda: So one of the more recent ones that I think I've - I heard of was, back in March, the UK actually recently disclosed that Towering Torus, which is also known as APT31, they're a Chinese threat actor group, they almost certainly conducted reconnaissance against email accounts of UK parliamentarians during the 2021 election. So the UK actually announced that there were also some unspecified threat actors that compromised the electoral commission of the UK from 2021 to 2022, and were likely exfiltrating electoral register and email data. And so, there was also reports of phishing targeting journalists, and that's kind of how - especially journalists who were, you know, focused specifically on politics and national security, that kind of stuff. And that's kind of how they were able to sort of get their foothold in. And this particular threat actor group, Towering Torus, they - they're known for doing or conducting espionage operations against political officials, activists, things of that nature. They're publicly attributed to the Chinese Ministry of State Security as well. So we've seen, actually, back in 2020 also, there are reports that this particular threat actor group did target President Biden's campaign, and targeted election campaign staff from both parties in 2020. So definitely a group that's done this before, they've done it historically. Again, it's - it's a very, very common, you know, trend that there are these groups that are out there doing these kinds of things, and likely that they will continue to do so in the future, both in U.S. elections as well as elections going on in other countries.
David Moulton: So Sama, thinking about U.S. elections, I'm curious how what happens here in the states influences the global landscape when it comes to elections, and how smishing, vishing, and - and phishing, these social engineering campaigns, are defended against or thought about?
Sama Manchanda: Globally speaking, there's a lot of attention every time there is a U.S. election. It kind of comes with the territory of being a, you know, a hegemon and kind of being a global leader. So there's a lot of other countries that are invested in how our election turns out. What we see, a lot of times, in the U.S. elections again, like - like I mentioned with this - with this past incident, with Towering Torus, again, targeting UK elections, it's the same group that did it with the U.S. elections. So we a lot of times with the trends that we see in the U.S. elections, we then see them - we see a lot of these similar trends of, like, attacks being conducted, or reconnaissance and phishing, things like that. We see that in other countries as well.
David Moulton: Of course. So how can voters and the general public protect themselves from these type of attacks, especially during the election season?
Sama Manchanda: One of the big, big takeaways, with - always with phishing and social engineering of any kind, is just generally being aware and being careful. If you ever have a doubt, you're not 100% sure of the source of something, and it's - it - and again, it's hard. It's hard, especially, you know, when our instinct is, you're surrounded by links being sent to use 24-7, like click this, do that, this will take you here. Put your payment information there. And it's - it's - sometimes it's hard to fight that instinct. But generally speaking, if - if - especially when it's coming to, you know, election or information, again, regard it with a sense of caution. Always do a double check or do a - you know, do your research ahead, like, if you can. Go to the source yourself. Don't rely on a source to come to you.
David Moulton: That's great advice. So what are some things that people should do if they feel like they've been targeted by one of these attacks?
Sama Manchanda: So there are a lot of reporting measures in place. If it's financial of any kind, you can report sources, and you can say something doesn't look right. Definitely do that as well if it's on a corporate system or something like that. Raise a flag to somebody that, you know, within your company. Again, if not, this is not something to be ashamed of. Obviously, I know it's - it's not a great feeling if you ever do find that you - you do fall victim to something like this, but again, the faster that you act on it, the fact that you say something is wrong, something looks wrong here, the better chance it is that somebody else down the line, you know, is saved from making the same mistake.
David Moulton: Sure, yeah.
Sama Manchanda: So, no shame in the game of saying, something looks weird, let me report this.
David Moulton: Absolutely. So looking ahead, what predictions do you have, or do you have any emerging trends that you foresee in the evolution of cyberthreats targeting elections?
Sama Manchanda: I think, you know, we're seeing this become more and more common. This is becoming a big topic every single election season, both in our general elections, our midterm elections, local elections, everything. And the fact that, you know, this is becoming more and more common, and more and more prevalent, I don't think it's going to stop anytime soon. This is where we see things happening here in the U.S., we tend to see the same patterns in other countries as well. It's especially important to educate people that, again, to just be aware. Knowing that these threats are out there, knowing that maybe everything that you see on the internet isn't always true, and not taking everything at face value, I think those are lessons that go a long way. Being a little bit skeptical, maybe, but not too skeptical.
David Moulton: Sure.
Sama Manchanda: Is usually a good - usually a good practice.
David Moulton: Sama, what's the most important lesson a listener should take away from our conversation today?
Sama Manchanda: My - my big takeaway is, if you're not sure, don't click it. [ Music ]
David Moulton: Sama, thanks for coming back on Threat Vector today. As always, it's a pleasure to talk to you. Hope the tennis game continues to be fun over the summer, and I know our listeners are, like me, really interested in this topic, and grateful that an expert like you would share your - your insights and opinions on - on this super important topic.
Sama Manchanda: No, thank you so much for having me. It's always a pleasure chatting with you. [ Music ]
David Moulton: As we wrap up today's episode of Threat Vector, I find myself reflecting on the important points Sama Manchanda and I discussed. Smishing, phishing, and vishing are growing more sophisticated and taking advantage of our reliance on our mobile devices and voice communication. Our phones have become extensions of ourselves, and with that, the lines between personal and professional communication blur. This makes it easier for attackers to exploit our trust and familiarity with these devices. The psychological tactics used in these attacks are another crucial point. By creating a sense of urgency or fear, attackers manipulate our natural responses, compelling us to act quickly, without fully considering the consequences. This is the essence of social engineering, exploiting human psychology to bypass technical defenses. The election season adds another layer of complexity. Campaigns have been ramping up their outreach and flooding our inboxes. This increased volume of legitimate communication provides the perfect cover for attacks. The urgency and importance of election-related information makes us less likely to scrutinize these messages, making it even easier for attackers to succeed. And it's not just the election season that's drawing our attention. Supreme Court rulings, events like hurricanes are all legitimate reasons that we might receive emails or text messages. However, these same newsworthy events can disguise malicious attacks. It's a sobering thought that something as routine as opening a link in a message about a campaign event or a weather alert could lead to a security breach. So, how do we protect ourselves? It comes down to vigilance and verification. Always take a moment to double check the source of any communication, especially when it feels urgent or unexpected. Verify the sender's information, and when in doubt, don't click the link. [ Music ] That's it for Threat Vector today. Thank you for joining, and stay tuned for more episodes. If you like what you heard, please subscribe wherever you listen to your podcasts, and leave us a review on Apple Podcast or Spotify. Your reviews and feedback really do help us understand what you want to hear about. I want to thank our executive producer, Michael Heller. I edit the show, and Elliott Peltzman mixes the audio. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]