From Bytes to Bait: Navigating Phishing, Smishing, and Vishing with Sama Manchanda
Sama Manchanda: I stumbled into cybersecurity by accident. I actually switched majors six times in college and happened to find a class that was an intro to cybersecurity class. It was an elective called From Hackers to CEOs, Intro to Information Security. And I was like, ooh, that sounds fun. I took the two-unit elective and the rest is history. I absolutely fell in love with it and that completely changed the trajectory of my life.
David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence, insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants, dedicated to safeguarding our digital world. [ Music ] I'm your host David Moulton, director of Thought Leadership for Unit 42. In today's episode, I'm going to talk with Sama Manchanda. Sama is a consultant at Unit 42. She's hyper competitive in the videogame Just Dance and will take on anyone with the song Rasputin. Sama, where are you recording from today?
Sama Manchanda: I am recording from Austin, Texas.
David Moulton: When you and I were thinking about the show, you pitched me on this idea of the ish tales -- the smishing, the vishing, the phishing, and that dual view on social engineering. But help me understand what's going on with those different ishings.
Sama Manchanda: All three of them are different types of social engineering attacks. Phishing being the most common is related to email or usually targeting users to click on a link of some kind. Smishing is similar, just uses texting or SMS instead. And then vishing is over the phone usually. It involves some level of talking to another person and trying to do some actual like interaction with them to gain access or gain information of some kind.
David Moulton: From an offensive security perspective, what strategies or techniques do attackers often employ to make their social engineering attacks more successful?
Sama Manchanda: Some of the tactics that make a lot of these attackers more successful are like more thorough research and the more tailored approach to the environment. So those nitty-gritty details of figuring out exactly what process or what system is in place can help establish that trust, establish that rapport, with the end-user and make them think that this is more believable, or this isn't something of high concern. For example, with phishing, knowing exactly the type of email provider that they're using or VPN provider or something like that and having somebody reset their credentials. If they see like the right logo, if they see the right tool or whatever, they're more likely to fall for that attack and enter their credentials. Versus, you know, if I'm a Microsoft 365 user and, you know, this is a phishing email for Gmail, they're more likely to immediately off the bat recognize something is off. Through phishing, the fact that you know about employees to sort of convince a help desk employee that you are in fact this other employee. And you can say like, oh, okay, I know I'm supposed to have this running on my system, or, you know, I know that Cortex XDR is running on my system, for example, that establishes some level of trust with the help desk person that, oh, okay, this person's actually looking at their laptop and like actually is running, you know, tools that they're supposed to be.
David Moulton: As you were saying this, one of the things that has stuck out to me when I've got a phishing email that tells me that my Windows machine has been infected, I always chuckle to myself, because I only use a little iPad as my personal device. Could you share some insights on the DFIR side, the digital forensics and incident response, how social engineering attacks like phishing are used as attack vectors in larger networks and intrusion cases?
Sama Manchanda: So we very commonly see things like phishing, vishing, smishing, and mainly we see them as like an initial intrusion vector. And we also sometimes see it as a way for them to move laterally or move around and try and basically spread themselves further in an environment. In the cases of phishing and smishing, we've seen a bunch of large engagements where attackers have done their due diligence with reconnaissance and targeted large numbers of employees with emails or texts, directing them to click malicious links and enter their credentials. On the vishing side, we've seen engagements where attackers have targeted IT support staff and are able to either gain access to user accounts by impersonating users and saying, hey, I need help with my password, can you reset it -- we've seen cases where the attackers are actually able to trick the IT support staff into granting them access as well. And those are really dangerous.
David Moulton: Help the listener understand what is the most important thing that they should be taking away from this conversation.
Sama Manchanda: So continuously training and educating people to be aware and to be alert and to just question, you know, when things aren't quite right is the biggest thing, I think. The sad truth of security is that end-users like people like you and me are the most vulnerable part of any company, and that includes people -- again, even with a lot of training, people still make mistakes. Having a culture where employees feel safe to raise those questions and self-report is I think just as important as having the training in place. If somebody's afraid to report that they have made a mistake or something doesn't seem right, all that creates more time in which an attacker has unfettered access to the environment.
David Moulton: So it sounds like if you're trying to put together a security culture in your organization, find a way to give people the confidence that when they have made a mistake or think they've made a mistake, that it isn't retaliation or punishment.
Sama Manchanda: Yeah, absolutely. [ Music ]
David Moulton: Sama, thanks for joining me today on Threat Vector to share your tales of ishing. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.