Exploiting VoIP for Scam Campaigns: Insights from Cisco Talos
TL;DR
Cisco Talos has revealed that attackers increasingly exploit Voice over Internet Protocol (VoIP) phone numbers within scam emails as an indicator of compromise. The use of VoIP facilitates high-volume and low-cost scams that are challenging to trace, with phone numbers often recycled across various deceptive campaigns.
Main Analysis
Cisco Talos has expanded its threat intelligence framework to include phone numbers as a critical indicator of compromise in scams, particularly focusing on VoIP numbers. The research indicates that the simplicity of acquiring VoIP numbers through API-driven provisioning has made them the tool of choice for attackers. This infrastructure allows scammers to execute high-volume campaigns, often employing sequential blocks of numbers that rotate to maintain operational continuity. The typical lifespan of these VoIP numbers is about 14 days, effectively allowing actors to bypass reputation-based security measures.
The analysis highlights that threat actors maximize their outreach by reusing phone numbers across various contexts and associated lures, which may include different subject lines or file attachment formats like HEIC and PDF. This strategic overlap not only allows them to project multiple identities but also helps establish a misleading sense of legitimacy to potential victims.
Researchers can unveil the underlying infrastructure of these scam operations by focusing on phone numbers rather than just email addresses. By utilizing clustering techniques that connect these seemingly disparate campaigns centered around shared phone numbers, defenders can significantly enhance their understanding of how organized scam operations function.
Defensive Context
Organizations tasked with monitoring phishing and scam activities should prioritize tracking phone numbers used in these campaigns. Businesses within sectors frequently targeted by such scams should particularly focus on this intelligence. VoIP numbers are particularly relevant to industries operating in customer service or finance, where impersonation can lead to significant breaches of trust and financial loss. Organizations not directly interfacing with customers or lacking an online presence may find this information less pertinent, as they represent lower-risk targets for such scams.
Why This Matters
The rise of VoIP in scam campaigns represents a tangible risk to organizations reliant on telecommunication for customer interaction. The ability to obscure the origins of calls and messages complicates the identification of malicious actors, increasing the likelihood of successful scams against unsuspecting individuals.
Defender Considerations
Defenders should actively monitor VoIP numbers associated with known scams and consider developing centralized databases tracking high-risk phone numbers. Enhanced analytics that can correlate these numbers across different campaigns can further strengthen defensive strategies without relying solely on traditional email metrics.
Indicators of Compromise (IOCs)
Although specific phone numbers were not provided in the study, Talos identified 1,652 unique phone numbers within their analysis period. Attackers reused approximately 3.4% of these numbers within a span of consecutive days, indicating the operational tactics employed.
