Armorblox is now part of Cisco

Threat Research | 11 min read

Hello From The Bother Side: Tech Support Vishing Attacks


Lauryn Cash
Lauryn Cash

This blog highlights two vishing (voice phishing) attacks impersonating Geek Squad and Norton. The emails attempted to steal credit card details by including phone numbers to call for processing returns to fake subscriptions.

Over the past year, we have observed a consistent rise in vishing (voice phishing) attacks, particularly those that replicate existing email workflows. When the world was in lockdown, many of our daily processes happened over email and phone rather than in person - such as speaking to an accountant, tech support representative, tax specialist, and even doctor. The FBI 2020 Internet Crime Report highlighted over 15,000 tech support fraud complaints received in 2020, with losses increasing 171 percent over 2019.

In today’s Blox Tale, we will look at two billing / tech support vishing attacks - one from Geek Squad and the other from Norton AntiVirus. Both attacks attempted to steal victims’ credit card details by sending fake order receipts and including phone numbers to call for processing order returns.

Before we go through the attacks in greater detail, a brief description of vishing for the uninitiated: vishing (or voice phishing) is a type of scam where malicious actors steal personal information from victims over the phone or by leaving fraudulent voice messages. Armorblox recently reported on an Amazon vishing attack that you can read here.

Now let’s focus on the attacks at hand:


Org mailboxes: ~25,000

Email security bypassed: Exchange Online Protection (EOP), Proofpoint

Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email), using a Gmail address

Both email attacks bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to both emails. This means the emails skipped spam filtering because Microsoft determined they were from a safe sender, to a safe recipient, or were from an email source server on the IP Allow list.

1. Geek Squad Vishing Attack

This attack impersonated Geek Squad, the services subsidiary of Best Buy, to steal victims’ credit card details. The email was sent from a Gmail account and was titled ‘Order Confirmation’, carefully treading the line between vagueness and urgency-inducing specificity. The email contained HTML stylings similar to genuine emails sent from Geek Squad, and included a renewal confirmation for an annual protection service.

Instead of including any links, the only call to action in the email was a phone number of the ‘Billing Department’ that the victims could call to process order returns.

A snapshot of the email is given below:

Geek Squad vishing email Fig: Email impersonating Geek Squad sharing a subscription renewal confirmation

The Armorblox research team called this number from a disposable Google Voice number, and were met with an endless ringtone at first. A few hours later, the number seemed to have been taken down.

Geek Squad vishing email 2 Fig:  The Geek Squad email includes a phone number to call for processing order returns

2. Norton Vishing Attack

This attack impersonated communications from Norton AntiVirus to steal victims’ credit card details. Like the Geek Squad email, this one was also sent from a Gmail account and had the same curiosity-inducing title: Order Confirmation. This email didn’t have any HTML stylings and was more plain-text compared to the Geek Squad email.

Just like with the other vishing email, this email also did not contain any links or other conventional payloads. The only payload was a phone number included in the mail body, inviting victims to call the number if they wanted to cancel their subscription.

A snapshot of the email is given below:

Norton vishing email Fig: Vishing email impersonating a Norton AntiVirus order confirmation

Near the top of the email, notice the ‘N0RT0N PR0TECTI0N’ with zeros instead of the letter O. This is a simple but effective technique used by attackers to slip past any deterministic filters or blocklists that check for brand names being impersonated.

Calling the number listed on this email was also met with a now deactivated number, like the first vishing attack. It’s important to note that the technique here matters as much as (if not more than) the outcome. If the number here was taken down, it’s very easy for the attackers to stand up another number and repeat the attack flow, because they know the email is getting past traditional email security controls.

Recap of techniques used

These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users.

  • Social engineering: The email titles, sender names, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the emails claimed to come from legitimate companies, and a sense of urgency because they contained information on expensive software or service subscriptions that the victims hadn’t made, and thus would be eager to reverse.Both emails included the victims’ email addresses in the mail body as well, further adding to the legitimacy of the conversation.
  • Brand impersonation: The Geek Squad vishing email is replete with company branding and follows a structure similar to real order confirmation emails from Geek Squad.
  • No URLs or conventional payloads: Both emails didn’t include any links or other conventional calls to action, which enabled them to bypass any detection controls that block known bad links. Including phone numbers as the payload is effective because a phone number is not an IOC that the security community tracks in a structured, shareable manner right now (and might never be, due to the fungibility of phone numbers, random numbers generated through Google Voice, etc.).
  • Replicating existing workflows: The context for both email attacks replicates workflows that already exist in our daily lives (ordering subscriptions and services online). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
  • Using Gmail address: Both emails were sent from a Gmail address, allowing them to successfully pass email authentication checks. Attackers regularly bypass email authentication controls by sending malicious emails from Gmail, Yahoo, and Hotmail accounts.

Guidance and Recommendations

1. Augment native email security with additional controls

Both emails highlighted in this blog got past Microsoft’s Exchange Online Protection (EOP), with an assigned Spam Confidence Level (SCL) of -1. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or vishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is Geek Squad sending an email to my work account, why are none of the CTA buttons in the email working, etc.).

3. Be wary of sharing any sensitive information over the phone

Be very suspicious of any caller who asks for your PII or other sensitive information over the phone. If you suspect the call you’re on is a potential vishing conversation, immediately hang up and don’t feel obliged to carry on speaking or replying to questions out of politeness. If the caller provides a call-back number, avoid calling that number and instead search for a publicly available number of the company (in this case, Geek Squad and Norton respectively) and call that number.

4. Follow MFA and password management best practices

Although we didn’t observe the entire vishing flow for these attacks, vishing call scripts often include attempts to extract victims’ account credentials in addition to their credit card details.

If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use a password management software to store your account passwords.
  • Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
  • Don’t repeat passwords across accounts or use generic passwords such as ‘password123’, ‘YourName123’ etc.

For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below.

Join Mailing List

Experience the Armorblox Difference

Get a Demo