Adversarial testing to simulate fraud

Voice phishing, or “vishing” (i.e. telephonic social engineering), is an attack tactic which recently drew big headlines owing to its prominence in the ranswomare incident that impacted major entities in the second half of 2023. Vishing often sees cybercriminals gain access to target systems by impersonating an employee found on LinkedIn and other online platforms, and then convincing the target company’s IT support services to reset the employee’s password and/or associated MFA tokens to perform account takeovers against the users in single sign-on (SSO) environments. After gaining internal access to the target company’s applications and/or network via vishing, attackers will often seek to leverage publicly available, legitimate remote access tunneling tools to enable nefarious remote control of impacted systems. Once full control is achieved, these actors will leverage their access and the data they’ve retrieved to commit fraudulent activities.

Threat actors go to great lengths to conceal their identities during a vishing attack; examples include:

• Spoofing caller ID and/or using a disposable VoIP phone number within the area code of the target end user
• Using voice-to-text synthesizers to mask the attacker’s true voice
• Lerveraging stolen PII obtained from Darknet marketplaces to garner trust
• Using retrieval-based voice conversion (RVC) AI models to clone and produce “deepfake” voices in near real-time

A medical institution operates multiple web applications that customers utilize for various purposes, including scheduling appointments, refilling prescriptions, accessing lab results, and entering medical history and personal information. An attacker identifies several vulnerabilities within these web applications. Although these vulnerabilities are not critical individually, they can collectively result in the leakage of small portions of customer information.

In past breaches, an attacker identifies vulnerabilities such as the ability to enumerate valid usernames in one application, obtaining phone numbers and email addresses through a leak in another application, and capturing mailing addresses from yet another application. After extensive exploration, the attacker discovers a web application that facilitates password resets via security questions. Alarmingly, this application only requires a valid username, email address, and the corresponding security question answers.

Capitalizing on this oversight, the attacker deliberately engages in a slow brute force attack, as the application lacks any rate limiting mechanisms. Over time, the attacker successfully identifies a handful of valid usernames, email addresses, and associated security question answers, leveraging the information gathered from the vulnerable web applications. With this knowledge in hand, the attacker proceeds to reset user passwords, thus gaining unauthorized access to the health and personal data of select customers. The attacker can use this information to impersonate legitimate customers or use it against other systems. By impersonating other users, attackers are able to continue to escalate their access and gain access to highly sensitive and sought after credit card information, insurance information, and social security information. This data can often be sold on the dark web for a profit or can be leverage to commit insurance or medicare fraud.

KPMG offers end-to-end security testing as an outcome-based managed service, helping you consistently validate controls while minimizing remediation efforts. That’s because business transformation is not a fixed destination; it’s an ongoing journey. With managed services, we help you continually evolve your business functions to keep up with ever-changing targets, while driving outcomes like cost reduction, resilience, and stakeholder trust.

Learn more about KPMG Managed Application Security Testing.

Learn more about KPMG AI Security Services.