UPDATED 14:00 EDT / OCTOBER 13 2017

WOMEN IN TECH

Vish-ious attack: Your Instagram posts could put a ‘hack me’ sign on your back

We’ve all heard of phishing — the use of fraudulent electronic exchanges by hackers seeking sensitive information like usernames and passwords. Now cybercriminals have expanded their repertoire to include vishing — basically voice phishing by phone. And the mere act of posting photos online could turn users into victims.

“I can just bypass every security protocol you’ve set up. I don’t even need a technical hacker,” said Rachel Faber Tobac (pictured), associate user experience researcher at Course Hero Inc.

Tobac would know — she’s a white-hat hacker and visher helping companies understand their vulnerabilities and strengthen their defenses. At the yearly Def Con hacking conference, Tobac competes in white-hat vishing competitions.

“I’ll call them in a glass booth in front of 400 people and attempt to get them to go to malicious links,” Tobac said during an interview last week at the Grace Hopper Celebration of Women in Computing event in Orlando, Florida. She also co-founded SocialProof Security LLC, which educates companies on social media and security risks.

Tobac spoke with Jeff Frick (@JeffFrick), co-host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the Grace Hopper event.

“The biggest tool that I use is actually Instagram, which is really scary,” Tobac said. About 60 percent of the information she needs to vish a company, she culls from Instagram via geo-location. The mother lode is often a picture with a computer or workstation in the frame. “I can get their browser, their version information, and then I can help infiltrate that company by calling them over the phone.”

Femme fatale phoning

A visher might call a company posing as a company insider or some other innocent individual. Tobac revealed that “low-status pretexts” are particularly effective. Assumptions about women’s lack of technical expertise can often help get her inside.

For example, “I call you, and I’m like, ‘I don’t know how to troubleshoot your website. I’m so confused. I have to give a talk — it’s in five minutes. Can you just try my link and see if it works on your end?’” Tobac said. All the person on the other end has to do is click the link, and the hypothetical hacker is in his or her computer.

To avoid being vished, Tobac advises never letting anyone on the phone authenticate themselves by citing details about your browser or computer. And don’t take pictures with your computer in the shot.

“If you do, I’m going to see that little line at the bottom, and I’m going to see — exactly — the browser, version, OS and everything like that,” she concluded.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of Grace Hopper Celebration of Women in Computing.

Photo: SiliconANGLE
