At StealthNet AI we have been building out a fleet of AI agents to automate penetration testing. We have several types of agents, and one of them is capable of automating vishing phone calls. Traditionally, phishing has been one of the go-to methods for hackers due to its high success rate and the low barrier to entry for creating attacks. However, defenses are getting better thanks to email firewalls, threat hunters exposing infrastructure, built-in detections within browsers, and more. Vishing is another social engineering technique, similar to phishing, but instead of sending emails you make phone calls to trick people into giving up their username and password. According to a recent CrowdStrike report, vishing is up over 400% and is becoming a favorite technique for many APTs and threat actors. This type of attack has typically been done manually, but with the rise of highly realistic AI voices we at StealthNet AI have created one of the world's first AI-powered vishing agents.
Vishing, short for "voice phishing", is a type of social engineering attack where an attacker attempts to deceive a target into providing sensitive information over the phone.
Instead of sending a phishing email, the attacker places a phone call, often pretending to be a trusted figure like an IT support representative, a bank official, or a company executive. During the call, they may pressure or manipulate the victim into revealing confidential details such as usernames, passwords, multi-factor authentication (MFA) codes, financial information, or other internal data.
Vishing attacks exploit the real-time, conversational nature of voice communication, making it harder for victims to recognize the deception compared to email-based phishing. There is also a lack of defenses around phone calls: there is no firewall like the one you have for your email. Attackers often use urgency, fear, authority, or familiarity tactics to prompt quick action from the target before they have time to critically assess the situation.
One of the most popular attacks threat actors use is to get the target to download a remote monitoring tool such as AnyDesk. Since this is a legitimate tool used by IT, it often goes unnoticed by antivirus software and can blend into network traffic, since everything goes through legitimate tools and domains. Before the attack begins, the hackers will typically do some OSINT to find employees and their phone numbers. Next, they call each employee pretending to be from the IT department in order to trick the user into downloading AnyDesk, thus giving the hacker full access to their computer.
As you can see in the image above, this type of attack is very popular with the "Spider" APTs and has a very high success rate.
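From the defender's side, the AnyDesk scenario described above leaves a trace in endpoint process-creation logs even when antivirus stays silent. The following is an added example, not code from StealthNet AI: it flags AnyDesk launches that do not look like an IT-managed install. The event field names are modeled on Sysmon Event ID 1, and the host names, users, path markers and sample events are constructed assumptions.

```python
import ntpath

# Remote-access tools to watch for. The article names AnyDesk; extend per environment.
RMM_BINARIES = {"anydesk.exe"}
# Assumption: path fragments a user can write to without IT involvement.
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: hypothetical hosts where IT deliberately deployed the tool.
APPROVED_HOSTS = {"HELPDESK-01"}

# Constructed process-creation events (field names modeled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-14 15:02:11", "Computer": "HELPDESK-01", "User": "CORP\\svc_it",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"UtcTime": "2025-01-14 15:09:47", "Computer": "FIN-LT-22", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"UtcTime": "2025-01-14 15:10:02", "Computer": "FIN-LT-22", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2025-01-14 16:30:05", "Computer": "HR-PC-07", "User": "CORP\\asmith",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def classify(event):
    """Return the reasons an event is suspicious, or None if it is not."""
    image = event["Image"].lower()
    if ntpath.basename(image) not in RMM_BINARIES:
        return None  # name match only: a renamed binary needs hash or signer checks
    reasons = []
    if event["Computer"].upper() not in APPROVED_HOSTS:
        reasons.append("host not approved for remote-access tooling")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("launched from a user-writable path")
    if ntpath.basename(event["ParentImage"].lower()) in BROWSERS:
        reasons.append("started directly by a browser")
    return reasons or None

def find_suspicious(events):
    """Collect (time, host, user, reasons) for every flagged event."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["UtcTime"], event["Computer"], event["User"], reasons))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Correlating a hit with a help-desk ticket, or the absence of one, separates a sanctioned support session from one started by an unsolicited call.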
A year or two ago it would have been impossible to automate vishing calls, but thanks to the rapid progress in the AI voice field it is now possible. AI voices can be extremely realistic, and it can be hard to tell whether you're talking to an AI or an actual person. Here at StealthNet AI we are one of the first to create an AI agent that can call you on the phone and walk through a vishing script or scenario, such as downloading AnyDesk or giving up your credentials. Check out the phone call below, where our agent is used to get the user to say their username and password.
As you can tell from the recording above, AI voices sound fairly realistic and can be leveraged to automate vishing calls. When doing vishing engagements manually you can only call so many people, so most people only call a subset of users. With AI you can call thousands. Within our platform we have hundreds of scenarios, various voices, multi-language agents, voice cloning, and much more. Starting a vishing engagement is as easy as inputting the users, selecting a scenario, and pressing start. We are the only platform out there that can automate vishing via AI agents and realistic voices.
We at StealthNet AI are building out a fleet of offensive security agents to automate penetration testing. Vishing is just one area where AI can be leveraged to 10x a penetration tester's capabilities. A year ago vishing had to be a manual effort, but now, thanks to realistic AI voices, this entire domain can be automated. Within our platform all you have to do is add your targets, select a vishing scenario, and press start. The rest is automated via our AI agent.