Cloudmark, Inc., the proven leader in messaging security solutions for service providers, enterprises and consumers, has identified and begun blocking phishing attacks carried out over voice over IP (VoIP) systems to spoof an unwitting target's financial institution. Scammers posing as banks are emailing people, telling them to dial a number and enter the personal information needed to gain access to their finances. Cloudmark warns that VoIP services can reduce the costs associated with conducting such attacks, providing the perpetrators with less risk of discovery, and urges recipients of suspicious messages to notify their service providers immediately.
By combining a global threat detection network leveraging real-time reporting by trust-rated users with a unique fingerprinting methodology, Cloudmark is able to identify and begin blocking new spam, phishing and virus attacks within moments, versus the hours or days required with competing solutions. Noted for industry-leading speed in detecting and deterring new threats, Cloudmark is uniquely capable of accurately identifying and blocking these spoofed-number attacks. The company detected two new VoIP-specific attacks this week. As a precaution, Cloudmark advises against dialing phone numbers received in emails from institutions and recommends that recipients instead double-check and dial the numbers printed on their ATM cards.
Adam J. O'Donnell, Ph.D., senior research scientist at Cloudmark, says, “We've seen two separate VoIP attacks hit our network this week, the first we've been able to analyze in detail. In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem.” Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR system that sounds exactly like their own bank's phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter their account number and PIN. “The result,” O'Donnell surmises, “can be personally financially devastating.”
Traditional content and identity rules based on volume analysis for capturing spam do not work for phishing threats: phishers move quickly, using and breaking down multiple sites to launch the same attack. VoIP-based services allow phishers to cheaply add and cancel phone numbers that are harder to trace than conventional numbers. The Cloudmark Collaborative Security Network (CCSN) uses unique fingerprinting algorithms and is able to identify the phone numbers used in VoIP phishing attacks. The CCSN first spotted and began to block these threats last week. It is characteristic of the network to automatically stop threats without the research team having previously identified them, and it is thus likely that the CCSN has been stopping VoIP-based attacks for some time.
Dr. Jose Nazario, a senior security engineer within the Arbor Security Engineering & Response Team (ASERT) at Arbor Networks Inc., a network security leader for global business networks, notes, “Cloudmark's large customer base gives them a unique position to detect and prevent phishing attacks, which are highly sophisticated, targeted, transient and dynamic, thereby making it far more difficult to uncover and capture the perpetrators. Leveraging their unparalleled data helps Arbor by enabling its customers to track and stop phishers mid-attack.”
Rapid, Intelligent Detection
Cloudmark offers two distinct services to thwart phishers, including an anti-phishing data service that provides confirmed phishing URLs to its customers. The Cloudmark anti-phishing engine fits within the service provider's infrastructure to provide filtering protection from fraudulent email at the messaging gateway. It scans each message and computes a set of fingerprints on the message, a process that is automatic, lightweight and highly scalable for large volumes of email. Cloudmark's approach consistently proves faster and more accurate than competitive methods by relying on fingerprinting algorithms to analyze the structure of messages sent by phishers and block new attacks in advance of receiving URL reports.