New VoIP Based Phishing Scam

By | December 10, 2006

Secure Computing Corporation, the experts in securing connections between people, applications and networks, today warn that familiar phishing attacks have now evolved into phone scams. Secure Computing engineers have been tracking news group sites and open disclosure discussion groups that have been buzzing with talk about a new technique called vishing.

This new method exploits the low cost of VoIP and combines it with the social engineering aspects of phishing to extract financial information from unsuspecting credit card and banking customers.

The scam is a telephone based version of phishing, hence the name vishing. This new technique enables cybercriminals to harvest details of the 3 digit CVV security code, expiration date and other essential ID information in addition to the customer´s card and account numbers. Paul Laudanski of CastleCops suggests that the visher used a stolen identity to set up a digital voice-response system through an Internet phone company. It´s also possible that the phone number listed in the vish is routing calls to another number which could be anywhere in the world.

“Consumers need to be made aware of this new threat as it hits the UK,” said Paul Henry, vice president of strategic accounts for Secure Computing. “Like most other social engineering exploits, vishing relies upon the ´hacking´ of a common procedure that fits within the victim´s comfort zone. Specifically, this methodology takes advantage of what has become a normal practice for US credit card users. It is a normal procedure when calling a credit card provider to be asked to enter your 16-digit credit card number before given the opportunity to speak to a credit card representative. Consumers need to be extra vigilant when giving out their information on the phone.”

Vishing scams often follow this familiar process: The cybercriminal configures a war dialler (sequentially dials regional phone numbers) to call phone numbers in a given region; When the phone is answered, an automated recording is played to alert the consumer that their credit card has had fraudulent activity and the consumer should call the following phone number immediately xxx xxxx-xxxx. The phone number could be an 0800 number often with a spoofed caller ID for the financial company they are pretending to represent; When the consumer calls the number, it is answered by a typical computer generated voice that tells the consumer they have reached account verification and instructs the consumer to enter their 16-digit credit card number on the key pad.

Once the consumer enters their credit card number, the visher has all of the information necessary to place fraudulent charges on the consumer´s card: Telephone number;

# Full name and address (simple reverse phone number look up); Credit card number.

The call can then be used to harvest additional details such as security PIN, expiry date, date of birth, bank account number, etc

“Common sense is the first line of protection,” said Henry. “Anyone who is called by a bank should take the appropriate steps to protect their personal information and their bank account.”

Some things to remember if you are targeted by a vishing scam:

* Your credit card company will normally refer by first and last name either in any communication in email or via a phone call. Not being refered by full name should be the first sign that the communication may very well be a vishing call.

* It is important never to call a telephone number provided in a phone call or an e-mail regarding possible security issues with any credit card or bank account. Only the phone number on the back of your credit card or on your bank statement should be called to report the matter. If the call was legitimate, your credit card company or bank will have a record and will be able to assist. If the call was in fact a vishing call, the attempt was avoided and the financial institution was alerted to the theft.

* If anyone calls purporting to be a credit card provider and requests the CCV, immediately hang up and call the phone number on the back of the credit card and report the attempt. Again, if the call was legitimate, the credit card provider will have knowledge of it.

* If the attempt has already been successful, it is important that the credit card company be contacted immediately and that the credit card number be reported as possibly stolen. If the credit card company did not make the call, the exisiting credit card number can be closed out and a new card issued, as well as conduct a check to determine if any fraudulent charges have been made on the card since the time of the call.

Leave a Reply