Phishers Use VoIP To Improve Scams
An article in NetworkWorld describes how phishers are now using Voice-over-IP (VoIP) technology to enhance their phishing schemes.
Small businesses and consumers aren’t the only ones enjoying the cost savings of switching to VoIP; according to messaging security company Cloudmark, phishers have begun using the technology to help them steal personal and financial information over the phone.
Earlier this month, Cloudmark trapped an e-mailed phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing the included number (the Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam because he’s not a customer at this bank).
The amazing thing about all of this is that the scheme is relatively simple. Phishers send an email to customers telling them to dial a telephone number. This number is procured from one of the many VoIP DID and toll-free providers. They attach the number to an Interactive Voice Response (IVR) system, which can be built with a PC, open source PBX software (such as Asterisk) and a bit of tweaking. All of these VoIP components are readily available. Internet access and VoIP DID/toll-free accounts can be procured easily without much identification; DID numbers can even be ordered “while you wait”. Open source VoIP software is freely available too. This definitely adds a new dimension to phishing scams, lending them a bit of “professionalism”.
As with ordinary phishing scams, it is difficult to tell whether such a call is legitimate. There are obvious steps that can be taken to avoid becoming a victim of these scams. Ignoring the problem is not always the solution, as there may be valid reasons for a bank to contact you.
- Check whether you have an account with that institution. This is the most obvious check. If you don’t have an account, this is probably a scam.
- Validate the claim. If a suspected phishing message claims that the bank is undergoing some major activity, check the company’s website or ask somebody you know whether the claim is true. Banks don’t just ask you to provide user information out of the blue. You might even want to call somebody you know at the bank to validate this further.
- Validate the called party. Most banks already have your contact information in their databases, so you can ask the bank to call you back for security reasons; phishers are unlikely to have this information at hand. Also check whether the number provided is an official number published by the bank. Major banks have vanity toll-free numbers, which are hard to spoof.
- Try not to give personal information to IVR systems. In extreme cases it is better to ask for a human operator before giving out personal information. The personal touch is always best.
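The “validate the called party” check above can also be automated on the mail-filtering side, in the spirit of the filter that trapped the e-mail described earlier. The following is an added example, not code from the original article or from Cloudmark: it extracts phone numbers from an e-mail body, compares them against a constructed allowlist of a bank’s published numbers, flags unknown toll-free DIDs, and raises the score when the message pairs an unknown number with “verify your account by dialing” wording. The allowlist, the sample messages and the function names are all assumptions.

```python
import re

# Constructed allowlist of one bank's published contact numbers in E.164 form
# (assumption: a real filter loads the institution's official directory).
OFFICIAL_NUMBERS = {"+18005551234", "+12125550100"}

# North American toll-free prefixes in use when this scheme was reported; an
# unknown toll-free DID is exactly what the "validate the called party" step catches.
TOLL_FREE_PREFIXES = {"800", "888", "877", "866"}

# Matches 1-800-555-1234, (212) 555-0100 and 800.555.1234; the lookbehind and
# trailing \b stop it matching inside longer digit runs such as account numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b"
)

# The wording that pushes the recipient from e-mail onto the phone.
CALL_TO_ACTION_RE = re.compile(
    r"\b(?:verify|confirm|update)\b.{0,40}\b(?:account|information)\b.{0,60}\b(?:call|dial)",
    re.IGNORECASE | re.DOTALL,
)


def extract_numbers(text):
    """Return every phone number in the text, normalised to +1NXXNXXXXXX."""
    return [f"+1{a}{b}{c}" for a, b, c in PHONE_RE.findall(text)]


def classify(message, official=OFFICIAL_NUMBERS):
    """Score one e-mail body as 'ok', 'review' or 'suspicious' and return the evidence."""
    numbers = extract_numbers(message)
    unknown = [n for n in numbers if n not in official]
    toll_free_unknown = [n for n in unknown if n[2:5] in TOLL_FREE_PREFIXES]
    asks_to_dial = bool(CALL_TO_ACTION_RE.search(message))
    if asks_to_dial and unknown:
        verdict = "suspicious"  # unpublished number plus "verify by dialing" wording
    elif unknown:
        verdict = "review"      # unpublished number but no pressure to call it
    else:
        verdict = "ok"          # only published numbers, or none at all
    return verdict, {"unknown": unknown, "toll_free_unknown": toll_free_unknown,
                     "asks_to_dial": asks_to_dial}


# Constructed sample messages modelled on the attack described in the article.
SAMPLE_PHISH = ("Dear valued customer, our records show unusual activity. Please "
                "verify your account information by dialing 1-888-555-0199.")
SAMPLE_LEGIT = "Your statement is ready. Questions? Reach us at 1-800-555-1234."

if __name__ == "__main__":
    for body in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(classify(body))
```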
Pay extra attention when the notification arrives by email. There is no catch-all solution to the problem of phishing, but the bottom line of all of this is to “Be Vigilant”.

May 2nd, 2006 at 1:01 am
[…] A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites. Phishing is a particularly hard problem as it uses social engineering (and not actual exploits) to perform information theft. The anti-malware makers will have a difficult time detecting these phishing attacks. This is now particularly true because phishers are getting smarter (and smarter) and using technologies like VoIP to improve their scams. […]
June 17th, 2006 at 3:44 am
[…] This is not new at all. There are many articles about phishing scams that use XSS to insert scripts into SSL protected websites. These exploits are normally fixed by providers immediately. However, as customers, there is always that window of vulnerability. So, it is best to play safe. It might be best to revisit my old blog entry about a few ways to avoid phishing. It is mainly about IVR phishing, but, the general principles apply. […]
July 13th, 2006 at 3:22 am
[…] A few months ago, I blogged about an article that discusses the use of Voice-over-IP in phishing scams. This NetworkWorld article now gives this kind of phishing a new name. They now call it Voice Phishing or Vishing. Secure Computing has reported an ingenious new type of phishing scam that uses VoIP telephony to entrap its victims. […]