Vishing


Scam Soup


Lately I have been reading about a veritable alphabet soup of Internet scams.  Some are run-of-the-mill phishing or email scams, but some are rather innovative and utilize new attack vectors that I have not seen before.  In this post I will review some of these scams, including one that targeted me.

Economic Stimulus Scam

Cyber criminals frequently use events that are in the news as an opportunity to trick people into visiting malicious web sites where they can infect their systems with malware.  Recently, criminals have been using the economic stimulus bill being proposed by President Obama as a lure to attract unsuspecting users.  One email asks the recipient to provide bank account information in order to receive a government deposit.  Another, which appears to come from a government agency, asks the recipient to verify that they qualify for a payment by visiting a web site and inputting personal information.  Of course in both cases the criminals use the information to commit fraud and/or identity theft.  The FTC has about these scams.

Parking Ticket Scam

This is truly an original scam that I thought was rather clever.  In Grand Forks, North Dakota, criminals placed fake parking tickets on parked cars.  The ticket instructed drivers to visit a website where they could “view pictures with information about your parking preferences”.  When the user visits the web site it attempts to install malware on their computer.  This is believed to be the first scam of its type; however, it is likely that it won’t be the last.  I can imagine leaflets distributed on cars in mall parking lots advertising some bogus product with a URL to a malicious web site.  Expect to see more of this type of scam.

My Personal Vishing Experience

I recently received an SMS message that appeared to be from my bank.  I have pasted the message below (with bank information changed to protect my personal information):

FRM:
MSG:State Bank CU urgent notification:unusual activity,please verify your online information at 877-555-8787.

I was immediately suspicious as I was not aware that my bank had my cell phone number and did not think they would contact me in this manner even if they did.  For fun I called the number in the text message and was directed to a full voice mailbox.  No doubt had the mailbox not been full I would have heard a message asking me to leave my bank account information.  This is an example of a vishing attack, which I have written about in a previous post.  Don’t be fooled by such attacks.  No banks request your account information by SMS or email.

Scammers are always looking for new ways to get your personal information.  And as I have shown, criminals will find new and innovative ways to obtain it.

V is for Vishing

First, a little background on the term vishing.  Vishing is a type of attack that combines voice (i.e. phone services) with traditional phishing techniques.  If you are unfamiliar with phishing attacks, please see my earlier article on this topic for a refresher.  Vishing has become more prevalent in recent years as VoIP services have made such attacks far cheaper to conduct and far less likely that the perpetrator will get caught.  And not only have the attacks become more numerous, they are also becoming more sophisticated.

A traditional vishing attack usually starts with an email.  The email will appear to be from a banking institution or credit card company asking you to contact them by phone due to unauthorized charges, card/account reactivation or some other reasonable sounding explanation.  When you call the number provided you are typically greeted with an automated attendant that will request you to authenticate yourself by providing your card number, social security number and potentially other sensitive information.  Of course by doing so, you have just made yourself the future victim of credit fraud and/or identity theft.  Below is an example vishing email:

Recently these types of attacks have become even more complex.  They often leave out the email altogether and use either text messaging or actual phone calls.  The calls can appear to be from a local number even though they may originate from anywhere in the world thanks to the magic of VoIP.  Typically these calls will go to your voice mail, leaving you a message claiming to be from your banking institution and asking you to call them using a number they provide in the message.  When you call you will get the automated attendant asking for authentication via your card number, etc.  You may even be greeted by a real person who may or may not be knowingly involved in the scam.  Some people have been recruited to answer these calls on behalf of what they believe is an actual bank or credit card company, which makes the scam even more believable.

And if what I have described above was not alarming enough, vishing scammers have raised the bar to new heights of late.  To make their emails even more believable, vishers have been posting their fake telephone numbers against the names of the legitimate businesses to bulletin boards and other web sites in an attempt to associate those numbers with the customer support numbers for the banks they are targeting.  This combined with search engine optimization poisoning techniques can result in their fake number showing up with the highest ranking in a Google search for the bank’s customer support information.  Thus if someone received a vishing email but was suspicious about the number and decided to perform a search to find the customer service number of their bank or credit card company, they very well may find the fake number listed first in their search results.  Obviously this would give them an erroneous sense of security in the validity of the email as well as the number they are calling.  Very clever indeed.

If you ever receive an email or call of this type, always go to the bank’s web site directly or look in the phone book for their number.  Don’t rely on a search and definitely don’t call the number in the email or voice mail.  It’s the wild west out there, so keep your guard up.
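The advice above, and the SMS quoted in the earlier post, both come down to one check: does the callback number in the message match a number obtained from a trusted source, such as the bank's own web site or the back of your card?  The script below is an added example, not code from this blog, that applies that check to message text: it extracts phone numbers, looks up the named institution in a constructed allowlist of official numbers, and flags the urgency and "verify your information" language these lures rely on.  The allowlist, the institution name and every sample message are constructed for illustration; the first sample mirrors the SMS quoted in the post.

```python
"""Heuristic screening of SMS/e-mail text for vishing callback lures.

Added example, not code from the original post. The allowlist of official
numbers and every sample message below are constructed for illustration.
"""
import re

# Constructed allowlist: the numbers a customer would find on the bank's own
# web site or the back of their card. In practice this comes from a trusted
# source, never from the message being checked.
OFFICIAL_NUMBERS = {
    "state bank cu": {"8005550100"},
}

# Urgency and credential-harvesting cues typical of the lures described above.
URGENCY_CUES = (
    "urgent", "unusual activity", "verify", "suspended", "reactivat",
    "unauthorized", "locked", "immediately",
)

# North American numbers in common spellings: 877-555-8787, (877) 555-8787,
# 1.877.555.8787, 18775558787. Lookarounds stop matches inside longer digit runs.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)


def extract_numbers(text):
    """Return callback numbers found in text, normalised to 10 digits."""
    return ["".join(m.groups()) for m in PHONE_RE.finditer(text)]


def find_institution(text):
    """Return the allowlisted institution the message claims to be from, if any."""
    lowered = text.lower()
    for name in OFFICIAL_NUMBERS:
        if name in lowered:
            return name
    return None


def assess(text):
    """Classify a message as 'ok', 'caution' or 'suspicious'.

    suspicious: asks you to call a number that is not on the institution's
                published list (or names no known institution at all)
    caution:    uses urgency/verification language but gives no unlisted number
    ok:         neither
    """
    numbers = extract_numbers(text)
    institution = find_institution(text)
    allowed = OFFICIAL_NUMBERS.get(institution, set())
    unlisted = [n for n in numbers if n not in allowed]
    cues = [c for c in URGENCY_CUES if c in text.lower()]

    if unlisted:
        verdict = "suspicious"
    elif cues:
        verdict = "caution"
    else:
        verdict = "ok"
    return {
        "institution": institution,
        "numbers": numbers,
        "unlisted": unlisted,
        "cues": cues,
        "verdict": verdict,
    }


# Constructed sample messages; the first mirrors the SMS quoted in the post.
SAMPLES = [
    "State Bank CU urgent notification:unusual activity,please verify your "
    "online information at 877-555-8787.",
    "State Bank CU: your monthly statement is ready. Questions? Call "
    "(800) 555-0100, the number on the back of your card.",
    "Your card has been suspended. Call 1.202.555.0199 immediately to reactivate.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = assess(msg)
        print(f"{result['verdict']:10} numbers={result['numbers']} cues={result['cues']}")
```

The design point is that the message itself is never the source of truth: a number is trusted only if it already appears in the allowlist, so the search-engine poisoning described above (a fake number ranking first for the bank's support line) cannot launder a lure through this check either.  A message that names no known institution and still asks you to call a number is treated as suspicious by default.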

Copyright © 2011 InfoSecStuff.com — All Rights Reserved