Archive for April, 2006

Phishers Snare Victims With VoIP

Tuesday, April 25th, 2006

The latest phishing tactic moves the threat from the internet to the phone, using easily accessible Voice over IP technology. From TechWeb.com:

A security firm on Tuesday reported discovering a phishing scheme in which the scammers used Internet telephony to copy a bank’s automated voice system in order to steal customers’ passwords, account numbers and other personal information.

In the attack that occurred last week, con artists sent spam disguised as coming from a small bank in a large East Coast city, Cloudmark Inc., a messaging security firm, said. The message asked the recipient to dial a telephone number to talk with a bank representative.

The number went to an automated voice system that asked for an account number and personal identification number, or PIN, in order to access the caller’s finances. The number was obtained through a regular provider of voice over Internet protocol services.

There was no indication that the VoIP provider was aware of the scam, said Cloudmark, which declined to name the company and the spoofed bank.

The incident reflected a mutation in the tactics used by phishers to snare victims. More traditional schemes involve spam asking the recipient to visit their bank’s Web site through a link in the message. At the bogus site, the visitor is asked to input personal information.

The latest scheme, however, is the first Cloudmark has seen using Internet telephony. An investigation by the San Francisco security firm showed that the scammers had used open-source software called Asterisk to convert a computer into a PBX, or private branch exchange, running an automated telephone information system. The voice system sounds exactly like the bank’s phone tree, directing the caller to specific extensions, Adam J. O’Donnell, senior research scientist at Cloudmark, said.


Average of 13,000 Stolen Logins Per Day Per Phishing Group

Monday, April 3rd, 2006

Brian Krebs’ SecurityFix Blog has an article describing the “real” numbers behind the data theft business. For his sample, he looked at the success of only one phishing group and reported the numbers: over 13,000 logins stolen in one day, including 3,536 credit cards, 255 PayPal accounts, 1,038 eBay accounts, and 2,609 Hotmail accounts.