Cyber-criminals switch to VoIP 'vishing'
Traditional web-based phishing attacks are evolving into sophisticated phone scams as cyber-criminals attempt to keep one step ahead of detection, security experts have warned.
Secure Computing reported today that its engineers have been tracking news group sites and open disclosure discussion groups which are buzzing with talk about a VoIP telephony version of phishing dubbed 'vishing'.
The new technique has been used by criminals to harvest details of the three-digit CVV security code, expiration date and other essential ID information in addition to the user's credit card and account numbers.
"Consumers need to be made aware of this new threat as it hits the UK," said Paul Henry, vice president of strategic accounts at Secure Computing.
"Like most other social engineering exploits 'vishing' relies on the 'hacking' of a common procedure that fits within the victim's comfort zone.
"Specifically this methodology takes advantage of what has become a normal practice for US credit card users when calling a credit card provider.
"Users are asked to enter the 16-digit credit card number before speaking to a representative. Consumers therefore need to be extra vigilant when giving out their information on the phone."
According to Secure Computing, 'vishing' scams usually begin when the criminal configures a war dialler, a tool that dials phone numbers sequentially, to call numbers in a given region.
When the phone is answered, an automated recording is played to alert the consumer that their credit card has suffered fraudulent activity and the consumer should call a phone number immediately.
The phone number is often an 0800 number with a spoofed caller ID of the financial company it is pretending to represent.
When the consumer calls the number, it is answered by a typical computer-generated voice that tells the consumer they have reached 'account verification' and instructs them to enter their 16-digit credit card number on the keypad.
Once the consumer enters the number, the 'visher' has all the information necessary to place fraudulent charges on the consumer's card including telephone number, full name and address (from a simple reverse phone number look up) and credit card number.
The information can then be used to harvest additional details such as security PIN, expiry date, bank account number, date of birth etc.
"Common sense is the first line of protection," said Henry. "Anyone who is called by a bank should take the appropriate steps to protect their personal information and their bank account."
He added that it is important never to call a telephone number provided in a phone call or an email regarding possible security issues with any credit card or bank account.
Only the phone number on the back of your credit card or on your bank statement should be called to report the matter.
If anyone calls purporting to be a credit card provider and requests a card's three-digit CVV, the card owner should immediately hang up and call the phone number on the back of the credit card and report the attempt.
Reproduced from an article published by vnunet.com
© vnunet.com
The original article can be viewed here:
http://www.vnunet.com/vnunet/news/2160004/cyber-criminals-talk-voip