Security

Vishing Joins Phishing as Security Threat

By Andy Patrizio
Just as Internet surfers have gotten wise to the fine art of phishing, along comes a new scam utilizing a new technology.

Creative thieves are now switching their efforts to "vishing," which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information.
Phishing is the sneaky art of sending an e-mail to people pretending to be from a bank or major online merchant, such as Amazon or eBay, asking them to click on a link and verify their account information.

The user is then directed to a fake site that collects the login and password information.

Repeated efforts on the part of security firms have educated users to be cautious about clicking on links from unknown senders.
But now, the criminal element has shifted from asking people to click on links to placing a phone call instead. Only the number isn't to a bank or credit card company; it's to a VoIP phone that can recognize telephone keystrokes.

The thieves don't even use an e-mail blast; they use a war dial over a VoIP system to blanket an area. A recorded message tells the person receiving the call that their credit card has been breached and to "call the following (regional) phone number immediately."

When the user calls the number, another message is played stating, "This is account verification. Please enter your 16-digit account number." The rest is academic.
Secure Computing, which specializes in secure connections over networks, sent up the red flag over this new method. Secure Computing engineers have been tracking newsgroup sites and open disclosure discussion groups discussing vishing.
"This is just a natural evolution of phishing itself," said Paul Henry, vice president of strategic accounts for Secure Computing.

"Simply put, people are becoming more aware of the fact that an e-mail containing a URL could be malicious in nature. So hackers are moving away from the URL and using something victims are more familiar with like calling a number."
Henry said Secure Computing raised the issue over a year ago, but the first recorded incident took place last month, involving a Santa Barbara bank, followed by a second incident in early July involving PayPal.

Henry said there is no real preventative technology solution. Caller ID spoofing is very simple, and VoIP providers like Skype allow customers to pick not only their area code but the prefix as well, so it's possible to pick a phone number in the same area code and prefix as a major bank.

To that end, Henry thinks the VoIP companies could help with the issue by being a little stricter in their signup process, but he doesn't think they will.
"These VoIP companies are in the business of producing value for their shareholders, so they are trying to drive down transaction costs. They want establishment of a new account to be as fast and painless as possible," Henry said.

At this point, common sense is your best defense, said Henry. "If you receive an e-mail that would direct you to a telephone number, don't use that number. Contact your credit card provider or whoever with a known number that's good."

Daniel Hong, senior voice business analyst for Datamonitor, concurred that users need to be educated all over again.
"There's definitely vulnerability, because this is a completely new approach, especially in terms of customer behavior and customer psyche," Hong said.

"There's been a lot of education on Internet scams, but there hasn't been a lot of awareness concerning the phone. So if there's an automated phone prompting you, it seems more credible than getting an e-mail blast from hackers out there."

More stringent measures for VoIP account activation could help, but in the end, education might be the best solution. "If the hacker is able to get to the consumer," said Hong, "then education will make the difference."