July 11, 2006 -- Just as Internet surfers have gotten wise to the fine art of phishing, along comes a new scam utilizing a new technology.
Creative thieves are now switching their efforts to "vishing," which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information.
Phishing is the sneaky art of sending an e-mail to people pretending to be from a bank or major online merchant, such as Amazon or eBay, asking them to click on a link and verify their account information. The user is then directed to a fake site that collects the login and password information.
Repeated efforts on the part of security firms have educated users to be cautious about clicking on links from unknown senders.
But now, the criminal element has shifted from asking people to click on links to asking them to place a phone call instead. Only the number isn't a bank's or credit card company's; it's a VoIP line answered by an automated system that recognizes telephone keypad input.
The thieves don't even use an e-mail blast; they war dial over a VoIP system to blanket an area. A recorded message tells the person receiving the call that their credit card has been breached and to "call the following (regional) phone number immediately."
When the user calls the number, another message is played: "This is account verification; please enter your 16-digit account number." The rest is academic.
Secure Computing, which specializes in secure connections over networks, raised the red flag over this new method. Secure Computing engineers have been tracking newsgroups and open-disclosure discussion groups where vishing is being discussed.
"This is just a natural evolution of phishing itself," said Paul Henry, vice president of strategic accounts for Secure Computing.

"Simply put, people are becoming more aware of the fact that an e-mail containing a URL could be malicious in nature. So hackers are moving away from the URL and using something victims are more familiar with like calling a number."
Henry said Secure Computing raised the issue over a year ago, but the first recorded incident took place last month, involving a Santa Barbara bank, then a second incident in early July involving PayPal.
Henry said there is no real preventative technology solution. Caller ID spoofing is very simple, and VoIP providers like Skype allow customers to pick not only their area code but the prefix as well, so it's possible to pick a phone number with the same area code and prefix as a major bank's.
To that end, Henry thinks the VoIP companies could help with the issue by being a little stricter in their signup process, but he doesn't think they will.
"These VoIP companies are in the business of producing value for their shareholders, so they are trying to drive down transaction costs. They want establishment of a new account to be as fast and painless as possible," Henry said.
At this point, common sense is your best defense, said Henry. "If you receive an e-mail that would direct you to a telephone number, don't use that number. Contact your credit card provider or whoever with a known number that's good."
Daniel Hong, senior voice business analyst for Datamonitor, concurred that users need to be educated all over again.
"There's definitely vulnerability, because this is a completely new approach, especially in terms of customer behavior and customer psyche," Hong said.

"There's been a lot of education on Internet scams, but there hasn't been a lot of awareness concerning the phone. So if there's an automated phone prompting you, it seems more credible than getting an e-mail blast from hackers out there."
More stringent measures for VoIP account activation could help, but in the end, education might be the best solution. "If the hacker is able to get to the consumer," said Hong, "then education will make the difference."