The Register® — Biting the hand that feeds IT

Feeds

FBI rings warnings over VoIP phishing cons

'Alarming' rise in vishing

By John Leyden, 21st January 2008
  • print
  • alert

Ensure Ease of Recovery with Asigra’s Agentless Software

Fraudsters are turning to VoIP systems to craft more convincing phishing attacks. The FBI's Internet Crime Complaint Centre (IC3) warned last week of an "alarming" rise in the volume of so-called vishing attacks targeting US financial institutions and consumers.

Phishing attacks commonly take the form of forged emails that attempt to trick consumers into disclosing their online banking login credentials to fraudulent sites in response to bogus warnings that prospective marks need to respond to a "security check".

Vishing (voice phishing) attacks involve variations on the theme. In both cases, prospective marks are warned that their accounts will be suspended or cancelled unless they respond.

Vishing messages, unlike traditional email phishing attacks, can arrive as a text message or phone calls in addition to email. Also, vishing attacks are designed to con concerned users into handing over credit or debit card details to fraudsters in calls routed through a cheap VoIP-based answering system.

"Recipients are directed to contact their bank via telephone number provided in the email or by an automated recording. Upon calling the telephone number, the recipient is greeted with 'Welcome to the bank of...' and then requested to enter their card number in order to resolve a pending security issue," the FBI's cybercrime clearing house reports.

One recent variant of the attack involved a text message that claimed the recipient's online bank account had expired. Prospective marks were encouraged to "renew their online bank account" by using the link provided, which directed the credulous to a mobile phone-friendly fraudulent website.

IC3 advises that since criminal methodologies are evolving, the only safe response is to be wary of all emails, telephone calls, or text messages requesting personal finance data.

Consumers with security concerns would do better to contact their banks directly using phone numbers included in statements or telephone books. Recipients of vishing attacks, or other similar hoaxes, are invited to file a complaint with IC3 via its website. ®

Cloud based data management

COMMENTS

House Rules Send Corrections
All Reader Comments (17)
Latest Comments
Anonymous Coward
Anonymous Coward

The bankers and the PC industry are at fault!

PC security is a mess! But we have known that for a while...

The Trusted Computing Group ( http://www.trustedcomputinggroup.org ) and its member companies have solved the problem of "strong authentication" with the use of the Trusted Platform Module (TPM) that today ships on virtually all enterprise class PCs (notebooks and destops). The solution to phishing and vishing exists today.

Where the blame comes in is that the OEMs have not yet implemented this technology into consumer platforms: It is a shame and it borders on corporate irresposibility.

I have made my bank aware of the Trusted Computing technology and have advised them that I will use all the legal possibilities should my data (identity) ever be compromised due to the lack of TC implementation.

0
0
Anonymous Coward

My bank was entirely happy when...

... I asked them to prove who they were when they called me unexpectedly, on a couple of occasions. They said phone back on the usual number, they'll do the usual security game, you then ask to talk to department (whatever) and off we go, no problem.

So it can be done right (this bank has UK only call centres, which might or might not be relevant).

0
0
SImon Hobson

ISDN & Caller ID

This is for BT lines, other providers may vary ...

As far as I can recall, on ISDN you can use any of the numbers assigned TO THAT LINE as your outbound ID - as long as your equipment supports it. To use other numbers you have to go through a process which I assume validates the number is actually yours to use (it's not something I've done).

On incoming calls, on an ISDN line, there is a flag to indicate what part of the number is customer supplied. At my last place I was used to seeing caller IDs of the form 01234567x890 where the 890 was the customer supplied part of the number.

Unfortunately, the switch we had didn't support setting the outbound ID on DASSII trunks and we couldn't justify the cost of upgrading the system to I421. I know that at our warehouse, it worked fine on the I420 ISDN-2 lines they had.

0
0

More from The Register

1,000 O2 staff chose redundancy over Capita
Betrayal, or just decent terms?
48
breaking news
Pttow! Ofcom kicks hams out of MoD bands
Geet off my land, you, you ... 'secondary user'
30
breaking news
Now you can use your phone instead of your wallet at the ATM, too
Blimey, these little paper towels out of the vending machine are really expensive
47
breaking news
UK.gov's £530m bumpkin broadband rollout: 'Train crash waiting to happen'
Whitehall whispers of damning watchdog report next month
30
Google launches broadband balloons, radio astronomy frets
A careless Loon could blind the square kilometre array
46
breaking news
MySpace zaps millions of teens' tearful rants, causes wave of angst
'Your crappy redesign SUCKS, I wanna read my blogs' screech users
53
breaking news
Microsoft Office 365 on iPhone NOW: No, we're not making this up
Word, Excel, Powerpoint for your pocket-stroker
83
Vodafone Oz launches '100 Mbps' 4G service
Nice speed if you can get it
7
breaking news
Clearwire board to shareholders: Go on, grab that Dish cash
Sprint looks on in dismay
3
EU signs off on eCall emergency-phone-in-every-car plan
GPS and a mobe in every car - do you suppose the NSA would fancy that?
100