Download our in-depth report: The Ultimate Guide to IT Security VendorsJust as Internet surfers have gotten wise to the fine art of phishing, along comes a new scam utilizing a new technology.
Creative thieves are now switching their efforts to "vishing," which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information.
Phishing (define) is the sneaky art of sending an e-mail to people pretending to be from a bank or major online merchant, such as Amazon (Quote, Chart)or EBay (Quote, Chart), asking them to click on a link and verify their account information.
The user is then directed to a fake site that collects the login and password information.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iRepeated efforts on the part of security firms have educated users to be cautious about clicking on links from unknown senders.
But now, the criminal element has shifted from asking people to click on links to placing a phone call instead. Only the number isn't to a bank or credit card, it's to a VoIP phone that can recognize telephone keystrokes.
The thieves don't even use an e-mail blast, they use a war dial over a VoIP system to blanket an area. A recorded message tells the person receiving the call that their credit card has been breached and to "call the following (regional) phone number immediately."
When the user calls the number, another message is played stating "this is account verification please enter your 16 digit account number." The rest is academic.
Secure Computing, which specializes in secure connections over networks, sent up the red flag over this new method. Secure Computing engineers have been tracking news group sites and open disclosure discussion groups discussing vishing.
"This is just a natural evolution of phishing itself," said Paul Henry, vice president of strategic accounts for Secure Computing.
"Simply put, people are becoming more aware of the fact that an e-mail containing a URL could be malicious in nature. So hackers are moving away from the URL and using something victims are more familiar with like calling a number."
Henry said Secure Computing raised the issue over a year ago, but the first recorded incident took place last month, involving a Santa Barbara bank, then a second incident in early July involving Paypal.
Henry said there is no real preventative technology solution. Caller ID spoofing is very simple, and VoIP providers like Skype allow customers to pick not only their area code but the prefix as well, so it's possible to pick a phone number in the same area code and prefix of a major bank.
To that end, Henry thinks the VoIP companies could help with the issue by being a little stricter in their signup process, but doesn't think they will.