Vishing - VoIP Scam

moongirl
Moderator

June 23, 2006
Phishing Alert: Santa Barbara Trust (Voice Phishing)

Websense® Security Labs™ has received reports of a new phishing attack that targets customers of Santa Barbara Bank & Trust. Users receive an email message that is spoofed and has the subject "Message 156984 Client's Details Confirmation (Santa Barbara Bank & Trust)."

Unlike the most popular form of phishing where users are lured to click on a URL and are directed to a fraudulent site, this lure uses a telephone number. The phone number is in the Southern California area code and was answering at the time of this alert.


When victims dial the phone number, the recording requests that they enter their account number.

The phone response does not mention the bank name, which could be a potential indicator that this number is being used for fraud against other entities.

Recording link:

http://www.websense.com/securitylabs/im ... ishing.wav

Email Message:

Dear Customer,

We've noticed that you experienced trouble logging into Santa Barbara Bank & Trust Online Banking.

After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure.

Call this phone number (1-805-XXX-XXXX) to verify your account and your identity.

Sincerely,
Santa Barbara Bank & Trust Inc.
Online Customer Service


Special thanks for research collaboration by the volunteers at Phishing Incident Reporting Termination (PIRT):
A PIRT Handler (link: http://wiki.castlecops.com/PIRT/) reported a new "telephone only" phish today.
http://www.websense.com/securitylabs/al ... lertID=534
That's not the man in the moon...that's me ;)
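
A mail-filter heuristic for the lure pattern the alert above describes (an account pretext, a phone number to call, no URL), run over the quoted message. This is an added example, not part of the original post or of Websense's alert; the function names, trait labels and the `KNOWN` list of published bank numbers are assumptions.

```python
import re

# NANP-style numbers, including masked ones such as 1-805-XXX-XXXX.
PHONE_RE = re.compile(
    r"(?<![\w-])(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?[\dXx]{3}[\s.-]?[\dXx]{4}(?![\w-])")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
CALL_RE = re.compile(r"\b(?:call|dial|phone|telephone)\b", re.I)
PRETEXT_RE = re.compile(r"\b(?:locked|suspended|unsuccessful attempts|confirmation|"
                        r"verify your (?:account|identity))\b", re.I)

def normalize(number):
    """Reduce a number to 10 characters (digits or X) for comparison."""
    digits = re.sub(r"[^\dXx]", "", number).upper()
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits

def callback_lure_findings(subject, body, known_numbers=frozenset()):
    """Return the set of lure traits seen in one message."""
    findings = set()
    phones = list(PHONE_RE.finditer(body))
    if phones and not URL_RE.search(body):
        findings.add("phone-only")        # a number, but no link to click
    for m in phones:
        if normalize(m.group()) not in known_numbers:
            findings.add("unlisted-number")
        nearby = body[max(0, m.start() - 80):m.end() + 80]
        if CALL_RE.search(nearby):
            findings.add("call-to-action")
    if PRETEXT_RE.search(subject + "\n" + body):
        findings.add("account-pretext")
    return findings

def is_callback_lure(findings):
    """Escalate when the message pushes the reader to an unlisted number."""
    return {"call-to-action", "unlisted-number"} <= findings

# Subject and body as quoted in the alert (body abridged, number masked there).
LURE_SUBJECT = "Message 156984 Client's Details Confirmation (Santa Barbara Bank & Trust)"
LURE_BODY = (
    "After three unsuccessful attempts to access your account, your Santa "
    "Barbara Bank & Trust Online Profile has been locked.\n"
    "Call this phone number (1-805-XXX-XXXX) to verify your account and "
    "your identity.\n")
# Constructed benign notice; the domain and number are placeholders.
BENIGN_BODY = ("Your monthly statement is ready at https://bank.example/statements. "
               "Questions? Our number is 1-800-555-0100.")
KNOWN = frozenset({"8005550100"})  # assumed list of the bank's published numbers

if __name__ == "__main__":
    print(sorted(callback_lure_findings(LURE_SUBJECT, LURE_BODY, KNOWN)))
```

The `phone-only` trait is the one that separates this lure from URL-based phishing; link-reputation filters have nothing to score in such a message.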
moongirl
Moderator

Why 'vishing' is the new scam
Justin Cole
Agence France-Presse
Monday, 24 July 2006

Fraudsters have been sending people emails asking them to phone their bank as part of a novel way of stealing account details known as 'vishing', security experts say.

Internet fraud dubbed 'phishing', where email recipients are directed to a fake website seeking their financial details, has been around for several years.

But government officials and security experts are warning about vishing, after a recent case of attempted fraud against a Californian bank.

As opposed to phishing, vishing relies on Voice over Internet Protocol (VoIP) telephony, a way of using the net to make cheap phonecalls.


The perpetrators take advantage of a quirk in VoIP that allows subscribers to have a telephone number that appears to be based in a city, such as Los Angeles, even though they may be anywhere in the world.

"It's a fairly new phenomenon. We're aware of reports they have been occurring," says Lisa Hone, the assistant director of the US Federal Trade Commission's consumer protection bureau.

The perpetrator or group behind the emails sent to customers of the Santa Barbara Bank and Trust in California last month have yet to be caught, but the bank has alerted its customers to the scam.

The email sent to the bank's customers preyed on potential victims by requesting they call an apparent local telephone number to clear up an account problem.

Any customers who called the telephone number would have heard a recorded message urging them to enter their account number, according to internet security firm Websense.

Dan Hubbard, vice president for security research at Websense, says the group alerted the bank, a unit of Pacific Capital Bancorp.

Pacific Bancorp could not be reached for comment, but the bank's website has alerted its customers to the scheme.

"It's definitely a new trend. It is growing, but it is not nearly as big as the threat of [fake] websites or criminal activity through malicious code; we're talking tens of thousands versus a handful," Hubbard says.

Online auctions affected too
But he says similar scams have been attempted against users of the online payments company PayPal, and on the online auction group eBay.

UK-based internet security firm Sophos issued an alert earlier this month about a vishing scheme targeting PayPal.

"As hackers get smarter we are likely to see them increasingly not only set up fake websites, but 'harvest' messages from corporate switchboard systems to appear even more like the legitimate company," says Graham Cluley, a senior technology consultant at Sophos.

A VoIP-based fraud can be set up fairly simply, according to security experts.

There are relatively few companies that currently offer such internet-based telephone services, and fewer checks are generally required compared to opening an account with a traditional telephone company.

False voicemail
Essentially, a fraudster signs up for a VoIP account, sets up a voicemail recorded message system, mimicking that of an actual bank or other company, then mass emails consumers urging them to call the false number.

Hone says the scam, as in the California case, can appear legitimate to unsuspecting consumers because VoIP accounts can be set up with local telephone codes of a user's choice in a variety of cities or states.

"One VoIP account can have numbers all over the country, the code makes it look more real, and set-up is easy," Hone says.
http://abc.net.au/science/news/tech/Inn ... 694737.htm