By Antone Gonsalves
A security firm on Tuesday reported discovering a phishing scheme in
which the scammers used Internet telephony to copy a bank's automated
voice system in order to steal customers' passwords, account numbers
and other personal information.
In the attack that occurred last week, con artists sent spam disguised
as coming from a small bank in a large East Coast city, Cloudmark
Inc., a messaging security firm, said. The message asked the recipient
to dial a telephone number to talk with a bank representative.
The number went to an automated voice system that asked for an account
number and personal identification number, or PIN, in order to access
the caller's finances. The number was obtained through a regular
provider of voice over Internet protocol services.
There was no indication that the VoIP provider was aware of the scam,
said Cloudmark, which declined to name the company and the spoofed
bank.
The incident reflected a mutation in the tactics used by phishers to
snare victims. More traditional schemes involve spam asking the
recipient to visit their bank's Web site through a link in the
message. At the bogus site, the visitor is asked to input personal
information.
The latest scheme, however, is the first Cloudmark has seen using
Internet telephony. An investigation by the San Francisco security
firm showed that the scammers had used open-source software called
Asterisk to convert a computer into a PBX, or private branch exchange,
running an automated telephone information system. The voice system
sounds exactly like the bank's phone tree, directing the caller to
specific extensions, Adam J. O' Donnell, senior research scientist at
Cloudmark, said.
O'Donnell believes it's likely the phishers were using virus-infected
computers that had been commandeered to take calls over the Internet.
The use of VoIP is a natural mutation of phishing, since it involves
Internet technologies that crooks operating on the Web are familiar
with, O'Donnell said. In addition, obtaining a VoIP telephone number
is easy and inexpensive and calls can be directed to any IP
address. In the latest attack, the phishers used the same pitch in the
emails, but used three different telephone numbers.
"Through the economics of using VoIP, phishers reap the same benefits
of any small business," O'Donnell said.
It's not known how popular VoIP technology will become with
phishers. That would depend on how successful it is at trapping
victims
"This is very early on, and we haven't seen a spike," O'Donnell
said. "Our main purpose at this point is to tell consumers before they
fall victim."
Copyright 2006 CMP Media LLC.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html
For more news headlines of interest, please go to:
http://telecom-digest.org/td-extra/newstoday.html
Antone Gonsalves (techweb@telecom-digest.org)