With India adding almost 8 million cellphone subscribers per month - and SMS being the largest-used service - hackers find vishing a great tool to target gullible users.
Rakshita Kolaskar (name changed) was pleasantly surprised to receive an SMS recently, announcing her as the winner of a $3 million (around Rs 12.5 crore) prize from the Shell International Mobile Draw.
The message prompted her to mail her claim and asked her to call an international number. However, when her excitement died, she tried hard to recall if she ever used any Shell product or service, as the SMS stated.
She soon realised that she had never done so. So why was this SMS sent, especially, when a Shell official confirmed that it had not issued any such award?
Welcome to the world of Vishing or voice phishing, wherein hackers are using a combination of voice over internet protocol (VoIP), SMSs and the internet to fool and redirect users into dialling a phone number and collect critical information for financial gain. In Kolaskar's case, both mobile spam and vishing were used.
Phishing-related losses have been estimated at $2.8 billion with a single victim losing $1,244 in 2006, compared with $257 in 2005, according to Gartner.
According to some recent reports, phishing attacks on banks have increased since the beginning of the year.
Globally, the first vishing attack was registered in 2006, but there have been reports that these are increasing. Earlier this year, the FBI's internet Crime Centre said it received multiple reports on different variations of vishing. These attacks against US financial institutes and individual users continue to rise.
Many feel that India is a compelling market for this kind of attack. With almost 8 million subscribers added per month, and SMS the largest-used service, experts feel this could be the best way to target Indian users.
Rohas Nagpal, president, Asian School of Cyberlaw, feels that the above is a social engineering attack that could later be used for fraudulent activity, or it could also be the first step towards vishing.
Security experts are of the opinion that more than the technology solutions, it is the ease of database availability from the telecom operators that is responsible for this in India. "If you go to Nehru place in New Delhi, you can get a mobile number database for a few thousands of rupees," says a security specialist.
Many feel that laws should be strengthened. Kartik Shahani, regional director, India, McAfee, says: "Everyone knows that databases are sold by network operators. One can also specify the type of database based on a user's ARPU spend. Besides, the rules and regulations on providing database access to other users are very weak in India."
He also believes that if the attack is taking place from the net, then there are solutions that can help users detect the authentic site. But in case of vishing, it becomes difficult.
Howard Schmidt, president and CEO, R&H Security Consulting and a former special advisor for cyberspace security for the White House, had told Business Standard that with the mobile usage increasing, the next wave of security threats will target handhelds.
He said: "Five years from now, the mobile will be used like we use PC and laptops today. So, the attacks will be using the data on the handheld. The problem is that while solutions are available people are not using it."
Niraj Kaushik, country manager, India and Saarc, Trend Micro, cautions that though vishing is still at a nascent stage, very few operators are providing any security solutions that can control spam on mobile handsets.
The Nigerian scam
Phishing is a common phenomenon on the internet. It is a form of internet fraud that aims to steal valuable information such as credit card details, social security numbers, user IDs and passwords for financial gain.
Several top banks in India have reportedly been hit by phishing. A popular email scam is the Nigerian scam.
The email, in this case, is sent by a prominent official from an African country asking the recipient to help him/her in depositing money into a local bank and also offers to share the bounty.
Sunday, July 6, 2008
Thursday, June 5, 2008
Phishers Targeting Your Tax Dollars - redmondmag.com - 03 Jun 2008
A new phishing scam is targeting debit-card accounts used to deliver government benefits payments in 15 states.
E-mails, phone text messages and so-called "vishing" voice-mail messages ask recipients to confirm or update EPPICard account data, directing them to a phony Web site. Once the scammers have gathered the account information, they can drain money from the benefits account.
"They are apparently targeting government payments" such as food stamps and child support payments, said Marc Salomon, a researcher at Cloudmark, an anti-spam company in San Francisco that noticed the attacks earlier this month. "It is the taxpayer who is footing the bill," he said, because the compromised accounts are held by states, not financial institutions.
EPPICard is a magnetic-stripe debit card branded by MasterCard or Visa to access benefits accounts. The cards are used by Florida, Georgia, Illinois, Indiana, Mississippi, Nevada, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Texas, Utah and Virginia.
Each state uses the card to deliver the types of benefits payments it chooses. When a payment has been credited to the account, the holder uses the debit card for purchases and the payment is deducted from the account. Holders also can get cash back from a purchase and withdraw cash at banks and automated teller machines.
The e-mails apparently come from the address customeralert@eppicard.com and direct victims to a phony Web site. "They are hosted on servers around the world," Salomon added.
EPPICard has posted a warning on its Web site of phishing and vishing attacks. "We will never request your personal information, such as a Social Security number, card number or PIN through any of these methods," the company said.
Cloudmark has spotted about 20 of the phishing e-mails and said that number is probably just the tip of the iceberg. There is no indication the e-mails are specifically targeting EPPICard users, said Adam O'Donnell, Cloudmark's director of emerging technology. But he said this type of attack against a niche target is likely to become more common as larger targets such as banks and services such as PayPal become over-phished.
by William Jackson
'Untraceable' phone fraudsters eye your credit card - theregister.co.uk - 03 Jun 2008
Scams involving email and fake banking websites may get all the attention, but a recent rash of fraudulent phone calls shows criminals haven't given up on more traditional tools for tricking people into surrendering credit card numbers and other sensitive information.
The calls begin with a recording that makes a tempting offer - usually for a lower credit-card interest rate or an extended car warranty - and then invite the caller to speak to a live agent. The agents then ask for information including the credit card number and expiration, name, address, and in some cases social security number and other data. Recipients who have fallen for the ploy report finding charges as high as $900 on their credit card.
Your reporter has received three such calls in as many weeks. After taking the bait for a lower interest rate, an agent named Donna said her company, amorphously called Financial Services, uses its clout to negotiate directly with the issuing bank to lower my rate. Eventually, she put a supervisor named Johnny Davis on the line to answer questions like where Financial Services was incorporated and whether it was a member of the Better Business Bureau.
His answer: "That has nothing to do with the purpose of the phone call. Are you interested in us negotiating your interest rates of your accounts?"
Obviously, Davis wasn't the least bit daunted by the questions and neither were any of his colleagues, judging from similar online accounts, in which recipients report getting an abrupt click when seeking such information. Other people report receiving the calls every day at 3 a.m.
The reason Johnny, Donna and the rest of the cabal can't be bothered with maintaining even the appearance of legitimacy is they know they are largely untraceable. The varying phone numbers that appear in recipients' caller id screens are spoofed. There is little that typical users can do to find the real origins of the call.
"I actually pursued it a little bit," said Dan Clements, head of credit card-monitoring service CardCops after he received a call. But because CardCops, a division of Affinion Security Center, is set up to focus on internet-based abuses, he took a pass on one based solely using phone lines. "I couldn't dig in on it," he said.
Identity theft investigators at Consumer's Union say they are unfamiliar with the scam. Officials from the California Attorney General's office and the Federal Trade Commission didn't return phone calls by time of publication.
That's left people to resort to alternate ways of handling the calls. One person, for instance, started Stopping Heather, a site named after the perky voiced operator whose recording graces the beginning of many calls. Participants are encouraged to log as much information about the calls they receive as possible, including spoofed numbers and the scripts of the scammers. Ad-hoc forums on sites such as 800Notes serve much the same purpose. Others report keeping a whistle or an air horn at the ready.
The surge of calls comes as security researchers report an up-tick in so-called vishing attacks, which use VoIP, or voice over IP, to trick people into turning over banking credentials and other sensitive data. Last fall, more than 12,000 people in Texas were targeted in a scam that attempted to capture their account details for eTrade and two local banks, according to a recent report from iSIGHT Partners.
Vishers typically set up demo accounts with one of the many VoIP providers, carry out their attack and then move to another provider. The attacks observed in the report were different from the recent scam, however. They typically rely on emails that encourage recipients to call an automated number and manually enter their account information.
The use of live agents at a time when open-source public branch exchanges and similar gear makes number spoofing cheap and simple is a wrinkle that will take time for enforcers to crack down on.
By Dan Goodin in San Francisco
Local College Attacked In New 'Vishing' Scam - NBC10.com - 03 Jun 2008
PHILADELPHIA -- Local college students are getting a lesson in phishing.
Students and faculty at Temple University have fallen victim to online scams set up by computer hackers.
"Computer security says this one went to 300 or 400 people. We caught it quickly and we were able to block emails," Ken Ihrer, Temple University's computer security chief, said.
Ihrer said the 'vishing' scam popped up last Thursday morning. Ihrer said he believes the scam originated on the West Coast.
He said it's similar to a phishing scam, but requires you to make a phone call or use your voice, hence the term 'vishing'.
"It asks you to call an 800 number and in this case they wanted you to enter in your credit card data similar to when you get a new credit card," Ihrer said.
"In the past four years I've been here, there's always a new attack and new way to try and get our information. This one I haven't heard of before," Mike Giambra, a Temple graduate student, said.
It's the fifth time since April that Ihrer has warned Temple's 66,000 email users about such Internet scammers.
Initially users were asked to confirm their personal information or their account would be disabled. The first phishing email was traced to a Palestinian account, but originated off the coast of West Africa. Seventy-five users replied and the information of 24 people was illegally used.
"It's just an added concern. We have a plethora of other things to be concerned about and to have this added is unnecessary," Thamar Petit, a Temple student, said.
"It gets frustrating," Sandi Thompson, a Temple librarian, said.
In the latest scam, Ihrer said he has no way of knowing who replied to the vishers or whose information was compromised. But Ihrer said even though he's locking accounts and urging all users to create new passwords, fighting back is an incredible challenge.
"We find accounts, we shut them down and they just go to the next three or four they've found and phish them," Ihrer said.
Ihrer said he believes universities are under attack because of the diverse population from people who rarely use computers to PhDs in computer science. The university is developing an awareness campaign.
For video coverage, check the link http://video.nbc10.com/player/?id=258855