Mar 15 2008
By Jim Reavis
Take a look at this posting by Brian Krebs at the Washington Post, “Anatomy of a Vishing Scam”. Krebs details some recent vishing (voice phishing) attacks against cell phone users. Phony text messages purportedly from the cell subscriber’s bank alert the user that their account has been suspended due to fraudulent activity, and that they immediately need to call an 800 number to reactivate the account. Of course, when they call the number, the automated attendant drains them of all their account information, including PINs.
I’ll bet anything that a lot of the victims of this scam are the same people that know better than to fall for phishing emails. However, an old attack coming from a new attack vector can be vexing and no doubt has an increased success rate. When you consider that the area codes by and large are still associated with a particular geography, you have the ability to launch locale-relevant attacks, and I think this type of scam is ready to erupt.
Remember the Do Not Call Registry? That is completely irrelevant here: medium-sleazy telemarketers vs ultra-sleazy organized crime. The VoIP technology the Vishers can hide behind is so slick that you can’t catch them and they will only get better at impersonating someone you trust. I am waiting for the Visher that texts me from my wife’s mobile number needing the credit card number. Although as the old joke goes, if the bad guy spends less than my wife, maybe I won’t care.
Email is a real pain with 90% of the messages being spam. What is life going to be like when cell phones are equally useless?
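The lure pattern the post describes (a message claiming to come from a bank or carrier, pressure wording, and a callback number that is not the institution's published one) can be triaged on the receiving side before anyone dials. The following is an added example, not code from the post; the institution names, published numbers, keyword lists and sample message are constructed, and the toll-free prefix list is an assumption.

```python
import re

# Constructed allowlist standing in for the numbers printed on the card or on the
# institution's own site; any other "call us" number is untrusted, whatever the
# message or Caller ID claims.
PUBLISHED_NUMBERS = {"First Example Bank": {"8005550100"},
                     "Example Wireless": {"8885550199"}}
PHONE_RE = re.compile(r"\b(?:1[-. ]?)?(\d{3})[-. ]?(\d{3})[-. ]?(\d{4})\b")
TOLL_FREE_PREFIXES = {"800", "888", "877", "866"}  # assumed US toll-free prefixes
URGENCY = ("suspended", "fraudulent", "immediately", "now", "reactivate",
           "incur charges", "locked")
CREDENTIAL_WORDS = ("pin", "password", "social security", "account number",
                    "card number")

def extract_numbers(text):
    """Phone numbers in text as digit strings, e.g. '8005550100'."""
    return ["".join(m) for m in PHONE_RE.findall(text)]

def _phrases_present(text, phrases):
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]

def score_sms(text, claimed_sender):
    """Heuristic triage of one message; returns (score, reasons)."""
    t = text.lower()
    reasons = []
    # claimed_sender is who the message says it is from; an unknown sender has
    # no published numbers, so every callback number it gives is untrusted.
    published = PUBLISHED_NUMBERS.get(claimed_sender, set())
    for n in extract_numbers(t):
        if n in published:
            continue
        reasons.append(f"callback number {n} is not a published {claimed_sender} number")
        if n[:3] in TOLL_FREE_PREFIXES:
            reasons.append("untrusted toll-free number (cheap to provision, hides the caller)")
    urgent = _phrases_present(t, URGENCY)
    if urgent:
        reasons.append("pressure wording: " + ", ".join(urgent))
    creds = _phrases_present(t, CREDENTIAL_WORDS)
    if creds:
        reasons.append("mentions credentials: " + ", ".join(creds))
    return len(reasons), reasons

def is_suspect(text, claimed_sender, threshold=3):
    """True when the message should be treated as a vishing lure."""
    return score_sms(text, claimed_sender)[0] >= threshold

if __name__ == "__main__":  # constructed sample in the style the post describes
    lure = "ALERT: your account is suspended for fraudulent activity. Call 800-555-0123 immediately to reactivate."
    print(is_suspect(lure, "First Example Bank"), score_sms(lure, "First Example Bank")[1])
```

A personal message carrying an ordinary local number scores low, while an unpublished toll-free number combined with pressure wording crosses the threshold; the number on the back of the card, not the one in the message, is the only one worth dialing.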
Posted by Jim.Reavis on Saturday, March 15th, 2008, at 6:28 pm, and filed under Articles, Future Forecast.
admin | 17-Mar-08 at 9:43 am
Add to this the fact that most people take Caller ID as the literal truth and something that can always be trusted (when in fact it can trivially be spoofed to read anything you want) and you have a recipe for disaster; people won’t even be able to properly screen calls.
Larry J. Hughes, Jr. | 26-Apr-08 at 10:44 pm
I was the recipient of a vish in March. It read:
“Free VZW msg. UR on track 2 incur charges for Minute, Data or Message usage. Call 888-453-1922 NOW to discuss options! 2 stop txt msgs from VZW, reply X”
Knowing it wasn’t Verizon I phoned the number anyway (with caller ID blocked) to see what would happen.
Visher: Hello?
Me: Is this Verizon? I got a text message about using too many minutes.
Visher: Uh, yeah. What’s your social security number?
Me: [click]
I phoned Verizon to report it, and the poor woman I spoke with didn’t have a clue what to do about it.
I just tried the number again and got a recording that Verizon is closed and to try again during business hours. Either Verizon has seized the number and is now using it for real (!), or Visher has pilfered their voice message and was out celebrating on somebody else’s credit card.