phish by VoIP

Discussion in 'VOIP' started by Rick Merrill, May 2, 2006.

  1. Rick Merrill

    Rick Merrill Guest

    "Typically phishers email their victims, trying to lure them into
    revealing sensitive information on bogus websites. But instead of
    telling victims to click on a Web link, this attack asks users to verify
    account information on a phony customer support number.

    "Part of the danger here is just the fact that it is novel," senior
    research scientist with Cloudmark, Adam O'Donnell, said. "Most people
    are pretty comfortable calling to a phone number that they think is
    their bank's."

    http://fraudwar.blogspot.com/2006/04/using-voip-to-phish-for-victims.html
    Fraud, Phishing and Financial Misdeeds: Using VoIP to Phish for Victims

    - http://www.arnnet.com.au/index.php/id;267268975;fp;2;fpid;1


    As far as I can tell the "voip" "use" is to make the phisher's phone
    appear to be a US phone, which the victim is supposed to call - remember
    they tell you only give out your information if YOU place the call?!

    Other insights into how to spot this phish?
    Rick Merrill, May 2, 2006
    #1

  2. Rick Merrill <> writes:
    > "Part of the danger here is just the fact that it is novel," senior
    > research scientist with Cloudmark, Adam O'Donnell, said. "Most people
    > are pretty comfortable calling to a phone number that they think is
    > their bank's."


    Hopefully something good will come of this. It is amazing how much
    information folks give to complete strangers over the phone.

    I recall a few years ago when I got a snail mail message from a credit
    card company about a newly issued credit card. The message was call
    us *NOW* at this number. The implication was they were worried about
    fraud. The person I talked to was very annoyed when I refused to give
    my "mother's maiden name", ssn, card expiration date etc. "But you
    called us sir. You know who you called." I pointed out I had no idea
    who I called. All I knew was the person I called had access to a
    laser printer and could generate a reasonable-looking letter from a
    credit card company. Unless they could validate themselves to me I
    wasn't giving them any private information. They of course threatened
    to turn off the card and I pointed out that would work as validation.
    If I noticed that card stopped working I'd call them back. They
    finally decided that form of validation wasn't in their interest
    either.

    The problem still remains, unless one only calls the credit card
    company's phone numbers physically printed on the card, one has
    nothing to validate them by. They really need to fix that.

    -wolfgang
    --
    Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
    Wolfgang S. Rupprecht, May 2, 2006
    #2

  3. Rick Merrill

    Rick Merrill Guest

    Wolfgang S. Rupprecht wrote:

    > Rick Merrill <> writes:
    >
    >>"Part of the danger here is just the fact that it is novel," senior
    >>research scientist with Cloudmark, Adam O'Donnell, said. "Most people
    >>are pretty comfortable calling to a phone number that they think is
    >>their bank's."

    >
    >
    > Hopefully something good will come of this. It is amazing how much
    > information folks give to complete strangers over the phone.
    >
    > I recall a few years ago when I got a snail mail message from a credit
    > card company about a newly issued credit card. The message was call
    > us *NOW* at this number. The implication was they were worried about
    > fraud. The person I talked to was very annoyed when I refused to give
    > my "mother's maiden name", ssn, card expiration date etc. "But you
    > called us sir. You know who you called." I pointed out I had no idea
    > who I called. All I knew was the person I called had access to a
    > laser printer and could generate a reasonable-looking letter from a
    > credit card company. Unless they could validate themselves to me I
    > wasn't giving them any private information. They of course threatened
    > to turn off the card and I pointed out that would work as validation.
    > If I noticed that card stopped working I'd call them back. They
    > finally decided that form of validation wasn't in their interest
    > either.
    >
    > The problem still remains, unless one only calls the credit card
    > company's phone numbers physically printed on the card, one has
    > nothing to validate them by. They really need to fix that.
    >
    > -wolfgang


    If you will share the phone number you called, I can pass it along to
    the Postal Inspectors who are checking into this sort of thing.
    Rick Merrill, May 2, 2006
    #3
  4. Rick Merrill <> writes:
    > If you will share the phone number you called, I can pass it along to
    > the Postal Inspectors who are checking into this sort of thing.


    Actually, I do believe it *was* my credit card company. The person
    did eventually open up a bit and tell me which purchase I had made
    that sent up a red flag. We both cautiously read some of the digits
    of the purchase to each other. In this way we both did manage to make
    sure that each of us was looking at my last bill.

    It would be good if there were a more official way for the user and
    the credit card company to mutually authenticate each other.

    Although, come to think of it, there is still the possibility that the
    scammer uses voip and 3-way calls the real credit card company. This
    way they can record all the validation information and use it at a
    later time for some mischief of their own.

    -wolfgang
    --
    Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
    Wolfgang S. Rupprecht, May 2, 2006
    #4
  5. Bill Kearney

    Bill Kearney Guest

    > The problem still remains, unless one only calls the credit card
    > company's phone numbers physically printed on the card, one has
    > nothing to validate them by. They really need to fix that.


    Indeed, tell the card holder to call the number listed on their card and
    then a specific extension to route them right to the proper call center.

    But good point, don't just call someone back because they claim to be from a
    given organization, check the numbers you've already got FIRST.
    Bill Kearney, May 3, 2006
    #5
