VoIP may help cut costs and improve communication efficiency, but this popular technology is also being used to launch phishing attacks against unwitting companies.
Cloudmark, an anti-spam company, put the word out about a new type of email phishing scam targeting banking customers. These fake emails do not provide a URL for you to click—you are much too smart for that. Rather, they provide a phone number, which calls into a voice mail system that asks for your account number…
A number of companies such as Cloudmark are hoping to curb this growing trend by identifying and blocking phishing attacks carried out over VoIP systems to spoof a target’s financial institution.
Scammers posing as banks are emailing people to dial a number and enter personal information needed to gain access to their finances. Cloudmark, a provider of messaging security solutions for service providers, enterprises and consumers, warns that VoIP services can reduce the costs associated with conducting such attacks, providing the perpetrators with less risk of discovery, and urges recipients of suspicious messages to notify their service providers immediately.
According to Cloudmark, what is new here is the criminal use of VoIP and PBX (private branch exchange) software to set up a voice-mail system that sounds like your bank. The process is cheap and easy, thanks to VoIP and open-source PBX software such as Asterisk. The same low-cost setup that is enabling small businesses to sound professional is enabling small-time scam artists to do the same.
In the attack that occurred recently, con artists sent spam disguised as coming from a small bank in a large city on the East Coast of the US, Cloudmark said. The message asked the recipient to dial a telephone number to talk with a bank representative.
The number went to an automated voice system that asked for an account number and personal identification number, or PIN, in order to access the caller’s finances. The number was obtained through a regular provider of voice over internet protocol services.
There was no indication that the VoIP provider was aware of the scam, said Cloudmark, which declined to name the company and the spoofed bank.
The incident reflected a mutation in the tactics used by phishers to snare victims. More traditional schemes involve spam asking the recipient to visit their bank’s website through a link in the message. At the bogus site the visitor is asked to input personal information.
The latest scheme, however, is the first Cloudmark has seen using internet telephony.
Adam J. O’Donnell, Ph.D., senior research scientist at Cloudmark, says, "We have seen two separate VoIP attacks hit our network this week, the first we have been able to analyze in detail. In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem."
Callers are then connected over VoIP to a PBX running an IVR system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN. "The result," O’Donnell surmises, "can be personally financially devastating."
O’Donnell believed it was likely the phishers were using virus-infected computers that had been commandeered to take calls over the internet.
By combining a global threat detection network that leverages real-time reporting by trust-rated users with a unique fingerprinting methodology, Cloudmark is able to identify and begin blocking new spam, phishing and virus attacks within moments, versus the hours or days required with competing solutions.
Cloudmark is capable of accurately identifying and blocking these spoofed-number attacks. The company detected two new VoIP-specific attacks this week. As a precaution, Cloudmark advises against dialing phone numbers received in emails from institutions, and recommends double-checking and dialing the numbers printed on ATM cards instead.
Cloudmark offers two distinct services to thwart phishers, including an anti-phishing data service that provides confirmed phishing URLs to its customers. The Cloudmark anti-phishing engine fits within the service provider’s infrastructure to provide filtering protection from fraudulent email at the messaging gateway. It scans each message and computes a set of fingerprints on the message, a process that is automatic, lightweight and highly scalable for large volumes of email.
Traditional content and identity rules based on volume analysis for capturing spam do not work for phishing threats: phishers move quickly, setting up and tearing down multiple sites to launch the same attack. VoIP-based services allow phishers to cheaply add and cancel phone numbers that are harder to trace than conventional numbers. The Cloudmark Collaborative Security Network (CCSN) uses unique fingerprinting algorithms to identify the phone numbers used in VoIP phishing attacks.
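As an added illustration (not Cloudmark's fingerprinting method, which the article does not describe), the sketch below shows how a mail filter could treat a callback number as an indicator in the same way it treats a URL. The allowlist, the `examplebank.test` domain, the sample messages and the regular expressions are all assumptions made for this example.

```python
import re
from email import message_from_string

# Constructed data: numbers the institution itself publishes (e.g. on the ATM card).
KNOWN_GOOD = {"examplebank.test": {"+18005550100"}}

PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]?)?\(?(\d{3})\)?[\s.\-]?(\d{3})[\s.\-]?(\d{4})(?!\d)")
URL_RE = re.compile(r"https?://\S+", re.I)
LURE_RE = re.compile(r"\b(account|pin|verify|suspended)\b", re.I)

def normalize_numbers(text):
    """Extract North American numbers and reduce them to +1XXXXXXXXXX,
    so punctuation variants of one callback number compare equal."""
    return {"+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)}

def assess(raw_message):
    """Score a plain-text message for the phone-callback lure pattern."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    # The From header is trivially spoofed; it only tells us who the
    # message claims to be, which selects the allowlist to compare against.
    claimed = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    numbers = normalize_numbers(body)
    unknown = numbers - KNOWN_GOOD.get(claimed, set())
    reasons = []
    if unknown:
        reasons.append("callback number not published by claimed sender")
        if not URL_RE.search(body):
            reasons.append("phone number used in place of a link")
        if LURE_RE.search(body):
            reasons.append("account/PIN wording")
    return {"unknown": sorted(unknown), "reasons": reasons,
            "suspicious": len(reasons) >= 2}

# Constructed sample messages (555-01xx numbers are reserved for fiction).
PHISH = ("From: Example Bank <alerts@examplebank.test>\n"
         "Subject: Problem with your account\n\n"
         "There is an issue with your account. Call (212) 555-0147 now.\n")
LEGIT = ("From: Example Bank <alerts@examplebank.test>\n"
         "Subject: Statement ready\n\n"
         "Questions? Call 1-800-555-0100, the number on your card.\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, assess(raw))
```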
Cloudmark’s approach consistently proves faster and more accurate than competing methods because it relies on fingerprinting algorithms to analyze the structure of messages sent by phishers and to block new attacks in advance of receiving URL reports.
The CCSN first spotted and began to block these threats last week. It is characteristic of the network to automatically stop threats without the research team having previously identified them, so it is likely that the CCSN has been stopping VoIP-based attacks for some time.
Just as we warn you against clicking a URL in an email, we warn you against calling a phone number included in an email. Just as you should enter your bank’s Web site through the front door, O’Donnell says to call only the number on the back of your ATM card.
"The convergence of the Internet with the phone system allows someone with VoIP to do what the big boys used to do," says O’Donnell.