I am surprised nobody has tried to phish on an inbound call basis. Call a bank customer, leave an official-sounding automated message with a local DID or toll-free number for the customer to call back.
Once they call back, just patch them through to the standard bank IVR line and skim DTMF for account number and phone banking password. Not exactly sure how much damage you can do with this info, but if you record the call you could probably get all other relevant info from security questions posed by the bank CSR...

The attack could work on mail -> inbound call or e-mail -> inbound call basis. Just bounce the number through a set of DIDs in several countries, and you cover your tracks or at least make it complicated for law enforcement to track you down. Use disposable credit cards to pay the bills and presto... you are invisible.

But maybe I'm just more evil than the average bear :)

-----Original Message-----
From: Alan Cohen [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 30, 2008 2:27 PM
To: Asterisk User Group
Subject: [Bulk] [on-asterisk] RE illegal to fake CID

FYI: I recently was contacted by The TD Bank Fraud Prevention Dept -- except it wasn't TD who called me: it was a fraudster. He was very slick. He covered all the bases including his callerID which reported the real number for the Bank Fraud Prevention Dept.

Sincerely,
Alan Cohen
email: [EMAIL PROTECTED]
website: http://perimeter911.com
voice: 416-781-2524
