>From Computerworld:
New phishing scam model leverages VoIP
Novelty of dialing a phone number lures in the unwary
News Story by Cara Garretson
APRIL 26, 2006
(NETWORK WORLD) - Small businesses and consumers aren't the only ones
enjoying the cost savings of switching to voice over IP
(VoIP). According to messaging security company Cloudmark Inc., phishers
have begun using the technology to help them steal personal and
financial information over the phone.
Earlier this month, San Francisco-based Cloudmark trapped an e-mailed
phishing attack in its security filters that appeared to come from a
small bank in a big city and directed recipients to verify their account
information by dialing a certain phone number. The Cloudmark user who
received the e-mail and alerted the company knew it was a phishing scam
because he's not a customer of this bank.
Usually phishing scams are e-mail messages that direct unwitting
recipients to a Web site where they're tricked into giving up their
personal or financial information. But because much of the public is
learning not to visit the Web sites these messages try to direct them
to, phishers believe asking recipients to dial a phone number instead is
novel enough that people will do it, says Adam O'Donnell, senior
research scientist at Cloudmark.
And that's where VoIP comes in. By simply acquiring a VoIP account,
associating it with a phone number and backing it up with an interactive
voice-recognition system and free PBX software running on a cheap PC,
phishers can build phone systems that appear as elaborate as those used
by banks, O'Donnell says. "They're leveraging the same economies that
make VoIP attractive for small businesses," he says.
Cloudmark has no proof that the phishing e-mail it snagged was using a
VoIP system, but O'Donnell says it's the only way that staging such an
attack could make economic sense for the phisher.
The company expects to see more of this new form of phishing. Once a
phished e-mail with a phone number is identified, Cloudmark's security
network can filter inbound e-mail messages and block those that contain
the number, says O'Donnell.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
