the other point that should be made about voip is that
callerid is trivial to spoof.  

so if you are counting on the calling party being who they say the are,
or even within your company, based on callerid, don't.

i predict a round of targeted attacks on help desks and customer
service, as well as more general scams with callerid set to (say) 
"Visa  Security".

does anyone know if time ANI from toll free services is still unspoofable?

some of my clients have been receiving targeted phishes recently that correctly 
their bank and property address and claim to be about their mortgage.
this is information obtainable from public records.

On Thu, Apr 27, 2006 at 12:07:20PM -0400, [EMAIL PROTECTED] wrote:
> >From Computerworld:
> New phishing scam model leverages VoIP
> Novelty of dialing a phone number lures in the unwary
>       News Story by Cara Garretson
> APRIL 26, 2006
> (NETWORK WORLD) - Small businesses and consumers aren't the only ones
> enjoying the cost savings of switching to voice over IP
> (VoIP). According to messaging security company Cloudmark Inc., phishers
> have begun using the technology to help them steal personal and
> financial information over the phone.
> Earlier this month, San Francisco-based Cloudmark trapped an e-mailed
> phishing attack in its security filters that appeared to come from a
> small bank in a big city and directed recipients to verify their account
> information by dialing a certain phone number. The Cloudmark user who
> received the e-mail and alerted the company knew it was a phishing scam
> because he's not a customer of this bank.
> Usually phishing scams are e-mail messages that direct unwitting
> recipients to a Web site where they're tricked into giving up their
> personal or financial information. But because much of the public is
> learning not to visit the Web sites these messages try to direct them
> to, phishers believe asking recipients to dial a phone number instead is
> novel enough that people will do it, says Adam O'Donnell, senior
> research scientist at Cloudmark.
> And that's where VoIP comes in. By simply acquiring a VoIP account,
> associating it with a phone number and backing it up with an interactive
> voice-recognition system and free PBX software running on a cheap PC,
> phishers can build phone systems that appear as elaborate as those used
> by banks, O'Donnell says. "They're leveraging the same economies that
> make VoIP attractive for small businesses," he says.
> Cloudmark has no proof that the phishing e-mail it snagged was using a
> VoIP system, but O'Donnell says it's the only way that staging such an
> attack could make economic sense for the phisher.
> The company expects to see more of this new form of phishing. Once a
> phished e-mail with a phone number is identified, Cloudmark's security
> network can filter inbound e-mail messages and block those that contain
> the number, says O'Donnell.
>                                                       -- Jerry
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to