Re: VoIP and phishing

2006-04-29 Thread Bill Stewart

There are two sides to the voice phishing here -
- getting the target to call a phone number you've emailed him
- using cheap voice calls to call the target with your offer.

VOIP doesn't affect the former case much,
since the target is paying for the call,
but it does separate callee geography from phone numbers,
so you can use a plausible phone number (e.g. New York)
that's directed to a location with cheap criminal labor,
without the effort that used to be required to set up
FX numbers or expensive international private lines
or locate your call center in the target's country or state.

I've received one Nigerian 419 phone call, a few years back,
which used a Deaf Relay Operator to relay the call from
the scammer, and apparently they used to be heavy abusers of that service.
VOIP also makes that more practical, and somebody's coined
the term SPIT to refer to Spam over IP Telephony.

But phone calls are cheap enough that labor is the
dominant cost of the calls.  I receive frequent
offers to refinance my mortgage or get credit cards
that use presumably-standard phone banks, usually calling
from India and claiming to be US banks.
For all I know, they really are legitimate rude bankers
instead of scammers, but I don't care either way.
VOIP may have replaced voice over frame as the transmission medium,
but it's often an enabling technology for the telco rather than
voice over internet to the end user.

I've been at a lot of telecom trade shows recently,
and vendors have been showing off session border controllers
and various security devices and presence servers,
and while there are lots of tools to let the recipient
indicate whether he's accepting calls or not,
there doesn't seem to be much out there to detect and
reject unwanted calls wholesale.  Most of what I've seen
that's somewhat in that direction are buddy-list tools that
let your spouse/boss/etc. reach you directly and divert other
callers to voice mail or whatever, but within a year or two
we'll start needing to get more sophisticated filters the
way we do with email.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


VoIP and phishing

2006-04-27 Thread leichter_jerrold
From Computerworld:


New phishing scam model leverages VoIP
Novelty of dialing a phone number lures in the unwary
  News Story by Cara Garretson

APRIL 26, 2006
(NETWORK WORLD) - Small businesses and consumers aren't the only ones
enjoying the cost savings of switching to voice over IP
(VoIP). According to messaging security company Cloudmark Inc., phishers
have begun using the technology to help them steal personal and
financial information over the phone.

Earlier this month, San Francisco-based Cloudmark trapped an e-mailed
phishing attack in its security filters that appeared to come from a
small bank in a big city and directed recipients to verify their account
information by dialing a certain phone number. The Cloudmark user who
received the e-mail and alerted the company knew it was a phishing scam
because he's not a customer of this bank.

Usually phishing scams are e-mail messages that direct unwitting
recipients to a Web site where they're tricked into giving up their
personal or financial information. But because much of the public is
learning not to visit the Web sites these messages try to direct them
to, phishers believe asking recipients to dial a phone number instead is
novel enough that people will do it, says Adam O'Donnell, senior
research scientist at Cloudmark.

And that's where VoIP comes in. By simply acquiring a VoIP account,
associating it with a phone number and backing it up with an interactive
voice-recognition system and free PBX software running on a cheap PC,
phishers can build phone systems that appear as elaborate as those used
by banks, O'Donnell says. They're leveraging the same economies that
make VoIP attractive for small businesses, he says.

Cloudmark has no proof that the phishing e-mail it snagged was using a
VoIP system, but O'Donnell says it's the only way that staging such an
attack could make economic sense for the phisher.

The company expects to see more of this new form of phishing. Once a
phished e-mail with a phone number is identified, Cloudmark's security
network can filter inbound e-mail messages and block those that contain
the number, says O'Donnell.

-- Jerry
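The countermeasure the article describes, blocking inbound mail that contains an already-identified phishing call-back number, as an added Python example that is not Cloudmark's code and not part of the original post. The blocklist entries and sample messages are constructed; the regex and the digits-only canonical form are my assumptions about how such a filter would normalise the many ways a North American number can be written.

```python
import re

# Constructed sample blocklist (placeholder numbers, not real indicators),
# stored in canonical digits-only form with the leading country code 1.
BLOCKED_NUMBERS = {
    "12125550142",   # constructed "small bank in a big city" call-back number
    "18005550199",   # constructed toll-free variant of the same scam
}

# Candidate North American numbers: optional +1 / 1 prefix, then 3-3-4 digit
# groups separated by nothing, spaces, dots, dashes or parentheses. Catches
# "(212) 555-0142", "212.555.0142", "1-800-555-0199" and "+1 212 555 0142".
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]*)?\(?\d{3}\)?[\s.\-]*\d{3}[\s.\-]*\d{4}(?!\d)"
)


def canonical(raw: str) -> str:
    """Strip formatting and reduce a number to 11 digits starting with 1."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def extract_numbers(body: str) -> set[str]:
    """Return every candidate phone number in an e-mail body, canonicalised."""
    return {canonical(m.group(0)) for m in PHONE_RE.finditer(body)}


def classify(body: str, blocklist=BLOCKED_NUMBERS) -> tuple[str, set[str]]:
    """('block', matched numbers) if the body names a listed number, else ('pass', set())."""
    hits = extract_numbers(body) & set(blocklist)
    return ("block", hits) if hits else ("pass", set())


# Constructed sample messages: a plain phish, an obfuscated one, and a legitimate one.
PHISH = """Dear valued customer, unusual activity was detected on your account.
Please verify your account information by calling (212) 555-0142 within 24 hours."""
PHISH_OBFUSCATED = "Call 1.212.555.0142 or toll free 1 800 555 0199 to confirm."
LEGIT = "Reminder: dentist appointment Tuesday at 10:30. Office: 415-555-0123."

if __name__ == "__main__":
    for msg in (PHISH, PHISH_OBFUSCATED, LEGIT):
        print(classify(msg))
```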



Re: VoIP and phishing

2006-04-27 Thread mis
the other point that should be made about voip is that
callerid is trivial to spoof.  

so if you are counting on the calling party being who they say they are,
or even within your company, based on callerid, don't.

i predict a round of targeted attacks on help desks and customer
service, as well as more general scams with callerid set to (say) 
Visa Security.

does anyone know if time ANI from toll free services is still unspoofable?

some of my clients have been receiving targeted phishes recently that correctly
name their bank and property address and claim to be about their mortgage.
this is information obtainable from public records.



On Thu, Apr 27, 2006 at 12:07:20PM -0400, [EMAIL PROTECTED] wrote:



Re: VoIP and phishing

2006-04-27 Thread leichter_jerrold
| the other point that should be made about voip is that callerid is
| trivial to spoof.
| 
| so if you are counting on the calling party being who they say they
| are, or even within your company, based on callerid, don't.
| 
| i predict a round of targeted attacks on help desks and customer
| service, as well as more general scams with callerid set to (say)
| Visa Security.
To open a trouble ticket with IT where I work, you go to a Web page; or,
if you have problems using the network, you can use the phone.  When the
phone is replaced by one that uses VoIP, just how will one report network
outages?  I can't wait.

| does anyone know if time ANI from toll free services is still
| unspoofable?
The last I heard, it was fairly easy to *suppress* ANI (using games that
redirected calls the network saw as going to toll-free numbers), but
still difficult to *spoof* it.  Since ANI drives Telco billing - unlike
Caller ID, which is simply delivered to customers - the Telcos have an
interest in making it difficult to fake.  On the other hand, LD revenues
have been falling for years, so the funding to attack LD fraud has
probably been falling, too - given how many people now have all-you-
can-eat plans, there's less and less reason to worry about them
stealing.

| some of my clients have been receiving targeted phishes recently that
| correctly name their bank and property address and claim to be about
| their mortgage.  this is information obtainable from public records.
I probably get an offer to refinance my mortgage every other week or
so.  The letters cite real information about me and my mortgage:  They
know its size, or at least they know the amount at the time I took out
the mortgage.

In low-income areas, there's a long history of fraudulent refinancing -
claiming you are getting a better loan for the person but really getting
him deeper and deeper in the hole while you pocket various fees.  I
wouldn't want to bet that all the come-on letters I receive are legitimate!
The only difference between some of this stuff and phishing is the
medium used.
-- Jerry



Re: VoIP and phishing

2006-04-27 Thread mis
On Thu, Apr 27, 2006 at 01:12:43PM -0700, [EMAIL PROTECTED] wrote:

> so if you are counting on the calling party being who they say they are,
> or even within your company, based on callerid, don't.
> 
> does anyone know if time ANI from toll free services is still unspoofable?

make that real-time ANI



Re: VoIP and phishing

2006-04-27 Thread James Cloos
"mis" == mis [EMAIL PROTECTED] writes:

mis> does anyone know if [real-]time ANI from
mis> toll free services is still unspoofable?

No, in general it is not unspoofable.

But you probably need the gateway into the PSTN to use SS7 and IMT
trunks; and that probably means a CLEC license in the US, or similar
elsewhere.  That presumably means more substantial civil and criminal
penalties for spoofing with criminal intent, not to mention the
potential loss of the operating license for doing so.

So although it is certainly doable, it'll be expensive and likely
beyond the means of small-time players.

In short, if you have direct SS7 access, there isn't much you cannot
do to screw over other providers and their customers.  Hence all of
the rules and regs for getting such access.

-JimC
-- 
James H. Cloos, Jr. [EMAIL PROTECTED]
