Congratulations to the AssetMetrix team! Ina Fried at CNET reports that they’ve been bought by none other than Microsoft. AssetMetrix’ software is an asset management system for IT departments. Capable of cataloging every PC and all the installed software on your network, it’s an essential part of the IT managers toolkit.
{ 0 comments }
Here’s a fascinating new development. Cloudmark has announced anti-phishing software for VoIP systems. The latest new criminal scam is to clone a bank’s IVR using Asterisk, or some other inexpensive IVR system, and then send email to users asking them to call the bank’s (er scammers) number, and enter in account and PIN information.
Adam J. O’Donnell, Ph.D., senior research scientist at Cloudmark, says, "We’ve seen two separate VoIP attacks hit our network this week, the first we’ve been able to analyze in detail. In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem." Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN. "The result," O’Donnell surmises, "can be personally financially devastating."
According to this report from PC World, more than 1000 messages were received over a 3 day period targeting a small bank in a large US city. Techweb reports that the messages likely originated from virus infected computers — virtually undetectable trojans.
There you have it.
Cloudmark is wrong to classify this as a VoIP attack. This is a phishing scam plain and simple. Although VoIP likely made it easier to obfuscate the phone number, and inexpensive VoIP equipment was likely used to clone the IVR, the root cause of this attack is the lack of a widely adopted identity and credentialling system. Such a system could be used to thwart more ordinary email based phishing schemes too.
As Dan York puts it:
say a gang of thieves rob a bank and use a beat-up station wagon as their get-away car. The headline is probably going to read
"Local bank robbed by thieves"
Say they do it again, only this time they use a Ferrari as their get-away car. Should the headline now be?
"Local bank robbed by a Ferrari"
{ 4 comments }
