
Phishing with VoIP

Here’s a fascinating new development. Cloudmark has announced anti-phishing software for VoIP systems. The latest criminal scam is to clone a bank’s IVR using Asterisk, or some other inexpensive IVR system, and then send email to users asking them to call the bank’s (actually the scammers’) number and enter their account number and PIN.

Adam J. O’Donnell, Ph.D., senior research scientist at Cloudmark, says, "We’ve seen two separate VoIP attacks hit our network this week, the first we’ve been able to analyze in detail. In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem." Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN. "The result," O’Donnell surmises, "can be personally financially devastating."

According to this report from PC World, more than 1,000 messages were received over a three-day period targeting a small bank in a large US city. Techweb reports that the messages likely originated from virus-infected computers, machines carrying trojans that are virtually undetectable to their owners.
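The lure described above can be caught on the email side, before anyone picks up a phone: a mail filter can pull every callback number out of the message and compare it with the numbers the institution actually publishes. The following is an added example of such a check, written for this page and not Cloudmark's code; the bank's allowlist, the lure wording and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed allowlist: the numbers a (hypothetical) bank really publishes.
KNOWN_BANK_NUMBERS = {"+18005550100", "+18005550199"}

# North American numbers with an optional leading "1", tolerating spaces,
# dots, dashes and parentheses as separators. Lookarounds stop the pattern
# from matching the middle of a longer digit string.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

# Wording that typically surrounds a callback lure (constructed heuristic):
# a verb asking the reader to call, followed shortly by account/verification talk.
LURE_RE = re.compile(
    r"\b(call|dial|phone)\b.{0,60}?\b(account|verify|suspend|issue|problem)\b",
    re.I | re.S,
)


def normalize(match: re.Match) -> str:
    """Canonical +1NPANXXXXXX form so formatting tricks do not defeat the allowlist."""
    return "+1" + "".join(match.groups())


def extract_numbers(text: str) -> set:
    return {normalize(m) for m in PHONE_RE.finditer(text)}


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    if msg.is_multipart():
        parts = [
            p.get_payload(decode=True).decode("utf-8", "replace")
            for p in msg.walk()
            if p.get_content_type() == "text/plain"
        ]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def classify(raw: str) -> dict:
    """Flag a message that asks the reader to call a number the bank does not own."""
    msg = message_from_string(raw)
    text = body_text(msg)
    numbers = extract_numbers(text)
    unknown = sorted(numbers - KNOWN_BANK_NUMBERS)
    lure = bool(LURE_RE.search(text))
    if unknown and lure:
        verdict = "vishing"      # unknown callback number plus lure wording
    elif unknown:
        verdict = "suspect"      # unknown number, no lure wording: review
    else:
        verdict = "ok"
    return {
        "subject": msg["Subject"],
        "numbers": sorted(numbers),
        "unknown": unknown,
        "lure_wording": lure,
        "verdict": verdict,
    }


# Constructed sample messages (not real mail).
SAMPLE_LURE = """From: security@example-bank.test
To: customer@example.test
Subject: Important notice about your account

We have detected unusual activity on your account. To avoid
suspension, please call 1-800-555-0177 and enter your account
number and PIN to verify your identity.
"""

SAMPLE_LEGIT = """From: statements@example-bank.test
To: customer@example.test
Subject: Your statement is available

Your monthly statement is ready. Questions? Call us at (800) 555-0100
during business hours.
"""

SAMPLE_SUSPECT = """From: news@example-bank.test
To: customer@example.test
Subject: New branch hours

Our downtown branch opens Monday. You can reach the branch at 800-555-0150.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_LEGIT, SAMPLE_SUSPECT):
        print(classify(raw))
```

The allowlist comparison is the part that matters: the cloned IVR sounds identical to the bank's, so the only thing the victim could have checked is whether the number itself belongs to the bank, and that check is far easier to make in the mail filter than over the phone.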

There you have it. 

Cloudmark is wrong to classify this as a VoIP attack. This is a phishing scam, plain and simple. VoIP probably made it easier to obscure where the phone number really terminates, and inexpensive VoIP equipment was probably used to clone the IVR, but the root cause of this attack is the lack of a widely adopted identity and credentialling system. Such a system could be used to thwart ordinary email-based phishing schemes too.

As Dan York puts it:

Say a gang of thieves rob a bank and use a beat-up station wagon as their get-away car. The headline is probably going to read

"Local bank robbed by thieves"

Say they do it again, only this time they use a Ferrari as their get-away car. Should the headline now be?

"Local bank robbed by a Ferrari"


  • Aswath April 27, 2006, 3:17 am

    Except there is a difference. The owner of the Ferrari has to go through the same registration process as the owner of the beat-up station wagon. But that is not the case in VoIP. As a PSTN user, I have a certain level of protection when I call another PSTN number: I could hope to track down a responsible person and can have some legal backing as well. But it seems the VoIP industry has managed to get the interconnection rights without the associated responsibilities. The caller ID scam is an immediate example. Just like the incumbents use unfair tactics to scare away the VoIP industry, the VoIP industry has not been playing straight.

    In this case, the question is how willing a VoIP service provider will be to identify one of their "IN" subscriber? What are my legal rights to get that information? My concerns may well be misplaced, but my perception is that VoIP industry is infantile in the sense that it wants all the rights and none of the responsibilities.

  • Alec April 27, 2006, 3:40 am

    I agree with you Aswath. That was the point of my, perhaps unclear, comments about the need for a credentialling and identity system.

  • Jay April 27, 2006, 5:53 am

    Ah, analogies… Whether it is PSTN or VoIP, there is still the possibility of a stolen transport. Cars get lifted for use in crimes. It's always possible that a stolen cell phone, opened residential NID, simple SIP/IAX voice account, PBX, Class 5, soft or otherwise, has been commandeered for nefarious purposes.

    Some might argue this highlights that some form of n-phase authentication is required. Cars have keys but thieves still manage to figure out ways to steal them — and even with a great n-phase authentication system like a fancy key fob, car-jacking is still a concern. If a soft-phone is on a PC that is completely compromised by trojan-worm-ilk, where would the n-phase authentication need to be? As well, if it was there, would the user consider this n-phase authentication a hurdle to using the service in the first place?

  • Vijay April 28, 2006, 8:00 pm

    At the end of the day, Aswath does make a very good point. There are still things that we haven't anticipated when it comes to the security of a VoIP-based infrastructure. Thanks to guys like Dan of Bluebox, at least the focus is slowly shifting towards such things and there are efforts being made, but at the end of the day, there is still a long way to go.

    The question comes down to: Do we have to compromise freedom (outside the walls), to security (being inside the walls of the operators)?

    Or Maybe it is just a matter of more companies exploring the ways to make VoIP more secure. Prominent Networks is one such company, apart from the one that is mentioned in the original post.
