The Tech Herald

Vishing scams making a return

by Steve Ragan - Oct 10 2009, 16:00

Vishing scams making a return. (IMG: AT&T)

In an ISC Diary update on Friday, Handler Rob VandenBrink reported a new Vishing scheme making its way across AT&T, Sprint, and T-Mobile’s networks. Vishing is the often underutilized cousin of Phishing, but if this latest attempt is any indication, it’s still a viable method of attack.

The recent attack starts with a text message that reports a problem with the victim's account. They're instructed to dial a toll-free number ending in 7649, which will prompt them for a credit card number, expiration date, and PIN. ISC posted an example of the recording here. If you listen closely, the recording sounds like a Speak & Spell or an old computer, making it a rather crude attempt at stealing information.

In the recording, should you listen, you'll hear the credit card number 4111 1111 1111 1111 being entered. Interestingly enough, the recording confirms this as valid. According to the ISC Diary, entering sixteen random digits will be rejected, suggesting real-time processing of the account information.
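The number heard in the recording, 4111 1111 1111 1111, is a widely used Visa test number that passes the Luhn mod-10 check, so the added example below (not code from the article or from ISC) implements that check and measures how often a constructed random sixteen-digit string passes it. That rate is worth knowing before reading "random digits rejected" as proof of live verification, since a purely offline Luhn check already rejects roughly nine in ten random strings.

```python
import random


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Spaces and other non-digits are ignored so the number can be passed
    exactly as it is spoken or printed on a card.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit from the right is
    # doubled, and a doubled value above 9 has 9 subtracted (digit sum).
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def random_pass_rate(samples: int, seed: int = 1) -> float:
    """Fraction of constructed random 16-digit strings that pass Luhn.

    The strings are generated locally with a seeded PRNG; they are sample
    data, not real card numbers. The expected rate is about 0.10.
    """
    rng = random.Random(seed)
    passed = 0
    for _ in range(samples):
        candidate = "".join(rng.choice("0123456789") for _ in range(16))
        if luhn_valid(candidate):
            passed += 1
    return passed / samples


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))  # True: the test number checks out
    print(luhn_valid("4111 1111 1111 1112"))  # False: one digit changed
    print(round(random_pass_rate(10000), 2))  # about 0.10
```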

As mentioned, the Vishing attack has been confirmed targeting mobile numbers for AT&T, Sprint, and T-Mobile subscribers. Several security professionals are working to have the number taken down.

Vishing is no different than Phishing when it comes to the overall goal. The object is to get you to part with information or money, sometimes both, by calling a number. The main difference is execution. Phishing attacks, like Vishing attacks, can start with email, but one ends on a fraudulent website while the other ends with a toll-free call. Vishing attacks will also use text messages, and target specific carriers and regions.

One notable example of a Vishing scam where one carrier and region were targeted dates back to last March. Customers of the Motorola Employees Credit Union, in Schaumburg, Illinois, who were on Cingular's (now AT&T) network, started seeing text messages related to account problems at the CU. Those who fell for it lost valuable account information, as well as money in some cases.

Other Vishing attacks began with emails that claimed to come from the IRS. Like similar IRS-related scams, the emails notified victims of pending refunds and instructed them to call a toll-free number. The refunds were to be sent "only to Visa or MasterCard debit cards," so when the number was called, the caller was asked for the card number, expiration date, and PIN, and since it was the IRS after all, they were instructed to enter their SSN.

Earlier the same year, the IC3 issued a warning as they started to notice a growing trend in Vishing attacks. In their warning, the Internet Crime Complaint Center said that the attacks were persuading “…consumers to divulge their Personally Identifiable Information (PII), claiming their account was suspended, deactivated, or terminated. Recipients are directed to contact their bank via telephone number provided in the e-mail or by an automated recording.”

“Upon calling the telephone number, the recipient is greeted with ‘Welcome to the bank of ...’ and then requested to enter their card number in order to resolve a pending security issue.”

Vishing has been around since 2006, and like Phishing there are kits that help criminals construct and automate attacks.

Donald Smith, who is with ISC, discovered such a kit. Dubbed SmssmtpSender, "…the kit consisted of several individual tools cobbled together to create a single toolkit to compromise, manage and control a set of systems for sending SMS spam via compromised POP accounts that had weak passwords," Smith wrote.

Some details from Smith’s ISC Diary entry are here.

Like all scams, Vishing is just an attempt to violate trust in something. If you get an email or text message from your cell provider or bank reporting issues, do not call the number in the message. Instead, call the number on the back of the card, or the local bank branch directly.

Most times the best bet is to just delete the message and forget it ever appeared.
