It's happened three times in the past six months. Due to "irregularities" on my credit card account, I've received voice mails asking me to call my bank at a telephone number mentioned in the voice mails. Do I call that number? Not with the rise of phone phishing. As users grow wiser about traditional email-based phishing scams, the bad guys add nasty new twists, the latest being phone phishing. These techniques, which borrow ideas from traditional phishing, phone-based social engineering and the emerging widespread deployment of low-cost VoIP, take two forms. Enterprises that help their users cope with phone phishing now will be better prepared to defend themselves when the attacks evolve into more serious phone-based spear phishing attacks.
In its most common incarnation today, phone phishing involves an attacker sending spoofed spam email that appears to come from a bank, financial services institution or government agency, claiming that the user's account has been frozen due to fraudulent activity. The email tells users to call a phone number included in the email to reactivate their credit cards or other financial accounts. When a user calls this number, a friendly voice message claiming to be a financial institution prompts the user to enter an account number and/or PIN. The reassuring voice explains that the account has been reactivated. Unfortunately for the unwitting user, a fraudster has just harvested vital account information.
Another form of phone phishing is even more insidious, bypassing the spam email altogether. In these scams, attackers use automated scripts to initiate VoIP calls to phone numbers in a targeted area code. The script uses the wide-open nature of most VoIP services to spoof caller ID, so that each call appears to come from a legitimate bank. When the script encounters a user's voice mailbox (either through a plain old telephone service line or another VoIP number), it leaves a voice message saying that the user's account has been frozen, and exhorts the user to call a given number to provide the account information, which, of course, the attacker harvests. Given that voice messages are now being spewed out spam-style, some people refer to this voice mail spam as SPIT (Spam over Internet Telephony).
It gets even worse. Attackers can gather some account information in advance, such as a name, credit card number and/or phone number. They pilfer this information from an e-commerce site, buy it on the black market or retrieve it by other means. The phishing attacks, then, are a means to complete the information for the account. Attackers gather the expiration date, three-digit security code, PIN and/or billing address by tricking the user into giving it over the phone. With this full account data, an attacker can more easily make fraudulent transactions and create a cloned credit card, a more valuable commodity on the black market than a mere list of account numbers. Thus, the phone phishing voice mail may include the user's credit card number, duping the user to call back and provide the remaining account information.
Why are attackers turning to phone phishing? Because it's easy and it works. Attackers rely on plentiful and disposable VoIP service, along with free, open-source PBX software, such as Asterisk, which can be used to set up those annoying but professional-sounding interactive voice prompts. Thus, phone phishing is also cheap. Using these technologies, attackers can establish a virtual phone presence from any country in the world using a local telephone number with VoIP forwarding the call overseas, mimicking the features of a legitimate financial services institution located in the United States or Europe.
In the near future, the stakes for enterprises might rise even higher, as phone phishers begin to borrow another idea from traditional phishing, namely spear phishing. Today, email-based spear phishing attacks are increasingly popular, using targeted emails directed to one organization attempting to trick its users into installing software or releasing sensitive information in a focused compromise. With the anticipated rise of phone spear phishing, attackers will trick enterprise users with emails that contain a phone number to call or even voice messages urging some action. Using VoIP, the attackers can pretend to be inside the organization itself by using a nearby phone number, when the attacker is really located across the planet. Phone spear phishing is essentially targeted, automated, phone-based social engineering on a mass scale.
To protect your organization against phone phishing, start by augmenting your user awareness program to advise your users about this threat. Explain how it affects them personally and how they can protect themselves. Tell them that they should never blindly trust email, especially emailed requests to call phone numbers. And, they shouldn't blindly trust voice mails, especially those that appear to come from their bank or other financial institutions.
Furthermore, tell your users never to give sensitive information over the phone to unexpected callers, even if they already have some of the user's personal information. Tell your users to hang up and call their financial services institution using the number on the back of their card, which they should write down and keep in a safe place other than their purse or wallet. The phone number can also be found on a recent statement or the institution's Web site.
You should check whether your enterprise PBX or call manager software has any capabilities for detecting and filtering repeated calls from an outside number scanning your own phone numbers. These features, originally created to combat the scourge of war dialing and aggressive telemarketers, can now help detect and prevent phone phishing in enterprise environments. Often, PBXes have these capabilities, but they are shut off by default. Turn them on, at least as an experiment, to try to detect these kinds of attacks against your organization.
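Where the PBX offers no such filter, the same check can be run offline against exported call records. The following is an added example, not code from this article or from any PBX vendor; the CSV layout, the sample records and the threshold values are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records (not from a real PBX):
# call start time, caller ID as presented, internal extension dialed.
SAMPLE_CDR = """\
start,caller,extension
2008-01-14T09:00:05,+12025550147,4101
2008-01-14T09:00:41,+12025550147,4102
2008-01-14T09:01:10,+12025550147,4103
2008-01-14T09:01:44,+12025550147,4104
2008-01-14T09:02:15,+12025550147,4105
2008-01-14T09:03:00,+13015550112,4102
2008-01-14T11:30:00,+13015550112,4102
2008-01-14T14:00:00,+17035550199,4101
2008-01-14T16:45:00,+17035550199,4107
"""

def find_sweeping_callers(cdr_text, min_extensions=4,
                          window=timedelta(minutes=10)):
    """Return {caller: sorted extensions} for outside numbers that reached
    at least min_extensions distinct extensions within one time window."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        calls[row["caller"]].append(
            (datetime.fromisoformat(row["start"]), row["extension"]))
    flagged = {}
    for caller, events in calls.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Advance the left edge until the span fits inside the window.
            while events[right][0] - events[left][0] > window:
                left += 1
            seen = {ext for _, ext in events[left:right + 1]}
            if len(seen) >= min_extensions:
                flagged[caller] = sorted(set(flagged.get(caller, [])) | seen)
    return flagged

if __name__ == "__main__":
    for caller, exts in find_sweeping_callers(SAMPLE_CDR).items():
        print(f"{caller} swept {len(exts)} extensions: {', '.join(exts)}")
```

Because caller ID can be spoofed, grouping by the presented number only catches sweeps that reuse one number; a flagged number is a lead for the incident handling team, not proof of who placed the calls.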
Next, update your corporate policies and user awareness program to address targeted phishing attacks. Specifically, make sure your employees know that certain information, such as passwords, should never be sent via email or discussed on the phone, no matter who asks for it. Tell employees who receive such email or phone calls to call the contact number for your organization's incident handling team, who should review such incidents on a regular basis. Because some employees have difficulty differentiating between incident handling teams and help desks, make sure you train help desk personnel to forward any instances of such activity to your incident response team.
And finally, to help bring the bad guys to justice, you can report suspicious email and voice mails to the FBI (via the Internet Crime Complaint Center at www.ic3.gov) and/or the Federal Trade Commission at firstname.lastname@example.org. Alternatively, report phishing to the Anti-Phishing Working Group at email@example.com. This group does a wonderful job in reporting on phishing-related fraud, as well as getting phishing sites taken down.
About the author
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity, Ed answers your questions relating to threats.
This was first published in January 2008