Phishing is an attack against data privacy whereby the victim himself gives out his personal data, after biting the bait. Not very different from 'fishing'! Phishing over VoIP is becoming so rampant that a special term has been assigned to it: vishing.
In this article we look at:
- How phishing works
- Examples of phishing attacks
- VoIP and phishing
- How VoIP makes phishing easier
- How to prevent and avoid phishing
How Phishing Works
Phishing is a type of attack that is gaining popularity, and it is an easy way for data thieves to obtain what they want. Out of the millions of people who receive such messages, there is still a significant number of naive users who get hooked!
Phishing works like this: a data thief sends you an email message or a voice mail made to look like an official message from a company you have financial or other dealings with, such as your bank, PayPal or eBay. The message tells you about a problem, which alarms you, and asks you to go to a site or phone a number where you have to give your personal data, such as your credit card number and passwords.
Some users are so easily lured that attackers trick them into giving their credit card number, expiration date and security code, which the attackers then use to make transactions with the card or to make cloned credit cards. That can be financially devastating.
Examples of Phishing Attacks
Here are examples of ways in which you can be attacked if you are a phishing target:
1. You get an email from PayPal, eBay or companies of their like, informing you of some irregularity on your part, and stating that your account is frozen. You are told that the only way to free your account is to go to a given link and give your password and other personal information.
2. You get a voice mail from your Internet banking department saying that someone has tried to tamper with your password, and that something has to be done quickly to save your account. You are requested to phone a given number and give your credentials so that you can change your existing account credentials.
3. You get a phone call from your bank saying that they have noticed some suspicious or fraudulent activities on your bank account, and asking you to either phone back (because most of the time the voice is pre-recorded) and/or give your bank account number, credit card number etc.
As a concrete example, some time ago a person was informed about the suspension of his Bank of America account because it was supposedly used to purchase "obscene or certain sexually oriented goods or services." The message went thus: "We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of Bank of America's Acceptable Use Policy. Therefore, your account has been temporarily limited for: hotjasmin.com cam shows. In order to remove the limit please call our TOLL FREE number [omitted]." The victim was then asked to enter certain information, including his bank PIN, in these words: "Bank of America asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities."
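The three examples and the Bank of America message share one lure pattern: an alarming notice, a link whose visible text disagrees with where it really points, a request for a PIN or password, or a number to call back. Each of those is something a mail filter can check mechanically. The script below is an added example and is not part of the original article; the urgency phrases, the indicator weights, the domains and the 555 number are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the alarm-and-act pattern (assumed list, not exhaustive).
URGENCY_PHRASES = (
    "account has been temporarily limited",
    "account is frozen",
    "suspicious activity",
    "verify your identity",
    "has to be done quickly",
)
# Secrets a real institution does not ask for by email. Word-bounded so that
# "pin" does not match inside "shipping".
CREDENTIAL_RE = re.compile(r"\b(pin|password|security code|credit card number)\b")
# "call ... <digits>" within a short distance: the vishing call-back lure.
CALLBACK_RE = re.compile(r"\b(?:call|phone)\b[^.]{0,40}?\b\d[\d\s().-]{7,}\d")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Crude; production code uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(sender, subject, html_body):
    """Return the sorted list of indicator names present in one message."""
    found = set()
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])

    if any(p in text for p in URGENCY_PHRASES):
        found.add("urgency")
    if CREDENTIAL_RE.search(text):
        found.add("asks_for_credentials")
    if CALLBACK_RE.search(text):
        found.add("asks_to_call_number")

    parser = LinkExtractor()
    parser.feed(html_body)
    for href, visible in parser.links:
        target = urlparse(href)
        target_domain = registrable_domain(target.hostname or "")
        shown = DOMAIN_RE.search(visible.lower())
        # Link text shows one domain while the href goes to another: the classic lure.
        if shown and registrable_domain(shown.group(0)) != target_domain:
            found.add("link_text_mismatch")
        if target_domain and target_domain != sender_domain:
            found.add("link_domain_differs_from_sender")
        if target.scheme == "http":
            found.add("plain_http_link")
    return sorted(found)


# Assumed weights: the visible/actual link mismatch is the strongest single signal.
WEIGHTS = {
    "link_text_mismatch": 3,
    "asks_for_credentials": 2,
    "asks_to_call_number": 2,
    "urgency": 1,
    "link_domain_differs_from_sender": 1,
    "plain_http_link": 1,
}


def risk_score(indicators):
    return sum(WEIGHTS.get(i, 0) for i in indicators)


# Constructed sample messages (fictional domains, 555 number); not real mail.
PHISH = dict(
    sender="security@examplebank-alerts.example",
    subject="Your account has been temporarily limited",
    html_body=(
        "<p>After a recent review of your account activity we noticed suspicious activity.</p>"
        '<p>Restore access at <a href="http://examplebank.verify-login.example/restore">'
        "www.examplebank.example/secure</a> and confirm your PIN.</p>"
        "<p>Or call our toll free number 1-800-555-0100.</p>"
    ),
)
LEGIT = dict(
    sender="newsletter@examplebank.example",
    subject="Your monthly statement is ready",
    html_body='<p>Your statement is ready in online banking. '
              '<a href="https://www.examplebank.example/statements">View statement</a></p>',
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        found = phishing_indicators(**msg)
        print(name, risk_score(found), found)
```

The score is deliberately additive and transparent rather than a trained model: an analyst can read back which of the page's lure elements fired on a given message, and a single strong indicator (the visible-text/href mismatch) is enough to put a message above any sensible threshold on its own.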
VoIP and Phishing
Before VoIP became popular, phishing attacks were carried out through spam email messages and PSTN landline phones. Since VoIP reached many homes and businesses, phishers (how about phishermen?) have turned to making phone calls, which reach more people, since not everyone uses email but nearly everyone has a phone.
One may ask why phishers did not use PSTN phones before VoIP. The PSTN is perhaps the most secure modern means of telecommunication, with perhaps the most secure network and infrastructure, whereas VoIP is more vulnerable than the PSTN.
How VoIP Makes Phishing Easier
Phishing is made easier for attackers using VoIP for the following reasons:
- VoIP is cheaper than PSTN and is now quite widely available.
- With VoIP, attackers can tamper with the caller ID that appears to the users and make it appear as if their bank or any other trusted organisation is contacting them.
- VoIP software for PBXs, like the very popular open-source Asterisk, gives the programmer so much power that people with minimal skills can now achieve what only nerds could before. Any programmer with basic knowledge of VoIP can manipulate a deployment and build a bank of fake numbers to dupe victims with, without compromising their own identity.
- VoIP hardware, like IP phones, ATAs, routers and IP-PBXs, has become affordable, and the software that accompanies it is more user-friendly, which makes the manipulators' task easier. These devices are also very portable and can be taken anywhere.
- VoIP hardware and its easy integration with PCs and other computer systems (as with voicemail) make it easy for vishers to record the phone calls of the numerous victims who have been hooked, without having to be present themselves.
- Unlike PSTN numbers, VoIP numbers can be set up and destroyed in a matter of minutes, so it is nearly impossible for the authorities to track vishers down.
- With VoIP, vishers can send one message to thousands of recipients at one go, instead of having to dial each number for every vishing call.
- Using VoIP, an attacker can create a virtual number for any country. He can then use a local number and forward the calls overseas, thereby impersonating popular financial institutions in Europe or the US.
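Two of the points above, a tampered caller ID and one message sent to thousands of recipients, leave traces that the receiving PBX can check before the call ever rings. The script below is an added example, written for this page and not taken from the article or from Asterisk. It parses a constructed SIP INVITE, flags a caller that presents a known institution's number while arriving from outside the carrier trunk that institution is known to use, flags a display name borrowed from an institution whose number it does not match, and counts INVITEs per source host in a sliding window to spot bulk calling. The allow-list TRUSTED_CALLERS is an assumption a defender would maintain; IP addresses are documentation ranges and phone numbers are 555 numbers.

```python
import ipaddress
import re
from collections import defaultdict, deque


def build_invite(display_name, caller_number, source_host):
    """Construct a minimal SIP INVITE as a receiving PBX would see it (sample data only)."""
    return "\r\n".join([
        "INVITE sip:+15550100@pbx.example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {source_host}:5060;branch=z9hG4bK776asdhds",
        f'From: "{display_name}" <sip:{caller_number}@{source_host}>;tag=1928301774',
        "To: <sip:+15550100@pbx.example.net>",
        f"Call-ID: a84b4c76e66710@{source_host}",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:{caller_number}@{source_host}:5060>",
        "Content-Length: 0",
        "",
        "",
    ])


def parse_invite(raw):
    """Extract the caller-ID fields a PBX evaluates: From display name, From number, topmost Via host."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # end of header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first Via is the topmost one
    from_hdr = headers.get("from", "")
    display = re.search(r'"([^"]*)"', from_hdr)
    number = re.search(r"sip:(\+?\d+)@", from_hdr)
    via = re.search(r"SIP/2\.0/\w+\s+([^\s;:]+)", headers.get("via", ""))
    return {
        "display_name": display.group(1) if display else "",
        "from_number": number.group(1) if number else "",
        "via_host": via.group(1) if via else "",
    }


# Assumed allow-list kept by the defender: the number a trusted institution really
# calls from, and the carrier trunk(s) its calls are expected to arrive through.
TRUSTED_CALLERS = {
    "+18005550100": {"name": "Example Bank", "trunks": ["203.0.113.0/24"]},
}


def _host_in_trunks(host, trunks):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname rather than an IP literal: treat as untrusted
    return any(addr in ipaddress.ip_network(net) for net in trunks)


def assess_call(invite, registry=TRUSTED_CALLERS):
    """Return caller-ID inconsistency flags for one parsed INVITE."""
    flags = []
    entry = registry.get(invite["from_number"])
    # The presented number belongs to a trusted institution, but the call did not
    # come in over that institution's trunk: the caller ID cannot be trusted.
    if entry and not _host_in_trunks(invite["via_host"], entry["trunks"]):
        flags.append("caller_id_not_from_trusted_trunk")
    # The display name is an institution's, but the number is not that institution's.
    for number, info in registry.items():
        if (invite["display_name"].lower() == info["name"].lower()
                and invite["from_number"] != number):
            flags.append("display_name_impersonation")
            break
    return flags


class BulkCallDetector:
    """Sliding-window counter: True once a source places more than `limit` INVITEs in `window` seconds."""
    def __init__(self, limit=50, window=60.0):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)

    def observe(self, source_host, timestamp):
        q = self._seen[source_host]
        q.append(timestamp)
        while q and timestamp - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


if __name__ == "__main__":
    for host in ("198.51.100.23", "203.0.113.7"):
        call = parse_invite(build_invite("Example Bank", "+18005550100", host))
        print(host, assess_call(call))
    detector = BulkCallDetector(limit=50, window=60.0)
    print("bulk:", [detector.observe("198.51.100.23", t) for t in range(52)][-1])
```

The trunk check works because the From header is free text chosen by the sender, while the topmost Via records the hop the INVITE actually arrived from; a PBX that only displays the From number shows the victim whatever the attacker typed. In practice the allow-list would be fed from the carrier's trunk configuration, and a flagged call would be rejected, answered with a warning, or logged for the fraud team rather than passed through with a bank's name on the display.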
Read more on how to prevent phishing and avoid being trapped.