VoIP and phishing

mis at seiden.com
Thu Apr 27 16:12:43 EDT 2006


the other point that should be made about voip is that
callerid is trivial to spoof.  

so if you are counting on the calling party being who they say they are,
or even within your company, based on callerid, don't.

i predict a round of targeted attacks on help desks and customer
service, as well as more general scams with callerid set to (say)
"Visa Security".

does anyone know if time ANI from toll free services is still unspoofable?

some of my clients have been receiving targeted phishes recently that correctly name
their bank and property address and claim to be about their mortgage.
this is information obtainable from public records.



On Thu, Apr 27, 2006 at 12:07:20PM -0400, leichter_jerrold at emc.com wrote:
> From Computerworld:
> 
> 
> New phishing scam model leverages VoIP
> Novelty of dialing a phone number lures in the unwary
>       News Story by Cara Garretson
> 
> APRIL 26, 2006
> (NETWORK WORLD) - Small businesses and consumers aren't the only ones
> enjoying the cost savings of switching to voice over IP
> (VoIP). According to messaging security company Cloudmark Inc., phishers
> have begun using the technology to help them steal personal and
> financial information over the phone.
> 
> Earlier this month, San Francisco-based Cloudmark trapped an e-mailed
> phishing attack in its security filters that appeared to come from a
> small bank in a big city and directed recipients to verify their account
> information by dialing a certain phone number. The Cloudmark user who
> received the e-mail and alerted the company knew it was a phishing scam
> because he's not a customer of this bank.
> 
> Usually phishing scams are e-mail messages that direct unwitting
> recipients to a Web site where they're tricked into giving up their
> personal or financial information. But because much of the public is
> learning not to visit the Web sites these messages try to direct them
> to, phishers believe asking recipients to dial a phone number instead is
> novel enough that people will do it, says Adam O'Donnell, senior
> research scientist at Cloudmark.
> 
> And that's where VoIP comes in. By simply acquiring a VoIP account,
> associating it with a phone number and backing it up with an interactive
> voice-recognition system and free PBX software running on a cheap PC,
> phishers can build phone systems that appear as elaborate as those used
> by banks, O'Donnell says. "They're leveraging the same economies that
> make VoIP attractive for small businesses," he says.
> 
> Cloudmark has no proof that the phishing e-mail it snagged was using a
> VoIP system, but O'Donnell says it's the only way that staging such an
> attack could make economic sense for the phisher.
> 
> The company expects to see more of this new form of phishing. Once a
> phished e-mail with a phone number is identified, Cloudmark's security
> network can filter inbound e-mail messages and block those that contain
> the number, says O'Donnell.
> 
>  							-- Jerry
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

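The number-based filtering mentioned at the end of the quoted article, as an added example (not part of the original post and not Cloudmark's implementation): inbound mail is scanned for phone numbers in any common notation, each is reduced to a canonical 10-digit form, and the message is flagged if one matches a number already seen in a phish. It assumes North American (NANP) numbers; the function names, sample messages and blocklist entry are constructed for illustration.

```python
import re
from email import message_from_string, policy

# NANP number: optional +1/1 prefix, then NXX-NXX-XXXX with any mix of spaces,
# dots, dashes or parentheses between the groups. The digit lookarounds keep
# longer digit runs (order or account numbers) from matching.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]*)?\(?([2-9]\d{2})\)?[\s.\-]*"
    r"([2-9]\d{2})[\s.\-]*(\d{4})(?!\d)"
)

def extract_numbers(text):
    """Return every phone number found in text as a bare 10-digit string."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}

def blocked_numbers(raw_message, blocklist):
    """Return the sorted blocklisted numbers present in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    # Normalise blocklist entries the same way, so they can be in any notation.
    blocked = set()
    for entry in blocklist:
        blocked |= extract_numbers(entry)
    return sorted(extract_numbers("\n".join(parts)) & blocked)

# Constructed sample data (555-01xx numbers are reserved for fiction).
BLOCKLIST = ["+1 415-555-0142"]
SAMPLE_PHISH = """\
From: "Account Services" <notice@bank.example>
Subject: Verify your account

Please confirm your details by calling 1 (415) 555.0142 today.
"""
SAMPLE_CLEAN = """\
From: billing@shop.example
Subject: Order 1234567890 shipped

Questions? Call 212-555-0199. Reference 4155550142777.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, blocked_numbers(raw, BLOCKLIST))
```

Matching on the canonical form is what makes the filter hold up when the same number is re-sent with different punctuation; it does nothing against a number that has not yet been reported.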


