An introduction to vishing
This introduction to vishing is offered in the hope that being aware of it makes you less likely to fall for a vishing-based scam.
Vishing is short for voice phishing. Voice refers to the fact that the scam is perpetrated over the phone. Phishing is a scam designed to "criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity..." according to Wikipedia.
As people get less trusting (deservedly so) of email, the bad guys hope victims put more faith in phone numbers.
A recent article by Brian Krebs at WashingtonPost.com, The Anatomy of a Vishing Scam, describes a particular scam in detail and offers an education by example. In the case Brian describes, the initial contact with the victim was by text messaging to a cellphone, but it could just as well have been via email or instant messaging.
The crucial point is that just because someone or something says that a phone number belongs to a bank or credit union doesn't make it true.
In the old days, tracing a phone number to its true owner was no big deal. But now, according to Brian, "the voice mail systems involved in these sorts of scams usually are run off of free or low-cost Internet-based phone networks that are difficult to trace and shut down."
The story is likely to be that something bad has happened to your bank account, or is about to happen to it, and unless you call the phone number immediately you can kiss your money good-bye. The scammer hopes the story will scare you to the point that you don't even consider the validity of the phone number.
Call your bank or credit union, but call the number in the phone book or on your statements. If it's a scam, they should appreciate the heads up. They may not, but they should.
See a summary of all my Defensive Computing postings.
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET.

The way vishing is made most profitable is that the attacker uses free open source software that allows him to make millions of internet-based calls (VoIP calls) and to send them to victims at a cost that is not much greater than the cost of sending e-mail spam. He could use, say, Vonage or another VoIP provider, but probably doesn't, because it's cheaper to do it yourself. He has a relationship with some scummy no-questions-asked provider who transmits the attacker's outbound IP calls to an IP/landline phone "gateway". At the gateway, the call is converted to protocols that allow the call to travel on the conventional old landline phone system. The attacker uses an "auto-dialler" to send automated messages to millions of grandmas in their kitchens, where the grandmas are socially engineered to place a second phone call, and, during those outbound calls, they provide valuable information like credit card numbers, ATM PINs, etc. The scam works because the attacker's IP-based call to Grandma is hard to trace: most VoIP gateways do nothing to ensure that their customers are transmitting accurate caller ID. Similarly, the number that Grandma calls is disposable -- usually it's a Canadian disposable pre-paid cell phone bought for cash, no questions asked. It functions as a forwarding service, forwarding Grandma's call to an automated system or professional con artist who does the swindle on Grandma. The prepaid cell is pitched after a few hours or days, after its work is done, and a new cell phone number is used. Because they are sold for cash, "disposable" cell phones are not traceable. So, the attacker is as safe from detection as most any other e-mail spammer.
The beauty and promise of vishing, from the perspective of the attacker, is that, unlike war-weary e-mail users, who have become callous, and often don't open and read even the most enticing of spam but instead sit behind big anti-spam engines, Grandma is a fresh and frail newbie who doesn't even have a computer, let alone know about spam. She is trusting. She's relatively easy to separate from her money.
Better still, the landline phone networks do virtually no anti-vishing filtering at the network level. To the contrary, Grandma's phone company facilitates the swindle by transmitting attackers' fake caller ID to Grandma. If Grandma is at all sophisticated, she doesn't like telemarketers, and so, to get rid of them, she buys caller ID service from her phone company for about 6 or 8 dollars a month. The phone companies' advertising (literally ALL of them...) proclaims that caller ID lets grandmas screen calls and enjoy peace of mind. Caller ID is a very profitable product for phone companies: because people hate telemarketers so much, they are willing to pay a relatively high price for caller ID, and it costs next to nothing for the phone company to provide it. I've not found a single landline phone company that tells its customers that caller ID doesn't work any more.
So -- the upshot is that vishing most affects landline phone users who think that, on the traditional phone system, criminals can be traced and stopped, and who are unaware that caller ID doesn't work. While she may be weary of telemarketers, Grandma doesn't expect criminals to be calling her.
The fix is for phone companies either to not accept calls onto their local networks unless the caller's number is accurately disclosed, or, at the very least, to not deliver a mystery packet to Grandma's house and assure her she's safe, only to have a wolf spring from the packet and eat her up.