Vishing or Phishing

E-mail is the preferred method used by hi-tech criminals when delivering spam, as well as viruses and phishing messages – in which an e-mail and/or website purports to be that of a bank or financial institution.

Some criminals are now using net phone systems in a bid to make their invites look more legitimate and convince people to hand over useful details such as credit card numbers, bank account details or personal information.

The scam has been dubbed “Vishing”.

Vishing as defined by Wikipedia is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of “voice” and phishing. Vishing exploits the public’s trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP makes formerly difficult-to-abuse tools/features of caller ID spoofing, complex automated systems (IVR), low cost, and anonymity for the bill-payer widely available. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. When in doubt, calling a company’s telephone number listed on billing statements or other official sources is recommended instead of calling numbers from messages of dubious authenticity.

The criminal either configures a war dialler to call phone numbers in a given region or accesses a legitimate voice messaging company with a list of phone numbers stolen from a financial institution.

Typically, when the victim answers the call, an automated recording, often generated with a text-to-speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.

When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the key pad.

Once the consumer enters their credit card number or bank account number, the visher has the information necessary to make fraudulent use of the card or to access the account. The call is often used to harvest additional details such as security PIN, expiration date, date of birth, etc.

Vishers generally prefer to use automated responders and war diallers. There have been reported instances where human operators have played an active role in trying to convince the victims to part with important personal information. Data collected from a study done in the United States in 2009 by Federico Maggi found that the most recurrent words used in automated, recorded scams are different from those leveraged by human scammers.

For example, automated voices frequently contain words such as “press” (a button) or “number”, while humans typically resort to more complex social engineering techniques.

In a common variation, an email “phish” is sent instead of war-dialling – the victim is instructed to call the following phone number immediately, and credit card or bank account information is gathered.


Phishing and Spear Phishing

In case you have no idea what phishing is, Wikipedia defines it as “the act of attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity.”

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, defines ‘spear phishing’ as:

“Spear phishing is when a criminal sends you an email that sounds and looks like it’s from a company you have an existing relationship with,” Stephens said. “For example, a spear-phishing message might address you by name.”

Alternatively, spear phishing is an attack predicated on targeting a specific person, or group of people, with a malicious email that encourages them to open an attachment.

Phishers tend to send an email pretending to be someone or some business you recognize and, as the definition above states, get you to reveal private data. Usually, if you’re reasonably suspicious, these attempts are easy to spot and avoid, but often we click on the email out of natural curiosity.

Recently I received a direct message on Twitter from a follower:

Hey this person is making up dreadful posts that are about you http://xxxx????

The idea that someone would be making up “terrible posts” about me seemed far-fetched, but that someone would inform me in this way was even more of a give-away. Not so for the link, which takes you, via a couple of redirections, to a website that looks exactly like the Twitter login page, with the message “Your session has timed out, please re-login.”

If you had just come from Twitter by clicking on the link in the direct message, you might well think that such a thing was normal and provide your login credentials, which would be, given that the site is in China and obviously fraudulent, a very bad idea.

The link resolves to http://twitvter.com/log.in/h/?&session_timed_out (I recommend you DO NOT visit this link, there may be other exploits involved) and while the root of the site, http://twitvter.com/, is identified by Chrome as a phishing site and a warning immediately displayed, the full link is not identified!
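The point above, that the browser flagged the root of the site but not the full link, is a matching-granularity problem: an exact-URL blocklist misses every path and query variant the phisher sends out. The added example below (my own illustration, not code from the original post or from any browser vendor) normalizes a URL to its host before consulting a blocklist, so the full link is caught, and also flags hosts within a small edit distance of a brand domain. The blocklist and the brand list are constructed for the example; the hosts in them are the ones named on this page.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist containing the phishing host named on the page.
PHISHING_HOSTS = {"twitvter.com"}

# Constructed list of brand domains that lookalike hosts commonly imitate.
PROTECTED_DOMAINS = ["twitter.com"]


def normalized_host(url: str) -> str:
    """Lower-cased host of a URL with any port and leading 'www.' removed.

    Matching on the host rather than the exact URL means that
    /log.in/h/?&session_timed_out and any other path on the same host
    all hit the same blocklist entry.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_url(url: str, max_distance: int = 2) -> dict:
    """Classify a URL by its host: blocklisted, lookalike of a brand, or neither.

    max_distance is an assumed threshold; one or two edits catches typosquats
    such as an inserted letter while leaving unrelated domains alone.
    """
    host = normalized_host(url)
    result = {"host": host, "blocklisted": host in PHISHING_HOSTS, "lookalike_of": None}
    for brand in PROTECTED_DOMAINS:
        if host != brand and levenshtein(host, brand) <= max_distance:
            result["lookalike_of"] = brand
            break
    return result


if __name__ == "__main__":
    # The full link from the post: caught because matching is done on the host.
    print(classify_url("http://twitvter.com/log.in/h/?&session_timed_out"))
    # The genuine site: neither blocklisted nor a lookalike of itself.
    print(classify_url("https://twitter.com/login"))
```

Because the check reduces every URL to its host, the redirect chain mentioned above does not matter either: whichever hop lands on the blocklisted host is flagged, regardless of path or query string. The edit-distance test is a secondary signal for hosts that are not yet on any list; it should feed a warning rather than a hard block, since legitimate short domains can sit within two edits of each other.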

The information collected in this manner is certainly not being used for your benefit. Your personal details could be used for many purposes, one of which could be to ensnare more victims.

The more sophisticated and alluring these phishing attacks become, the more people will get tricked. Remember that, whilst the current messages are poorly written, they are effective. To quote the Sergeant from Hill Street Blues: “be careful out there”.


Protecting Yourself From Phishing Attacks

Phishing attacks — online trolling for personal information in order to raid your financial accounts — are soaring. According to cyber-security experts at RSA, phishing attacks jumped 37 percent last year and have proven to be exceptionally costly, with the average attack resulting in $4,500 in stolen funds.

There are still 5 simple ways to catch a phishing attempt before it catches you (source: Kathy Kristof). Specifically:

Don’t click. If your bank or credit card company sends a warning message saying that your account has been compromised and you need to click through an emailed link to “verify your account information,” don’t. Banks and credit card companies don’t communicate that way. Neither does the IRS. If there’s a problem with a bank or credit card account, they’ll call you.

Go direct. If you get one of these emails and are worried that there may be a real problem with your account, open up a new browser window, go directly to your bank site and sign in there. Chances are, you’ll see something along the lines of: “(Your bank) DOES NOT send emails instructing you to click on a link to enter your personal information.” When you sign on without trouble and there’s no other message from your bank saying that your account is compromised, you know that it’s not. Delete the email that caused you to worry, but remember it — and the fact that it was a scam — for next time.

Don’t try to “win” anything. Phishing is done with more than emails. Contests are big: “Win a free iPad!” or “Get a $500 Target Gift Card!” The come-ons are all over the web. All you have to do, supposedly, to get this awesome swag is click on a link that is likely to take you to a toxic site. Increasingly, these toxic sites embed a virus into your computer that allows the crook to capture your every keystroke. That means it gets all your passwords and user IDs for your bank and brokerage accounts. You know you’re really not going to get something for nothing, right? So don’t pretend you will. When you see the word “free,” think “danger.” Don’t go there.

Don’t panic. The other brilliant scam that can pull you into the vortex of a toxic site is the pop-up warning: “Your computer has been compromised! Click here to download a security fix!” When you click, you open the gates of your computer to all sorts of nasty viruses. If you don’t panic, you won’t click and you won’t regret it later.

Get security. If you don’t have security software on your computer, now is the time to invest in it. Good services like SentryBay will set you back about $30 a year for 3 licences. If you compare that to the $4,500 you could lose in a phishing attack, it’s a bargain.


First IBM PC

1981 - IBM 5150 PC

I recently came across an article that was reflecting on the very first IBM PC and thought that it might be of interest. If IBM had never developed the Personal Computer and we had continued to work with mainframes, would we be experiencing the current phishing and malware attacks today? We can never answer this question, but I am sure that the cyber-criminals would still be trying to “steal” our personal information in some form or another.

Here is some text from the original article:

“The system has much to commend it, both for serious and fun applications, since it can grow from a fairly expensive cassette-based configuration to a full-blown twin disk/colour graphics machine that offers the competition a fair run for its money. It almost goes without saying that the computer is well made, keeping up IBM’s legendary reputation for quality.”

IBM kept their plans to launch a personal computer very quiet and swore key people and companies to secrecy. Microsoft were very involved from the very beginning and initially the PC was only sold in the US. At the time IBM were not able to comment on whether or not the PC would be sold in Britain.

IBM also mentioned that “the whole design is very pleasing and all the parts clearly belong together. Everything is designed with a first-time user in mind. IBM has gone overboard to make the system as easy as possible to configure and use.”

The author made some final comments mentioning that this was probably the most professionally put-together system that they had ever seen. The only thing that they felt was missing was a wide selection of packages, but they felt that the whole world and its grandmother would be frantically trying to fill that gap.

We have certainly come a long way since 1981, with smartphones and tablets being all the current rage, and we are more and more reliant on these products in our day-to-day lives.