Proactive IT Security

"VISHING" - new technology gives old criminal activities new life

Security Information Week 32, 2006

Introduction

One of the most popular cracker tools in the early days of computer communication was war-dialling. The cracker uses a program to make her computer call (through a modem) sequences of semi-random telephone numbers in an area. If a modem responds, she may safely assume that there is a computer behind it. The list of modem responses (computers) can then become the target for cracking, to accomplish whatever she is after.
As modems are not much used any more, port scanning has taken over to accomplish much the same thing. From a computer the intruder scans an IP range for computers with specific open ports. Those that respond favourably can be the target for further exploration, with the aim of breaking into, and eventually taking over, the computer. It can then be used for whatever she needs to accomplish (spamming, botnets, and so on).

Phishing can be loosely defined as

"a social engineering attack attempting to trick you into revealing personal information like passwords and credit card numbers, with the attempt to commit fraud".

More information about phishing is available from several articles on our web site, e.g. the Security Information for week 15/2005.

Enter Vishing - a combination of the two techniques mentioned above - using Voice over IP and Phishing.

How vishing works

1. Using a computer to call sequences of numbers (the "V" part)

The initial step is to configure a computer using Voice over IP (VoIP) to call lots of telephone numbers in an area.

Unlike the "good old" war-dialling technique, distance is not an issue here, since the cost of the calls is negligible. As we shall see in item 2 below, however, the language used in the region called may be crucial for the vishing scheme to succeed.

2. Playing a pre-recorded message (the "ishing" part)

Presumably some of the numbers called will answer. The person who set the scheme in motion will have pre-recorded a message that carries the phishing pitch. This can e.g. be a message claiming to be from the bank's credit card fraud department, with instructions to call another number to sort out some issue.

This pre-recorded message should be in the same language as the one spoken in the region in which the vishing takes place. An automated message in e.g. German to people in France, claiming to be from the recipient's bank, is not very convincing and will only trick the most gullible (who of course may be the intended target).

3. Getting the "juicy" information

If the scam in 2 above is persuasive, some of those who answered the automated call and listened to the message will call the suggested number.

In this step several options are available for the visher.

  • She can use her personal social engineering skills and answer the phone herself, attempting to trick the caller into giving her some personal information, like credit card number, PIN code, date of birth, address, and so on.
    Personal telephone contact at this step probably has the highest success rate. The disadvantage, however, is that the visher can only speak to one person at a time.

  • She can pre-record another message telling some tale that sounds credible and attempt to trick the caller into giving up personal information.
    An example could be that the bank's credit card department has had a database breakdown at the same time as some credit card numbers were stolen. Since the database and customer information are not available, would the caller please enter the credit card number and telephone number, and the bank will call back if this credit card is among those whose numbers have gone astray.
    Only the visher's imagination limits the persuasion techniques that can be used here. The disadvantage is that the message has to be general enough to apply to, and persuade, as many of the callers as possible.

4. Committing the fraud and/or getting more information

The information harvested through the three steps above can then be used by the visher to commit the fraud itself. In the example above that is credit card fraud, but it could of course be anything.

At this stage the visher can also use the gathered information to obtain even more information - in the ultimate (though rare) case even enabling her to take over another person's identity.

Some general observations

In Norman's Security Information week 10/2005 we discussed the fact that new applications (in that case instant messaging) were being used to spread malware. Our claim was that this was particularly successful because instant messaging was a new medium, and users were not alert to it in the same way as they are regarding e.g. the use of email to distribute malware.

Vishing can be viewed in exactly the same way. Security organizations, financial organizations and the media have paid a great deal of attention to phishing for some time now, and the focus has primarily been on phishing attempts through email. A new channel - VoIP - as a carrier for phishing will, for some time, have a much higher success rate than phishing through more traditional channels.

This will presumably always be so when new channels are taken into use. The general advice that applies regardless of the medium and technique used by fraudulent persons is:

use intelligent skepticism in any situation where you are asked to divulge something about yourself.