Phishing attacks aren't just for e-mail anymore. Cybercriminals hoping to coax sensitive information from unwitting victims have a new weapon in their arsenal: the telephone.
Recent evidence came last week with news that an attacker sent e-mails that appeared to come from the account verification team at online payment service PayPal, a division of eBay (EBAY). Unlike most phishing schemes, where the recipient is directed to a fraudulent Web site, this scam instructed victims to call a phone number, where they were asked to cough up account information, according to the threat management service company Sophos, which posted news about the PayPal spam on July 7.
Scam artists can make quick work of phone fraud with Voice over Internet Protocol (VoIP), which delivers voice calls quickly and cheaply, using the same technology that delivers e-mail via the Internet. "It's easy to set up a VoIP account with a provider online today and set up an interactive voice response system," says David Endler, director of security research at TippingPoint, a division of the voice and data networking service provider 3Com (COMS).
These "can pop up as quickly in the future as spoofed banking sites are appearing today," he says. For a fraction of the cost, the criminal can set up an Internet phone network that is harder to trace; some VoIP services give the user an unlimited number of calls for a monthly fee, whereas some fixed-line providers charge on a per call basis. Meanwhile, most people are far more likely to trust a phone number than an e-mail, Endler adds.
In some cases, fraudsters use what's known as a war dialer to make one call after another to a host of phone numbers in a given region, explains Secure Computing (SCUR), which issued a warning on July 10. People who answer the calls are told that their credit card has been subject to fraudulent activity and instructed to call a different number to verify an account, and give up key data. "This methodology takes advantage of what has become a normal practice for credit-card users," Paul Henry, vice-president of strategic accounts for Secure Computing, said in a statement. "It is a normal procedure when calling a credit-card provider to be asked to enter your 16-digit credit card number" before speaking to a representative, he noted.
The PayPal case and warning add to concerns over the security of VoIP (see BusinessWeek.com, 6/13/06, "Is Your VoIP Phone Vulnerable?"). Information technology advisory services firm IDC predicts that the number of residential U.S. VoIP subscribers will grow from 10.3 million in 2006 to 44 million in 2010. "I think that this (recent PayPal attack) proves that new and different types of attacks are going to happen" involving VoIP, says Will Stofega, research manager for IDC's VoIP Services program. "This is one of the earlier cases," he adds.
As soon PayPal found out about the scam, the online payment company worked with law enforcement and the phone services provider to resolve the problem. The company that owns the fraudulent phone number shut it down that same day, says PayPal spokeswoman Sara Bettencourt. Apart from confirming that it involved VoIP, she declined to provide further detail about the case.
A couple of similar cases have cropped up recently, according to the San Diego Internet security company Websense. About a week ago a criminal e-mailed spam that directed users to call a phone number to unlock their eBay accounts. Victims who called the fraudulent phone number were prompted to give up their passwords. Websense Security Labs said June 23 that it received another spam e-mail making a similar pitch. This one claimed to come from Santa Barbara Bank & Trust's Online Customer Service.
Till now, phones have virtually never played a role in phishing attacks, says Dan Hubbard, vice-president of security research at Websense. "It's not as easy to set up a (fraudulent) phone number and it's more traceable" than a fake Web site, he explains. Those remain the easiest and most common form of phishing attack.
Even so, what can people do to protect themselves from new phone threats? Most experts recommend the same common sense that will keep you from getting into trouble online: Don't give out your information to unknown sources. Whenever you need to call someone, such as a banker, who would ask you for verification of personal information, make sure you got that phone number from an official directory, card statement, or Web site.
"If someone is calling you unsolicited, the No. 1 advice is to say 'I'm not interested,'" says Michael Gough, a computer security consultant and the author of Skype Me!, a book about the technology behind the San Jose (Calif.) Internet communications company Skype. People who use Skype's services can filter their phone calls so only those they already know can contact them.
Secure Computing also recommends that any time you receive a call from someone purporting to represent your credit-card company, hang up and report the call to the credit-card company.