Phishing Techniques: Similarities, Differences, and Trends: Part III: Vishing
For Part I, which discusses Mass Phishing and which sets the objects of examination in this paper, please check here.
For Part II, which discusses Targeted Phishing, please check here.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Vishing
Vishing (Voice phishing) is a type of phishing —a social engineering technique, whereby the scammer is not aiming to collect the victim's sensitive information via email, SMS, instant messaging or website but attempts to extract the information through a voice communication – almost always by contacting the victim via his phone (landline or cellular).
The vishing attack can be performed through voice email, VoIP, or through phone but vishers mostly choose VoIP systems. They frequently use auto dialers or war dialers to call numbers in a sequential or a random manner (if they do not have a prepared list of phone numbers) or as stolen or retrieved from a phonebook, the Internet, financial institution or another entity (if they have list(s) of phone numbers at their disposal).
These calls to the potential victims may serve as initial bait that explains the "situation" to the prey and, in a sense, orders them to call an 800 number that will then request the sensitive information. Moreover, electronic messages (e-mails, SMS, etc.) may also serve as initial bait that will point the unlucky people to a number of a call center that they have to dial. However, there could be no initial bait and the whole scam could consist of a single automated or human-made call to random, pseudo-random or targeted individuals.
Auto dialers enable vishers to make multiple calls simultaneously and play pre-recorded messages (robocalls).
They also make possible to display a pre-recorded message that would not necessarily be uttered by the voice of the sender but be recorded via text-to-speech synthesizer which allows vishers to select a voice from a predefined list of voices. For instance, IVONA's text-to-speech currently has a database of 3 British English and 8 American English voices but most auto dialers are equipped with speech engines which transform the text to voice on their own. Thus, the cyber-criminal can select a voice he deems fit to mask his fraudulent message as coming from a well-intentioned person.
In addition, auto dialers usually come with outbound interactive voice response which means that the victim can type on his phone keypad to make choices and enter data as a response to the automated voice's messages. Also, he can, which appears safe to some people, type his bank account number and other sensitive details on his keypad which will be saved and stored during the robocall to be used by the vishers to the victim's detriment. Vishers can store not only touch tones but also speech feedback. Plus, it is possible to personalize the pre-recorded message.
Vishers prefer Voice over Internet Protocol not only because it turns complex automated systems to readily available utilities but also because it facilitates the exploitation of certain tools and features (such as caller ID), the whole operation could be set up and taken down in a short period of time, and because VoIP is linked with low costs and can provide anonymity to the criminals if they possess the necessary knowledge to stay anonymous.
Caller ID spoofing appears to be a possibility for everyone, regardless of their technical knowledge and expertise, but it is illegal in the United States since the Truth in Caller ID Act. If the scammers are planning on using the simplest method (resort to caller ID spoofing service providers), they are most likely going to fall in the hands of the relevant law enforcement authority.
To illustrate, one of the FCC's rules (Federal Communications Commission) is that any person or entity is prohibited from dispersing misleading or inaccurate caller ID data bent on defrauding, causing harm or wrongfully obtaining something of value except if done in an authorized activity from the law enforcement agencies.
Thus, the above mentioned law makes caller ID spoofing service providers like http://www.SpoofCard.com, which is designed for calls with spoofed CID mainly within the USA, pretty much useless for vishers. "Useless" as it can be read in the terms of SpoofCard that the calls you make when using their services may be stored, saved and reviewed to determine whether an applicable law is breached and sent to the relevant law enforcement agency, if necessary. Furthermore, SpoofCard can inform the victim that the call has been spoofed. Otherwise, SpoofCard offers tempting features such as voice changer, option to record the call, add third-parties to the call and the ability to add background noises to disguise the location from which the call has been made besides the spoofing the CID. I, personally, find the stated purposes of such service providers – to "pull a prank on a friend", etc. highly questionable in regards to their legitimacy.
It can be deduced that caller ID spoofing is an essential part of building credibility for vishers and that reliance on third-party service providers for CID may expose the vishers to the relevant law enforcement agencies to which they will be held responsible. So, vishers rather prefer to utilize VoIP systems on their own to build their own call centers using various programs and software. For instance, there are many auto dialers based on the open-source software Asterisk.
Auto dialers based on Asterisk or another VoIP system really make formerly complex automated systems readily available as they provide numerous features that vishers could take advantage of: text-to-speech, call recording, automated attendant, interactive voice response, robo dialer and many more.
Secondly, a Voice over Internet Protocol phone number can be easily created without the visher having to divulge and thoroughly verify his personal information as one must with traditional phone lines.
Thirdly, the cost of such a vishing campaign via VoIP is insignificant compared to traditional landline or cellular phone calls.
If the vishing attack is directed at fewer number of people but with higher emphasis on success rate, vishers may have chosen to contact the victims not through automated calls (robocalls). By actually communicating with them by voice, or by enabling victims to call an "agent" in the robocall further increases the credibility of their scam and gives an additional dose of legitimacy and persuasiveness to their endeavor. Thus, it is a sophisticated piece of social engineering. If so, many auto dialers contain functions implementing variable queue strategies, caller experience and automatic call distributors.
Illustration of vishing with emphasis on the possible sub-techniques the technique embodies
In 2008, PC World explained that vishing attacks usually proceed as follows: vishers utilize a VoIP system to establish a fake call center. After that, they disperse phishing e-mails to deceive the victims into calling it. As soon as they call they are asked for their PII (personally identifiable information). Thus, phishing and vishing can occur simultaneously because this will enhance the "legitimacy" of the scam. The vishers could create a clone website of the original and insert the number to their call center in it. A person in doubt will call this center which will diminish the doubts the potential victim have towards the authenticity of the scammer's messages and identity.
The scammers can even use software vulnerability to perform their scheme. The FBI notified the general public in 2008 that there is a vulnerability of earlier versions of Asterisk that enable vishers to take control over accounts of legitimate Asterisk call centers and possibly generate thousands of vishing calls to clients an hour.
Some vishing schemes may be easy to recognize, such as the Ammyy scams, but they still prove to be effective in tricking people uneducated in basic cyber-crime attempts. Furthermore, bringing these scammers to the authorities may be burdensome or impossible as the telephone number is cloaked in case one tries to trace the location of the vishers. Vishers predominantly try to lure victims from other countries, which means that they do not fall under the jurisdiction of the country of the harmed parties. For instance, a visher in India may call and trick people from the USA and the latter might not be able to do anything about it.
The Ammyy scam's goal is to trick the victims into granting the attackers remote access to their computers and install malware which will give the vishers access to the victims' personal information. Furthermore, the scammers urge the victims to buy fake products from them —anti-virus, an update of Windows, system protection services, subscription for tech support and the fixing of the machine, etc. It can cost them around $300, but probably also serves the purpose of allowing them to store their financial information on their computer after they have gained remote access to it. The vishers can empty the preys' debit/credit cards just in case such information is not already stored on their machine.
The call center is said to have originated in India and presumably the city of Kolkata (or Calcutta), the vishers were calling the victims themselves and impersonating a well-known and genuine company such as Microsoft or Dell. They present themselves as security or tech support persons and declare that they have detected a problem in the victim's machine such as a malware or that there is a new security vulnerability that is affecting his computer and offer to guide the prey through installing a tool that will remove the malware or vulnerability.
Interestingly, the Indians are gathering information for their targets from phonebooks and mention their names and home address during the conversation. This establishes "credibility" and yields good success ratios particularly amongst the elderly and others uninformed of existing frauds. The calls are international but since they are done over VoIP the international part of the call is established through the Internet and it barely costs them a dime.
The Ammyy scammers even attempt to establish further credibility to their malicious endeavors by filling the forums and websites that contain complaints and information about the scam with positive comments about how the "services" of the security or tech support staff helped them. However, these comments appeared to originate from India, and had a poor spelling and grammar skills that could be contrasted with the comments originating from other countries that consist of completely negative feedback.
The vishing scheme affects mostly English-speaking countries (USA, UK and Australia) but is present worldwide. The websites they are using change frequently are they are being shut down as soon as they are found. The vishing scheme derives its name from the software they use to obtain remote access to the prey's computer (Ammyy). It is legitimate software and it is used to establish remote desktop connection between machines. However, it is possible for different software for remote desktop connections to be used as Ammyy is used mostly in the USA whereas LogMeIn or Team Viewer is utilized in different countries.
The vishers prompt the "clients" to open Windows Event Viewer and show them the errors, warnings and criticals of the machine which they claim to be a proof of the existing and unresolved issues with their machine (they may use different means to con you). Afterwards, they point the targets into a remote desktop connection services' website and get them to reveal the code for access generated for them or indicate to them another relevant manner of granting remote access to the vishers so they can "fix" the machine's issues. As soon as they have installed the malware, they will inform the people that their problem is resolved. Moreover, the social engineering techniques involved in the scam may cause so much fear and distress in the innocent party as to make them agree into buying a scareware and even pay for a variety of malware, spyware and grayware.
Vishing Trends
Rod Rasmussen, President and CTO of Internet Identity (extracted from APWG phishing report of the third quarter of 2012), claims that some professional phishers have decided to rely on infecting users with malware in an exploit-style with drive-by downloads instead of employing social engineering techniques to hijack credentials and financial data leaving the victims unaware of the malicious software. Thus, one would expect a decline in vishing as well.
In 2010, bankinfosecurity.com alerted people of vishing attempts that followed a sequence of attacks that affected institutions all across the USA in 2009. These appeared to be random or pseudo-random vishing attempts directed at members of financial institutions – "three credit unions and two banks" as non-members of the institutions were also calling to report about the fraudulent calls. Some of the calls were automated whereas others were performed by people. Bankinfosecurity.com further shows this to be a proof of the escalation of overall phishing during that period of time. The Ammyy scams discussed above were also most active during this period.
However, overall phishing (incl. vishing) seems to be declining, but that does not mean it has been abandoned or eradicated. A recent vishing scam in the USA is the one in which vishers tell the victims that there is a new federal aid program which will pay all their utility bills and prompt them to give their social security numbers and bank credentials and is known as the "Obama utility bill scam".
The main victims of vishing are people who are not tech-savvy and who are unaware of the basic types of frauds linked with technology (such as that spoofing caller ID is possible and not quite cumbersome).
Other types of Phishing
Clone phishing can be quite successful. It consists of the phishers sending a copy of a legitimate, previously delivered email from a genuine company, email with altered attachments and links to make the email malicious in nature and steal sensitive data.
Also, another type of phishing has emerged which may labeled as "reverse-phishing" because instead of the phishers contacting the victims and attempting to lure them, phishers post a fake craigslist job position or by another means wait for the victim to find them. The potential victims contact them because of seductive terms mentioned in the ad, such as high salary, ability to work from home or from wherever you desire, short working hours, etc. and they are asked for sensitive information "before" they start working.
See Infosec IQ in action
References:
- Wikipedia, 'Voice phishing'. Available at: http://en.wikipedia.org/wiki/Voice_phishing (Accessed 3/24/2013)
- Wikipedia, 'Phishing'. Available at: http://en.wikipedia.org/wiki/Phishing (Accessed 4/13/2013)
- Robert McMillan, 'FBI: Criminals Auto-dialing With Hacked VoIP Systems', December 5 2008. Available at: http://www.pcworld.com/article/155074/hacked_voip.html (Accessed 3/24/2013)
- Wikipedia, 'Phone fraud'. Available at: http://en.wikipedia.org/wiki/Phone_fraud (Accessed 3/24/2013)
- Answers.com, 'Voice phishing'. Available at: http://www.answers.com/topic/vishing (Accessed 3/24/2013)
- SpoofCard, Available at: http://www.spoofcard.com/ (Accessed 4/5/2013)
- Asterisk, http://www.asterisk.org/get-started/features (Accessed 4/5/2013)
- Spamlaws.com, Available at: http://www.spamlaws.com/voice-and-spear-phishing.html (4/13/2013)
- David Harley, 'AMMYY Warning against Tech Support Scams'. Available at: http://www.welivesecurity.com/2012/08/24/ammyy-warning-against-tech-support-scams/ (Accessed 4/13/2013)
- Andy O'Donnell, 'Beware of the "Ammyy" Security Patch Phone Scam'. Available at: http://netsecurity.about.com/od/securityadvisorie1/a/Beware-Of-The-Ammyy-Security-Patch-Phone-Scam.htm (Accessed 4/13/2013)
- Charles Arthur, 'Police crack down on computer support phone scam'. Available at: http://www.guardian.co.uk/technology/2010/jul/19/police-crackdown-phone-scam-computer (Accessed 4/13/2013)
- Charles Arthur, 'Virus phone scam being run from call centres in India'. Available at: http://www.guardian.co.uk/world/2010/jul/18/phone-scam-india-call-centres (Accessed 4/13/2013)
- APWG, 'Phishing Activity Trends Report, 3rd quarter, 2012'. Available at: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDgQFjAB&url=http%3A%2F%2Fwww.apwg.org%2Fdownload%2Fdocument%2F84%2Fapwg_trends_report_q3_2012.pdf&ei=hexrUcjfLsSltAbX74EY&usg=AFQjCNHEInLKwwLKSJs2dKW12kmqc5-CdA&sig2=AGREXhjhnQSF2bd5dJDg6g (Accessed 4/13/2013)
- Khadeeja Safdar, 'Obama Utility Bill Scam Falsely Claims Federal Aid Program Will Help Pay Bills', 07/09/2012. Available at: http://www.huffingtonpost.com/2012/07/09/obama-utility-bill-scam-federal-aid_n_1659787.html (Accessed 4/13/2013)