
    Archive for July 12th, 2012

    In today’s age of 24/7 connectivity (and threats), it’s tempting to think that “old-fashioned” ways of communicating like phone calls are safer. Unfortunately, that isn’t the case. Attackers are increasingly exploiting phone calls as well, in so-called vishing attacks against users. In fact, I’ve been on the receiving end of a vishing call myself: someone pretending to be a bank agent called me, said my accounts could be frozen due to malicious activity, and gave me a number to call. I didn’t fall for it, but less wary users could.

    What is vishing?

    Vishing is the telephone version of phishing; the term combines “voice” and “phishing”. The victim may be called directly by an attacker, or may receive an invitation (by e-mail or voicemail) to call a fake customer support number to fix a problem. Once the victim is on the phone, an automated attendant may ask them to enter their account number, personal identification number (PIN), or password on the telephone keypad, or a live attacker may ask them to “confirm” personal information.

    From the attacker’s point of view, vishing is essentially a three-step process. The first step is to “select” targets. Attackers write scripts that automatically dial large numbers of people and, like any mass phishing campaign, cast a wide net that ultimately catches a few unsuspecting customers of the bank being spoofed. Readily available software lets the attackers display whatever Caller ID number they want, so the call appears to come from the spoofed bank.

    The second step is to extract credentials from the “selected” targets: attackers ask victims for their credit card numbers, PINs, and other account details. The last step is to use the obtained information to steal money from the victim.

    Why do cybercriminals use vishing over other more technologically-sophisticated schemes?

    Vishing exploits the weakest link in the security chain: the user. It is easy for an attacker to sound reputable and trustworthy over the phone, and users who believe them hand over valuable information.

    There are other advantages for the attacker as well. These attacks are carried out through Voice over IP (VoIP) providers, which make Caller ID spoofing, automated attendants, and anonymity readily available. VoIP also makes it very hard for law enforcement to monitor or trace the calls.

    I’ve become a vishing victim. Help!

    If you are a victim of vishing, write down what happened and how you first noticed the fraud. Keep all paperwork that you think may be helpful in the investigation. Then, follow the steps below:

    1. Contact your local police and file a police report.
    2. Contact the financial institutions, credit card companies, phone companies, and any accounts you suspect may have been opened or tampered with.

    Take down written notes while you follow the above steps, to ensure there’s no dispute about what was said or heard.

    The number one tip for avoiding becoming a phishing or vishing victim is to remember this: a legitimate company will never call or e-mail you unprompted and ask for your PIN or password. If you receive such a call, hang up and inform your bank right away, using the number printed on your card or statement rather than any number the caller gave you.


    Phishing has fundamentally changed, and its transformation was aided by the Blackhole exploit kit. We’ve been blogging about persistent phishing spam runs, including their association with Blackhole exploit kits, since earlier this year. We’ve also released a technical paper with the details of our research, including the unique insight into these events that big data analytics and the Trend Micro™ Smart Protection Network™ give us. The paper also explains how to effectively protect users.

    We’ve been keeping tabs on these events, and it is evident that things have changed in the world of phishing. Cybercriminals no longer rely on users to submit their personal information, and their new methods have increased the success rate of their attacks. Now, the only thing cybercriminals need is for a user to open an e-mail and click a link.

    Old Advice for Phishing

    Given this, traditional or “old” advice about phishing is out of date and may no longer be enough to protect users. Examples of such advice include:

    • “Be suspicious of any email with urgent requests for personal financial information.”
    • “The email states that you should update your information for one reason or another, and they usually provide a link that you can click to do so.”
    • “Avoid filling out forms in email messages that ask for personal financial information”

    What has changed?

    With the advent of exploit kits, cybercriminals have bypassed the step in which they rely on users to submit their personal information. In 2012, the major method of attack is to place malware on the user’s computer by exploiting vulnerabilities in the victim’s software. Malware such as ZeuS and Cridex then silently monitors activity on the computer, watching for logins to financial websites and capturing the credentials. All the attackers need is for a user to click a bad link in an e-mail that looks legitimate.

    The phishing messages of today carry far less urgency; the call to action is implicit:

    • “Your statement is available online”
    • “Your message is ready”
    • “Incoming payment received”
    • “Pending Messages: There are a total of 1 messages awaiting your response. Visit your inbox now”
    • “Password reset notification”

    In many cases these messages are identical to the legitimate messages sent by the organization being spoofed. Sometimes, the only difference between the legitimate e-mail and the phishing version is the bad link. Read our paper Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs for more information about these threats and how to help protect users.
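    Because the lure described above is word-for-word identical to the real notification, wording-based heuristics (urgency, requests for data, embedded forms) have nothing to catch; the link is the only differentiator. The following is an added example, not Trend Micro’s code or anything from the paper, of a check that ignores the text entirely and judges each link against the domain the message claims to come from. The two sample messages, the domains in them (example-bank.com, example.net) and the two-label “registrable domain” helper are constructed assumptions for the example; a real deployment would use the public suffix list and would also have to deal with lures that route through a legitimate domain (open redirects, compromised sites).

```python
# Added example: link-based lure check for the "identical except for the link"
# phishing this post describes. Not Trend Micro's code. Sample messages and
# domains are constructed; the two-label registrable-domain helper is a
# deliberate simplification.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that itself looks like a URL or host name, with or without a scheme.
HOST_LIKE = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:[/?#]\S*)?$", re.I
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels (assumption: no multi-label public suffixes such as
    co.uk; a production checker should consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(raw_message):
    """Return [(href, [reasons])] for every http(s) link that either points
    outside the sender's registrable domain or shows one host in the anchor
    text while pointing at another. Message wording is ignored on purpose."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text mail is out of scope for this check
    collector = _LinkCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https") or not target.hostname:
            continue  # mailto:, tel: and relative links are not web lures
        reasons = []
        if registrable_domain(target.hostname) != sender_domain:
            reasons.append("foreign-host")
        shown = HOST_LIKE.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target.hostname):
            reasons.append("text-target-mismatch")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed samples: the legitimate notification and the lure differ only in
# the statement link, which is exactly the situation the post describes.
_HEADERS = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your statement is available online
Content-Type: text/html; charset="utf-8"

"""
LEGIT_EMAIL = _HEADERS + """\
<html><body>
<p>Your statement for June is available online.</p>
<p><a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
<p><a href="mailto:support@example-bank.com">Contact support</a></p>
</body></html>
"""
LURE_EMAIL = LEGIT_EMAIL.replace(
    'href="https://www.example-bank.com/statements"',
    'href="http://www.example-bank.com.statements-online.example.net/main.php"',
)

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGIT_EMAIL), ("lure", LURE_EMAIL)):
        print(name, suspicious_links(raw))
```

    The lure is flagged for two independent reasons: its host’s registrable domain (example.net) is not the sender’s, and the visible anchor text names www.example-bank.com while the real target is elsewhere. Either signal alone is enough to hold the message for review, and neither depends on the subject line or body text, which is what makes the check robust against the copied-verbatim lures discussed above.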

    Posted in Exploits, Spam, Vulnerabilities | Comments Off on Blackhole Exploit Kit Transforms Phishing


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice