In recent months, Web site compromises have become the most prevalent problem threatening Internet users everywhere. While this trend continues to dominate today’s security issues, let’s not forget about other threats that, although they may not be as massive as these attacks, have equally serious ramifications for the victims.
Remember vishing? Well, here’s a refresher.
Vishing is a type of phishing attack that uses Voice over Internet Protocol (VoIP) technology to steal users’ sensitive information, usually financial in nature. Like certain types of phishing attacks, it usually persuades users to divulge personal data by sending them legitimate-looking messages (via email, text message or sometimes even via telephone call), warning them that their account is supposedly about to be suspended or has expired and instructing them to contact the number provided to prevent the suspension or to renew their accounts. Upon calling the number, users are directed to an automated voice mail system that prompts them to dial in their credit card numbers and PINs.
Earlier sightings of vishing attacks were reported in 2006, and the attacks have been slowly and silently gaining momentum since then. Last January, the FBI’s Internet Crime Complaint Center (IC3) announced that the number of vishing-related complaints it received is rising at an “alarming rate.” Trend Micro also noticed this movement, as a couple of vishing attacks have been reported, among others, earlier this year (see A Growing Sophishtication and Phishers Raise their Voices).
And speaking of “growing sophishtication,” vishing attacks have seemingly followed in the footsteps of Web site compromises and advanced phishing techniques by using toolkits to send vishing-related SMS messages. Donald Smith of the SANS Internet Storm Center came across SmssmtpSender, an automated toolkit that can be used for SMS spamming and vishing.
“SmssmtpSender consisted of several individual tools cobbled together to create a single toolkit to compromise, manage and control a set of systems for sending SMS spam via compromised pop accounts that had weak passwords.”
It is bad enough that these vishing attacks are difficult to trace due to the nature of VoIP (which makes it easy to spoof the Caller ID); now attackers are employing more sophisticated techniques to launch them at a large scale.
Certainly, more rigid security measures should be implemented, not just by targeted financial institutions or businesses, but by individuals as well. Refer to this issue of Trend Micro First Line of Defense for best practices against phishing and vishing, and learn how you can avoid becoming a victim of these threats.