The Anatomy of a Vishing Scam
A series of well-orchestrated wireless phone-based phishing attacks against several financial institutions last week illustrates how scam artists are growing more adept at fleecing consumers by exploiting security holes in seemingly unrelated Internet technologies.
The scams in this case took the form of a type of phishing known as "vishing," wherein cell-phone users receive a text message warning that their bank account has been closed due to suspicious activity, and that they need to call a provided phone number to reactivate the account. Victims who called the number reached an automated voice mail box that prompted callers to key in their credit card number, expiration date and PIN to verify their information (the voice mail systems involved in these sorts of scams usually are run off of free or low-cost Internet-based phone networks that are difficult to trace and shut down).
According to Lawrence Baldwin, the security forensics professional who was called in to help investigate, the attacks went down like this: The scammers targeted customers of multiple financial institutions, sending the text message lures solely to mobile numbers assigned to customers who lived in the geographic regions served by the individual institutions. For example, one scam targeting Motorola Employees Credit Union was sent only to Cingular mobile numbers assigned to consumers in the Schaumburg, Ill., area, where Motorola is headquartered. Yet another vishing attack sought Qwest customers in the Boulder region who may have belonged to the Boulder Valley Credit Union.
A third vishing attack, against the Bank of the Cascades, produced an unusual response from the institution. In a message on its home page, Bank of the Cascades urges people who have received the messages to "Call your cell phone service provider immediately to alert them of the fraud and discuss their recommendations for handling scam text messages." Here's the only recommendation Bank of the Cascades customers need: "We didn't send it, just delete it or ignore it. If you fell for the scam, give us a call or come on in."
The first stop in setting up this vishing volley was the compromise of a Web site called whitehousechronicle.com. The attackers broke into the site by exploiting an ancient flaw (in Internet time) in Horde, a free Webmail utility. Once there, they installed a bunch of scripts on the Web server; several of the scripts contained millions of provider- and region-specific phone numbers that would receive the vishing messages, while another listed the credentials needed to log into and send e-mail from dozens of outside e-mail servers.
The attackers had previously compromised those e-mail servers by hijacking the accounts used to receive "abuse" complaints for those servers. The scammers were able to use those abuse inboxes to blast out spam because the administrators of those servers had failed to select even halfway decent passwords for the accounts.
For example: One of the e-mail accounts used in the attack was "firstname.lastname@example.org," the abuse complaint box for a Brazilian government portal. Just what was the awesomely bad password (now changed) that was assigned to that account? Wait for it... "123456." Another abuse account used in the attack belonged to a Canadian beer company. The password for its abuse account? You guessed it: "abuse".
Ah, the irony. Here we have the very accounts these entities use to respond to complaints about fraudulent activity being used to perpetrate fraudulent activity.
As these attacks show, cyber criminals will go to a great deal of effort to construct their fraud schemes. Don't do them any favors by providing them virtual safe houses that can be used to facilitate these scams: If you run a Web site and/or e-mail server, be sure to update those with the latest security patches, and choose non-obvious passwords for accounts used to access these services.
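The two abuse-mailbox passwords quoted above ("123456" and "abuse") are exactly the kind of credential a routine audit catches: a password on a common-password list, or one derived from the mailbox name itself. The script below is an added example, not code from the article, showing how an administrator might audit service mailboxes for those failure modes before an attacker finds them. The account names and passwords in it are constructed sample data, and the tiny denylist stands in for a real breach-corpus wordlist.

```python
"""Audit service-mailbox credentials for the weaknesses described in the post:
abuse@ accounts protected by passwords such as "123456" or "abuse".

Added example, not code from the original article. Every account and password
below is constructed sample data, not a real credential.
"""
import math
import re
from collections import Counter

# Constructed mini denylist; a real audit would load a large breach wordlist.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
    "admin", "welcome", "abuse", "postmaster", "111111", "iloveyou",
}


def shannon_entropy_bits(s: str) -> float:
    """Total bits of entropy estimated from character frequencies in s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def password_findings(address: str, password: str, min_len: int = 12) -> list[str]:
    """Return the reasons a mailbox password is weak; an empty list means it passed.

    Checks: denylist membership, password derived from the mailbox local part
    or domain label, digit-only content, minimum length, and low entropy.
    """
    local, _, domain = address.lower().partition("@")
    low = password.lower()
    findings = []
    if low in COMMON_PASSWORDS:
        findings.append("in common-password list")
    # Keep letters only so "abuse2008!" still matches the local part "abuse".
    core = re.sub(r"[^a-z]", "", low)
    if core and (core == local or (len(core) >= 3 and (core in local or local in core))):
        findings.append("derived from mailbox local part")
    dom = re.sub(r"[^a-z]", "", domain.split(".")[0])
    if core and len(dom) >= 4 and dom in core:
        findings.append("derived from domain name")
    if password.isdigit():
        findings.append("digits only")
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if shannon_entropy_bits(password) < 30:
        findings.append("low entropy")
    return findings


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Run password_findings over every account and return only the failures."""
    return {a: f for a, p in accounts.items() if (f := password_findings(a, p))}


# Constructed sample data modelled on the post; domains are placeholders.
SAMPLE_ACCOUNTS = {
    "abuse@example.gov.br": "123456",
    "abuse@example-beer.ca": "abuse",
    "abuse@example.org": "Correct-Horse-Battery-9!",
}

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {', '.join(reasons)}")
```

Run against the sample data, the first two mailboxes are reported with several findings each and the third passes. The local-part check is the one most relevant to the post: service mailboxes like abuse@, postmaster@ and admin@ have predictable names, so a password equal to or containing that name is as guessable as one from a wordlist.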
Update, Mar. 16, 6:03 p.m. ET: Modified text in the second paragraph from "1-800 number" to "a provided phone number." While many vishing scams indeed employ toll-free numbers, none of the numbers used in these scams were toll-free.
Update, Mar. 17, 11:24 p.m. ET: Baldwin said records indicate these phishers have been at this for several months now. He was able to gain access to a digital copy of one of the servers that these crooks used to accept incoming calls for this scam from Jan. 13, 2008 to Feb. 21. During that time, the phishers sent millions of text messages, and records from that server show that roughly 4,400 people called the fake bank phone number as directed. Out of those, 125 people entered their full credit/debit card number, expiration and PIN, Baldwin found.
March 15, 2008; 5:54 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips, Web Fraud 2.0