Network News

X My Profile
View More Activity

The Anatomy of a Vishing Scam

A series of well-orchestrated wireless phone-based phishing attacks against several financial institutions last week illustrates how scam artists are growing more adept at fleecing consumers by exploiting security holes in seemingly unrelated Internet technologies.

The scams in this case took the form of a type of phishing known as "vishing," wherein cell-phone users receive a text message warning that their bank account has been closed due to suspicious activity, and that they need to call a provided phone number to reactivate the account. Victims who called the number reached an automated voice mail box that prompted callers to key in their credit card number, expiration date and PIN to verify their information (the voice mail systems involved in these sorts of scams usually are run off of free or low-cost Internet-based phone networks that are difficult to trace and shut down).

According to Lawrence Baldwin, the security forensics professional who was called in to help investigate, the attacks went down like this: The scammers targeted customers of multiple financial institutions, sending the text message lures solely to mobile numbers assigned to customers who lived in the geographic regions served by the individual institutions. For example, one scam targeting Motorola Employees Credit Union was sent only to Cingular mobile numbers assigned to consumers in the Schaumburg, Ill., area, where Motorola is headquartered. Yet another vishing attack sought Qwest customers in the Boulder region who may have belonged to the Boulder Valley Credit Union.

A third vishing attack, against the Bank of the Cascades, produced an unusual response from the institution. In a message on its home page, Bank of the Cascades urges people who have received the messages to "Call your cell phone service provider immediately to alert them of the fraud and discuss their recommendations for handling scam text messages." Here's the only recommendation Bank of Cascades customers need: "We didn't send it, just delete it or ignore it. If you fell for the scam, give us a call or come on in."

The first stop in setting up this vishing volley was the compromise of a Web site called The attackers broke into the site by exploiting an ancient flaw (in Internet time) in Horde, a free Webmail utility. Once there, they installed a bunch of scripts on the Web server; several of the scripts contained millions of provider- and region-specific phone numbers that would receive the vishing messages, while another listed the credentials needed to log into and send e-mail from dozens of outside e-mail servers.

The attackers had previously compromised those e-mail servers by hijacking the accounts used to receive "abuse" complaints for those servers. The scammers were able to use those abuse inboxes to blast out spam because the administrators of those servers had failed to select even halfway decent passwords for the accounts.

For example: One of the e-mail accounts used in the attack was "," the abuse complaint box for a Brazilian government portal. Just what was the awesomely bad password (now changed) that was assigned to that account? Wait for it... "123456." Another abuse account used in the attack belonged to a Canadian beer company. The password for its abuse account? You guessed it: "abuse".

Ah, the irony. Here we have the very accounts these entities use to respond to complaints about fraudulent activity being used to perpetrate fraudulent activity.

As these attacks show, cyber criminals will go to a great deal of effort to construct their fraud schemes. Don't do them any favors by providing them virtual safe houses that can be used to facilitate these scams: If you run a Web site and/or e-mail server, be sure to update those with the latest security patches, and choose non-obvious passwords for accounts used to access these services.

Update, Mar. 16, 6:03 p.m. ET: Modified text in the second paragraph from "1-800 number" to "a provided phone number." While many vishing scams indeed employ toll-free numbers, none of the numbers used in these scams were toll-free.

Update, Mar. 17, 11:24 p.m. ET: Baldwin said records indicate these phishers have been at this for several months now. He was able to gain access to a digital copy of one of the servers that these crooks used to accept incoming calls for this scam from Jan. 13, 2008 to Feb. 21. During that time, the phishers sent millions of text messages, and records from that server show that roughly 4,400 people called the fake bank phone number as directed. Out of those, 125 people entered their full credit/debit card number, expiration and PIN, Baldwin found.

By Brian Krebs  |  March 15, 2008; 5:54 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Ukrainian CyberCrime Boss Leads Political Party
Next: Hannaford Breach May Presage '08 Trend


"the abuse complaint box for a Brazilian government portal. Just what was the awesomely bad password (now changed) that was assigned to that account? Wait for it... "123456.""

Brazil uses Linux, so at least they had to remember how to count to six. Windows would remember it for them.

Posted by: GTexas | March 16, 2008 4:07 PM | Report abuse

Well, if Brazil uses Linux, perhaps they also use Autopsy and Sleuthkit to Analyse Breaches, but if the pass word was 123456, or abuse, what good is either program?

Posted by: brucerealtor | March 16, 2008 10:37 PM | Report abuse

How bad is that "123456" password? Let me count the ways...

Posted by: Pete from Arlington | March 17, 2008 11:51 AM | Report abuse

Well the internet revolution is well under way... in fact we're long passed the revolutionary stage at this point (as big advances can happen on an almost daily basis now). We have, more aptly, entered the "War of 1812" stage (to keep the war thread rolling).

Much like the British tested America's resolve then, the evil doers we face now are always testing, testing, testing our limits in both technology and social intelligence.

In the end, for this situation, just plain common sense should have been enough to alert intended victims that something wasn't right. Prudence, if nothing else should have caused the vast majority to check first before acting, and getting caught in the trap.

After all the groups targeted consisted of folks I would consider to be highly intelligent and possed of at a bit higher degree of social skills.

Or maybe common sense just isn't that common any more?

Vic Fichman

Posted by: Vic Fichman | March 17, 2008 3:54 PM | Report abuse

See also
Introduction to Vishing

Posted by: Michael Horowitz | March 20, 2008 5:09 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company