ID SECURITY

Phishers Latch Onto VoIP Systems

Print Version
E-Mail Article
Reprints

By Erika Morphy
TechNewsWorld
04/28/06 2:48 PM PT

It is not surprising that phishers have turned their attention to VoIP connections, Ron O'Brien, security analyst with Sophos, told TechNewsWorld. "We do consider it an emerging threat."


Rackspace is the expert when it comes to delivering hosting solutions. From building out Windows and Linux servers and highly complex configurations to managing and supporting network environments, mail solutions, storage, data backups and far more, Rackspace is here to make your life easier. Learn more.

Phishers are targeting potential victims through yet another channel: voice over IP systems.

Cloudmark, a provider of messaging security applications, this week discovered two separate e-mail schemes that direct recipients to VoIP systems in an effort to steal their personal data.

The scam works like this, according to Adam J. O'Donnell, senior research scientist at Cloudmark: "The target receives an e-mail Learn how you can enhance your email marketing program today. Free Trial - Click Here., ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem."

Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR (interactive voice response) system that sounds exactly like their own bank's phone tree and directs them to specific extensions.

The fake phone system then prompts the caller to enter his or her account number and PIN.

Consumers should not dial phone numbers received in e-mails from institutions, Cloudmark advises -- just as they shouldn't click on links provided by banks and other financial service providers in e-mails.

The Next Thing

The scam is particularly ingenious because it is so cheap for the phisher to run. One reason for VoIP's rapidly growing adoption, after all, is its low cost. As Cloudmark points out, VoIP-based services allow phishers to cheaply add and cancel phone numbers that are harder to trace than conventional numbers.

It is not surprising that phishers have turned their attention to VoIP connections, Ron O'Brien, security analyst with Sophos Latest News about Sophos, told TechNewsWorld. "We do consider it an emerging threat," he said.

"Anytime you have an open port, you have a vulnerability -- and there will always be someone willing to try to capitalize on that vulnerability."

Same Pattern

While the this particular type of attack may be novel at the moment, O'Brien said other scam artists with a technical bent are likely to follow suit.

"These things tend to follow the same pattern," he noted. "One or two people try it out, meet with reasonable success, and then it eventually becomes another way for criminals to generate revenue."

Consumers have to learn to think of all electronic peripherals as potentially vulnerable -- if not from phishers, then from hackers intent on stealing data they could not otherwise trick a user into revealing, O'Brien cautioned.

This wariness is necessary "especially at the end point," he said. "There are a number of devices that link with PCs, and it is essential to protect those vulnerable areas."

Over the last few years, proof of concept viruses and other malware have specifically targeted mobile phones and other handheld devices via instant messaging systems. Now VoIP joins the list of compromised channels.

Social Networking Toolbox:
Talkback: Be the first to comment on this story.

Print Version E-Mail Article Reprints More by Erika Morphy   RSS

Related News Alerts

Sophos Activate Alert | Search Archives

Related Resources

Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]