Phishers Add VoIP (and ASTERISK) to Bank-Scam Arsenal

If only they would use their Asterisk powers for good instead of evil…

Walaika K. Haskins,
Fri Apr 28, 12:50 PM ET

Phishers have added a new component in their efforts to gain their victims’ bank account information – Internet telephony. A San Francisco-based security firm disclosed that it has discovered a phishing con in which the grifters use Voice over IP (VoIP) technology to record data from banks’ automated voice systems.

According to messaging-security firm Cloudmark, the swindlers send out e-mails in which they pose as a victim’s bank. The messages claim that there is a problem with the user’s bank account and provide a number to call to enter personal information about the account.

“We’ve seen two separate VoIP attacks hit our network this week, the first we’ve been able to analyze in detail,” Adam J. O’Donnell, senior research scientist at Cloudmark, said in a statement.

Targeted victims who call the number included in the e-mail are connected via VoIP to a computer running an automated voice-answering system that sounds just like a bank’s phone tree.

Better Scam

VoIP phishing attacks are effective, according to Cloudmark, because the phone system identifies itself to the victims as the financial institution and prompts them to enter account numbers and personal identification numbers (PINs). The scammers then have complete access to all the financial records attached to the account.

Heretofore, phishers have relied almost exclusively on attracting unsuspecting consumers to phony versions of financial Web sites. VoIP services can reduce the cost associated with conducting such attacks, providing the perpetrators with less risk of discovery, according to Cloudmark.

The schemes represent an unprecedented alteration in phishing tactics that the company said might already have been occurring for some time. The risks posed by the scam are serious because there is no evidence that the VoIP providers are even aware of the scam, Cloudmark reported, although the security firm has declined to name the particular VoIP service used in this latest scheme.

The company did indicate, though, that the malefactors are using Asterisk, an open-source software platform, to convert a PC into a phone-answering system. O’Donnell said that the phishers probably were using virus-infected computers they had hijacked to make the Internet calls.

Safety First

“I’m not surprised by this,” said Lisa Pierce, an analyst with research firm Forrester. Many companies, Pierce said, worry about the security issues associated with VoIP, but some have not safeguarded their networks thoroughly in response.

“The public Internet should not be directly connected without adequate safeguards to any company resource – voice or data – at any site,” she said. “Businesses should verify that they have implemented a secure architecture across all resources.”

Pierce recommends using extreme caution when responding to e-mails seemingly sent from a financial institution. Before complying with the instructions in these messages, she said, everybody should verify that the number they are being asked to call is in fact the bank’s real phone number.
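The check Pierce describes (is the call-back number really the bank's?) can also be automated at a mail gateway, so that messages naming a bank and supplying a phone number that is not on that bank's published list get flagged before anyone dials it. The script below is an added example written for this post; it is not code from the article, Cloudmark or Asterisk. The bank names, the allow-list of "published" numbers and the sample messages are all constructed here, and the phone-number pattern only covers common North American written forms.

```python
"""
Added example (not from the original article): a minimal mail-gateway check
for the vishing pattern described above, an e-mail posing as a bank that
asks the reader to call a number.  Brand names, allow-listed numbers and the
sample messages are constructed for this demo; a real deployment would load
the allow-list from each institution's published contact pages.
"""
import re
from dataclasses import dataclass, field

# Constructed allow-list: brand keyword -> known-good numbers, digits only,
# stored with a leading country code "1" so that every written form of the
# same number normalizes to the same key.
KNOWN_BANK_NUMBERS = {
    "examplebank": {"18005550100", "18005550101"},
    "sampletrust": {"18005550199"},
}

# Matches North American numbers as they are usually written in mail:
# (800) 555-0100, 800-555-0100, 1-800-555-0100, 800.555.0100, 18005550100.
# The look-arounds keep it from biting into longer digit runs (account ids).
PHONE_RE = re.compile(
    r"(?<!\d)(?:1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)


def normalize(groups):
    """Turn the (area, exchange, line) groups into the canonical 11-digit form."""
    return "1" + "".join(groups)


def extract_numbers(text):
    """All phone numbers in the message body, normalized and de-duplicated."""
    return {normalize(m) for m in PHONE_RE.findall(text)}


def mentioned_banks(text):
    """Brand keywords from the allow-list that appear in the message."""
    lowered = text.lower()
    return [brand for brand in KNOWN_BANK_NUMBERS if brand in lowered]


@dataclass
class Verdict:
    suspicious: bool
    banks: list
    unknown_numbers: set = field(default_factory=set)
    reason: str = ""


def check_message(text):
    """Flag a message that names a bank and offers a number the bank does not publish."""
    banks = mentioned_banks(text)
    numbers = extract_numbers(text)
    if not banks or not numbers:
        return Verdict(False, banks, set(), "no bank brand with a call-back number")
    allowed = set().union(*(KNOWN_BANK_NUMBERS[b] for b in banks))
    unknown = numbers - allowed
    if unknown:
        return Verdict(True, banks, unknown, "call-back number not on the bank's published list")
    return Verdict(False, banks, set(), "all numbers match the published list")


# Constructed sample messages: one lure, one legitimate notice, one unrelated mail.
SAMPLES = {
    "lure": (
        "ExampleBank Security Alert: there is a problem with your account. "
        "Call 1-800-555-0123 immediately and enter your account number and PIN."
    ),
    "legit": "Your ExampleBank statement is ready. Questions? Call (800) 555-0100.",
    "unrelated": "Your parcel is waiting at the depot, call 555-0100 to reschedule.",
}


def scan(samples):
    """Run the check over a batch of messages; returns name -> suspicious flag."""
    return {name: check_message(body).suspicious for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = check_message(body)
        flag = "FLAG" if verdict.suspicious else "ok  "
        print(f"{flag} {name}: {verdict.reason} {sorted(verdict.unknown_numbers)}")
```

The allow-list only works if it is maintained from the institution's own published numbers; the script deliberately flags any number it cannot vouch for rather than trying to judge whether a number "looks" legitimate, which is the point the article makes about toll-free and regular numbers alike.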

“At this point in time, 800 and [other] toll-free numbers are more immune than regular numbers,” she said.