VISHING 1.

Introduction:
Many of today’s widespread threats rely heavily on social engineering techniques, which are used to manipulate people into performing actions or divulging confidential information to leverage and exploit technology weaknesses. Phishing is the most commonly exploited threat currently plaguing the Internet and its users. At one point, phishing referred exclusively to the use of e-mail to deliver messages whose purpose was to persuade recipients to visit a fake website designed to steal authentication details. Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used, each with its own nuances and target audiences. The following threats are all subcategories of the phishing threat:
 Pharming is the manipulation of Domain Name Server (DNS) records to redirect victims.  Spear phishing consists of highly targeted attacks.  Smishing uses Short Message Service (SMS) on mobile phones.  Vishing leverages Internet Protocol (IP)–based voice calling.

This paper specifically examines Vishing and provides an analysis of current and future vectors for this particular attack.

2. What is Vishing?
Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone. Vishing is a convincing trick that uses scare tactics to pressure targets into giving up personal information. Identity thieves are eager to use personal information to open accounts, run up debt and ruin the victim’s credit. Thieves might pretend to be from legitimate financial institutions, companies, or

VISHING

1

government agencies. often generated by speech synthesis. passwords and personal identification numbers. 3. bank account. and an automated voice prompts the caller to provide authentication information. the potential victim receives an e-mail like the following: VISHING 2 . The most common method for delivering the initial socially engineered messages is through an Internet e-mail. each of which lends itself to a particular audience and exploit vector. The potential victim receives a message. However. The victim is told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur". They seek confidential information such as financial account and credit card numbers. the victim dials the number. in this case. mortgage account or other financial service in their name. How Vishing Works? A vishing attack can be initiated using a variety of methods. For example. indicating that suspicious activity has taken place in a credit card account. Social Security Numbers. The e-mails are almost identical to the classic phishing attacks that instruct the message recipient to click on an embedded URL that takes the victim to a fake Web site to steal authentication credentials.

[name of local bank] has locked your account. To secure your accounts and protect your private information. [Name of local bank] Online customer service The socially engineered victim then dials the number. Sincerely.1: The fake e-mail received. We are committed to making sure that your online transactions are secure. Dear customer.Fig 3. We’ve noticed that there have been three unsuccessful attempts to access your account at [name of local bank]. He may hear something such as this: VISHING 3 . Please call us at [phone number with local area code] to verify your account and your identity.

The problem of trust: Vishing mimics the legitimate ways people interact with their financial institutions. and the victim thinks there was something wrong with the service. and the victim is never aware that his authentication was appropriated by the visher. followed by the pound key. please type your bank account number. Alternatively.” At this stage. the vishing attack may redirect the victim to the real customer service line. Now please type your PIN. the automated system prompts him to authenticate himself. we require that you authenticate your identity before proceeding. We will now transfer you to the appropriate representative. because the traceability and cost of landline or cellular phone service VISHING 4 . followed by the pound key.” The caller enters his Social Security number and again receives a prompt from the automated system: “Thank you.” The caller enters his PIN and hears one last prompt from the system: “Thank you. 4. He may hear something like: “The security of each customer is important to us. People trust phone transactions more than they trust the Internet. so victims are more likely to respond without hesitation.“Thank you for calling [name of local bank]. followed by the pound key. Regardless of what the caller presses. To proceed further.” The victim is then presented with the certain options. Now please type your Social Security number.” The caller enters his bank account number and hears the next prompt: “Thank you. the phone call is dropped. So. To help you reach the correct representative and answer your query fully. Your business is important to us. please press the appropriate number on your handset.

A bank never calls asking for such VISHING 5 . and PIN. The following are some of the characteristics of a Vishing attack:  The call or a mail is said to be from a bank and it asks to reveal some sensitive information. war dialing).  Inexpensive software lets thieves create an interactive voice response system that sounds exactly like the one your bank uses-even matching the on-hold music.make mass phone fraud impractical. The capability to use proxies to route traffic internationally.g. thereby obfuscating the true source of the attacks. The minimal cost to make or receive calls.  Internet-based phone companies make it easy to obtain an anonymous account and to handle large call volumes at little cost. 5. so protection against vishing is up to the user. (Most communications include something that will concern or excite the victim. This is something to be thought upon. The ability to mask or impersonate caller ID information. card expiration date.      The ability to reach any phone number from any location in the world.  Traditional anti phishing tools cannot easily detect a phony telephone number within email text. The reasons for increasing vishing attacks include:  Vishing is very hard for legal authorities to monitor or trace. But VoIP service has rendered that security blanket inoperative.) The toll-free number includes a recorded message that asks the customer to key their account number. The ease of automating calling tasks (e. The calls claim their accounts have been frozen and then direct the cardholder to call a toll-free number to leave their debit card information in order to reactivate any cards. Vishing Characteristics: Cardholders receive computer-generated calls claiming to be from their financial institution..

They call eventually to inform about their special offers or something like that.information. They do this to scare people who receive the call and see to it that the users do not become suspicious and call the authorities. Type of data prone to attack: Although there are multiple vectors for the visher to conduct a vishing attack. but generally vishers can get their job done with the even such data.  Customer loyalty card numbers.2. The only reason the bank will call is for marketing purpose. it is important to understand the types of data that are most easily gained by the attacker leveraging IP telephony services. 5. Data usage by the attacker: VISHING 6 .  Account numbers and their corresponding personal identification numbers (PINs). Some attackers do not ask for the CVV’s of credit card numbers and some others request for only 6 digits of the credit card number.  The type of information requested may appear trivial to the user in some cases.  The user’s name will never be mentioned in the call or mail because they don’t know the names of users. This can be when they can get their purpose satisfied with that information itself. then the name will be known for sure.  Social Security numbers. If it was a genuine mail.  Birthdays. numeric information is more easily submitted by the victim when responding to a vishing attack using a mobile handset.  Most of the calls start with a message telling that this is a secure call and it will be recorded once you start “the verification process”.1. 5.  Passport numbers. Typically. The most valuable information to the visher is likely to be:  Credit card details (including expiration data and card security codes).

especially in collusion with the register operator. costs. but first the bank must speak with the cardholder and verify that he is..  Making applications for loans and credit cards. Card-owner validation: Consumers are frequently asked to validate their presence during a high-value purchase at the checkout. Dumpster diving: The attacker regularly trawls through the trash of local retailers and will often find receipt rolls and voided transaction notes. The following are some of the attacks which amount to great loss of information: 6. Usually the cash register operator is told to dial a bank number to get a transaction authorization number.  Purchasing luxury goods and services. the account owner. for example. 6. cardholders’ names. These receipts already hold a wealth of information. This would VISHING 7 .The most profitable uses of the information gained through a vishing attack include:  Controlling the victims’ financial accounts. such as money laundering. Other attacks: Vishing will inevitably advance beyond the current range of attack vectors that constitute components of a sophisticated and targeted attack.  Obtaining personal travel documents. full or partial credit card numbers.  Transferring funds. all of which can be easily leveraged in a highly personalized phishing attack. It would be a relatively easy task for organized attackers to insert or impersonate this validation process. items purchased.  Identity theft. stocks and securities. transaction dates. in fact.  Receiving government benefits.2. etc.  Hiding criminal activities. 6.1.

or automatically intercepting. as they already have that information on file. The phone is then locked and only able to receive or call numbers owned by the visher. particularly when conducted using VoIP.  Never respond to an email or voice mail that asks you to go to a Web site or call a phone number to resolve an account problem. VISHING 8 . Consumers can protect themselves by suspecting any unsolicited message that suggests they are targets of illegal activity. to verify all recent activity and to ensure that the account information has not been tampered with. Rather than calling a number given in any unsolicited message. using a number that is known to be valid. recording and transcribing the victim’s phone calls to automatically identify confidential information.enable them to obtain additional personal information about their victims. either transparently generating revenue for the visher with each call by the victim. Handset blackmail: The visher may persuade victims to receive or install a software update to their phones.4. a consumer should directly call the institution named. Overcoming Vishing: Vishing is difficult for authorities to trace. etc. which may render sovereign law enforcement powerless. 6.3. the victim must call a specific primary rate number. Financial institutions don’t request identifying information over the telephone. Some security mechanisms that should be followed to overcome these attacks are:  Personal information should never be revealed to the unsolicited mails or calls received. 7. The bank or credit card company is to be immediately reported about the incident. Social Security numbers. vishing scams are often outsourced to other countries. like many legitimate customer services. To unlock the phone. These are never legitimate. 6. Furthermore. Exploit payloads: The visher causes the phone to automatically prefix all calls with a primary rate routing number. birth dates. for example. no matter what the medium or apparent source.

The financial institution is to be contacted first.com/security/article.gc. For example.html VISHING 9 .rcmp-grc. ask the person at the other end of the line to verify a recent transaction you've made. Vishing is an increasingly popular attack vector for phishers because of its ability to reach beyond the computer screen and target a broader range of potential victims and because it is a more effective platform for launching social engineering attacks. when users expect spoofs to be present and are motivated to discover them.  Greet all phone calls and e-mails about your accounts with a great deal of skepticism.php/3619086 www. A thief is not likely to have access to this type of information. Get into the habit of asking for authentication. 8. the assumption that the phone number calling the consumer can be traced back to a (local) billable address will be fully leveraged by phishers for maximum profit gain. many users cannot distinguish a legitimate mail from an unsolicited one.  The authenticity of a call should not be trusted based on caller ID.iss.no matter how official they may sound. Today.pdf news. Conclusions: Studies illustrate that even in the best case scenario. References: en.  Private data should never be given out over a phone or online in response to an email or automated phone call.html www.cnet. The mechanisms discussed above are to be kept in mind and the security mechanisms should also be followed to overcome the threats imposed by vishers.com/8301-13554_3-9899849-33.internetnews.ca/scams/vishing_e. Attackers can make it appear that the call is coming from a genuine financial institution.net/documents/whitepapers/IBM_ISS_vishing_guide. The historical trust that consumers have placed in telephony services.wikipedia.  Don't ever believe ‘account updates’ or checking on this or that .org/wiki/Vishing www.

westchestergov.com/news_vishingscams.jsp?aid=cs_vishing VISHING 10 .http://www.com/norton/clubsymantec/library/article.html http://www.symantec.