Monday, April 23, 2012

What Is Vishing

Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward. The term “vishing” is derived from a combination of “voice” and “phishing.”

The use of landline telephony systems to persuade someone to perform unintended actions has existed since the birth of the telephone. Who didn’t make prank phone calls as a child? However, landline telephony services have traditionally terminated at a physical location known to the telephone company and could therefore be tracked back to a specific bill payer. The recent massive increase in IP telephony has meant that many telephone services can now start or terminate at a computer anywhere in the world. In addition, the cost of making a telephone call has dropped to a negligible amount.

This combination of factors has made it financially practical for phishers to leverage VoIP in their attacks. Vishing is expected to have a much higher success rate than other phishing vectors because:

  • Telephone systems have a much longer record of trust than newer, Internet-based messaging
  • A greater percentage of the population can be reached via a phone call than through e-mail
  • There is widespread adoption and general acceptance of automated phone validation systems
  • The telephone makes certain population groups, such as the elderly, more reachable
  • Timing of message delivery can be leveraged to increase the odds of success
  • The telephone allows greater personalization of the social engineering message
  • Increased use of call centers means that the population is more accepting of strangers, who may have accents, asking for confidential information

Valuable data

Although there are multiple vectors for the phisher to conduct a vishing attack, it is important to understand the types of data that are most easily gained by the attacker leveraging IP telephony services. Typically, numeric information is more easily submitted by the victim when responding to a vishing attack using a mobile handset.

The most valuable information to the phisher is likely to be:

  • Credit card details (including expiration dates and card security codes)
  • Account numbers and their corresponding personal identification numbers (PINs)
  • Birthdays
  • Social Security numbers
  • Customer loyalty card numbers
  • Passport numbers

The most profitable uses of the information gained through a vishing attack include:

  • Controlling the victims’ financial accounts
  • Purchasing luxury goods and services
  • Identity theft
  • Making applications for loans and credit cards
  • Transferring funds, stocks and securities
  • Hiding criminal activities, such as money laundering
  • Obtaining personal travel documents
  • Receiving government benefits.
