Thursday, March 1, 2012

Vishing


What is Vishing?
  • Voice phishing, or vishing, is the use of bogus phone numbers to trick people into revealing confidential information.
  • According to research done at Websense Labs in San Diego, it is one of the top 10 security threats expected in 2008.
  • Vishing asks the victim to call a phone number rather than visit a website, but the intention is the same: to steal details for financial gain.
    Example: a PayPal voice phishing e-mail.
Vishing Attack
  • It looks much like a traditional e-mail phishing attack, except that instead of tricking the victim into clicking a spoofed link that takes them to a website, the attacker tricks them into dialing a phone number that connects to a spoofed automated attendant.
  • Vishing attacks are rising as voice-over-IP services become more popular.
Example scenario
  A vishing e-mail can trick you into calling a number that you believe belongs to your bank. The attacker can mock up a VoIP system fairly easily with free tools, then ask you to enter your account information and PIN, and even other verification data such as your Social Security number or billing ZIP code. The attacker can then reconstruct those keypad tones after the fact and use them to access your account.

What can be done to combat vishing?
  • User education
    Consumers can protect themselves by being suspicious of any unsolicited message that suggests they are targets of illegal activity, no matter what the medium or apparent source. Rather than calling a number given in an unsolicited message, a consumer should call the named institution directly, using a number that is known to be valid, to verify all recent activity and to ensure that the account information has not been tampered with.
  • The best defense against vishing is a little common sense.
  • If a caller claiming to be your bank or another financial institution you are affiliated with asks for personal data, hang up and call back using only the number printed on the back of your card or on an official statement.
Is spam filtering applicable to vishing?
  • No.
  • There are two reasons why content filtering does not apply to vishing.
  1. The spam cannot be analyzed before the user sees it.
     When the user answers the call, the call is already established and the user is paying attention before the content is delivered.
  2. If the content is stored before the user accesses it, it will be in the form of recorded audio or video (e.g. voice mail).
     Speech and video recognition technology is not likely to be good enough to analyze such content and determine whether or not it is spam.
Countermeasures for Vishing
  • If your VoIP system has a constant feed of known voice-phishing numbers, program them into your PBX as restricted numbers.
  • That way users would not necessarily be able to call those numbers back, even after falling for the e-mail come-on.
  • There are two list-based approaches to eliminating vishing calls:
    • Black lists
    • White lists
Black Lists
  • Black listing is an approach whereby the vishing filter maintains a list of addresses that identify "vishers".
  • These addresses include both individual usernames and entire domains. Pure blacklists are not very effective in email for two reasons.
White Lists
  • White lists are the opposite of black lists: only callers on the list are accepted.
  • Unlike with black lists, a visher cannot change identities to get around a white list.
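The PBX countermeasures above (restricted call-back numbers, and black or white lists of SIP usernames and domains) as one added example in Python; this is illustrative code written for this post, not part of any real PBX, and every list entry and phone number in it is a constructed placeholder. It assumes caller identities arrive as SIP addresses and that dialed numbers follow the North American numbering plan.

```python
import re

# Constructed sample lists (hypothetical values, not real indicators).
RESTRICTED_NUMBERS = {"15550109999", "15550100123"}     # from a hypothetical vishing-number feed
BLACKLISTED_USERS = {"autoattendant@voip.example.net"}  # specific "visher" addresses
BLACKLISTED_DOMAINS = {"voip.example.net"}              # entire domains, subdomains included
WHITELISTED = {"alerts@bank.example.com"}               # known-good callers

def parse_sip(addr):
    """Split 'sip:user@domain', '<sip:user@domain>' or 'user@domain' into (user, domain)."""
    m = re.fullmatch(r"<?(?:sips?:)?([^@<>\s]+)@([^;>\s]+)>?", addr.strip().lower())
    if not m:
        raise ValueError(f"not a SIP address: {addr!r}")
    return m.group(1), m.group(2)

def screen_inbound(addr, whitelist_only=False):
    """Return 'allow' or 'block' for an inbound caller identity.
    The white list is checked first; in whitelist-only mode everything else is blocked,
    so a visher gains nothing by switching to a fresh identity."""
    user, domain = parse_sip(addr)
    full = f"{user}@{domain}"
    if full in WHITELISTED:
        return "allow"
    if whitelist_only:
        return "block"
    # Black list: the exact address, the domain itself, or any subdomain of it.
    if full in BLACKLISTED_USERS:
        return "block"
    if domain in BLACKLISTED_DOMAINS or any(domain.endswith("." + d) for d in BLACKLISTED_DOMAINS):
        return "block"
    return "allow"

def normalize_number(dialed):
    """Reduce a dialed string to digits; a 10-digit number is assumed to be
    North American and gets country code 1 prepended (an assumption of this example)."""
    digits = re.sub(r"\D", "", dialed)
    if len(digits) == 10:
        digits = "1" + digits
    return digits

def outbound_restricted(dialed):
    """True if the number a user is trying to call back is on the PBX restricted list."""
    return normalize_number(dialed) in RESTRICTED_NUMBERS

if __name__ == "__main__":
    for caller in ("sip:alerts@bank.example.com", "<sip:x@ivr.voip.example.net>", "sip:newname@other.example.org"):
        print(caller, "blacklist:", screen_inbound(caller), "whitelist-only:", screen_inbound(caller, whitelist_only=True))
    print("1-555-010-9999 restricted:", outbound_restricted("1-555-010-9999"))
```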