Customers of a number of US banks have recently been hit by Voice over IP phishing (vishing) attacks orchestrated by eastern European cyber crooks, warns John LaCour, founder and CEO of PhishLabs.
“While not as prevalent as online phishing and crimeware attacks, vishing attacks are often run by professional crews. These crews use vishing to harvest card data, which they then sell or hand-off to cash-out crews,” he explained in a blog post earlier this week.
“The data is then used for card-not-present transactions (e.g. shopping online or via phone) or it is encoded onto new cards to purchase goods or withdraw cash from ATMs.”
Vishing attacks usually begin with an SMS – in the latest attack the company's researchers investigated, the criminals sent messages to the customers of a mid-size bank, claiming that their debit card had been deactivated. In order to “activate” it again, the customers were told to call a number and provide the card number and PIN.
Attackers usually use email-to-SMS gateways to send the phishing messages to a large number of users. They install Interactive Voice Response (IVR) software on random servers they have managed to hack, and route calls from compromised VoIP servers to it. The software answers the calls and records the entered information, which the attackers later retrieve.
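As a defender-side illustration of the lure described above (an added example, not code from PhishLabs or the article): a small heuristic that triages inbound customer SMS reports for the “card deactivated, call this number, enter your card number and PIN” pattern. The indicator lists, the threshold and the sample messages are assumptions constructed for this example.

```python
import re

# Constructed sample messages (not from the article). The first two imitate
# the lure described in the text; the last two are benign bank notifications.
SAMPLE_SMS = [
    "ALERT: Your debit card has been deactivated. To activate call "
    "800-555-0100 and enter your card number and PIN.",
    "Card locked for security. Reactivate now: 1-800-555-0199",
    "Your statement is ready. Log in to online banking to view it.",
    "A purchase of $42.10 was approved on your card ending 1234.",
]

# Indicators of the lure: a claimed block, a demand to (re)activate, a request
# for secrets a bank never asks for by SMS, and a call-back number.
# The vocabulary below is an assumption for the example, not an exhaustive list.
INDICATORS = {
    "deactivation": re.compile(r"\b(deactivated|suspended|locked|blocked|frozen)\b", re.I),
    "activation_demand": re.compile(r"\b(re)?activat\w*\b", re.I),
    "sensitive_data": re.compile(r"\b(pin|card number|cvv|ssn|social security)\b", re.I),
    # North American 10-digit number with optional country code and separators
    "callback_number": re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
}


def lure_indicators(text: str) -> list:
    """Return the names of all indicators present in one SMS, in a fixed order."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def is_vishing_lure(text: str, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` indicators co-occur.

    A single indicator (e.g. a phone number) is normal in legitimate alerts;
    the combination of block + action + secrets/number is what marks the lure.
    """
    return len(lure_indicators(text)) >= threshold


def triage(messages: list) -> list:
    """Return (message, indicators) pairs for the messages worth escalating."""
    return [(m, lure_indicators(m)) for m in messages if is_vishing_lure(m)]


if __name__ == "__main__":
    for message, hits in triage(SAMPLE_SMS):
        print(f"FLAGGED {hits}: {message}")
```

The output of `lure_indicators` doubles as the reason list for the support analyst who handles the customer's report.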
Given that the withdrawal limit on ATM cards is typically $300 per day, the researchers estimated that in this latest attack the crooks could have “earned” $75,000 per day if the stolen cards were used in an ATM cash-out operation.
But what can customers and banks do about this?
Customers are advised to be wary of similar messages and, if in doubt, contact the bank for more information – just be careful not to use contact information provided via the SMS.
Financial institutions can do a number of things, and among these are the following:
- Ensure that customer support personnel are trained to handle vishing reports
- Work with telecoms to gain a good grasp of their procedures and to know who to contact immediately after discovering an attack
- Be ready to quickly notify customers of the attack, and do so via the channels they usually use (not from random or never-before-used phone numbers and email addresses).