Phishers Latch Onto VoIP Systems

Cloudmark, a provider of messaging security applications, this week discovered two separate e-mail schemes that direct recipients to VoIP systems in an effort to steal their personal data.

The scam works like this, according to Adam J. O'Donnell, senior research scientist at Cloudmark: "The target receives an e-mail, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem."

Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR (interactive voice response) system that sounds exactly like their own bank's phone tree and directs them to specific extensions.

The fake phone system then prompts the caller to enter his or her account number and PIN.

Consumers should not dial phone numbers received in e-mails from institutions, Cloudmark advises -- just as they shouldn't click on links provided by banks and other financial service providers in e-mails.

The Next Thing

The scam is particularly ingenious because it is so cheap for the phisher to run. One reason for VoIP's rapidly growing adoption, after all, is its low cost. As Cloudmark points out, VoIP-based services allow phishers to cheaply add and cancel phone numbers that are harder to trace than conventional numbers.

It is not surprising that phishers have turned their attention to VoIP connections, Ron O'Brien, security analyst with Sophos , told TechNewsWorld. "We do consider it an emerging threat," he said.

"Anytime you have an open port, you have a vulnerability -- and there will always be someone willing to try to capitalize on that vulnerability."

Same Pattern

While the this particular type of attack may be novel at the moment, O'Brien said other scam artists with a technical bent are likely to follow suit.

"These things tend to follow the same pattern," he noted. "One or two people try it out, meet with reasonable success, and then it eventually becomes another way for criminals to generate revenue."

Consumers have to learn to think of all electronic peripherals as potentially vulnerable -- if not from phishers, then from hackers intent on stealing data they could not otherwise trick a user into revealing, O'Brien cautioned.

This wariness is necessary "especially at the end point," he said. "There are a number of devices that link with PCs, and it is essential to protect those vulnerable areas."

Over the last few years, proof of concept viruses and other malware have specifically targeted mobile phones and other handheld devices via instant messaging systems. Now VoIP joins the list of compromised channels.