Business VoIP Providers Must Stay Vigilant Against Vishing Attacks

VoIP has become so ubiquitous a solution that even banks are beginning to use it. But there are criminals to match every new technology out there, and VoIP has not been an exception.

Over the past several years, hackers located somewhere in Eastern Europe have reportedly been targeting dozens of U.S. banks in an elaborate phishing scheme to capture payment card data from victims.

PhishLabs, a Charleston, S.C.-based cyber crime prevention firm, first discovered the widespread hacking when it unearthed a cache of stolen payment card data. Initially, the firm believed that the cyber attackers were stealing the data of roughly 250 cards per day through “vishing,” or voice phishing, a method by which hackers snag individuals’ information using loopholes in VoIP technology.

But in an interview with SCMagazine.com on Tuesday, PhishLabs CEO John LaCour amended that count, saying that it is likely closer to 400 cards being stolen per day.

According to LaCour, the criminals behind this outbreak have been using email-to-SMS gateways to pose as legitimate financial institutions, sending spam text messages to bank customers. Typical of spam messages, these involve a call to action, asking recipients to call their banks to reactivate their payment cards.

However, when victims call the number, they are connected to an interactive voice response (IVR) system set up by the hackers, which requests their card number and PIN. It appears that the criminal gang has used these numbers to make online and phone purchases, as well as to withdraw cash from ATMs using counterfeit cards. PhishLabs estimates that around $120,000 is being stolen daily in ATM cash-outs alone under the scheme.

An easy way to avoid such scams is to check the bank number provided in the (potentially spam) message against the number provided on the bank’s website. Unfortunately, many still seem to be duped by this simple ruse.

“It's still ongoing,” said LaCour, “and they've changed banks in the past 24 hours. The previous bank may have fixed the security issue, or [attackers] may feel like they've gotten all the cards they can. It’s common for these attackers to target a bank for a few days and then move to another.”

For business VoIP providers, this attack has been an important reminder to stay vigilant with VoIP security. In addition to the added security measures banks must take, PhishLabs recommends that mobile service providers also aid in prevention by employing strong anti-spam measures for email-to-SMS gateways.
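The number check described above can also be automated at an email-to-SMS gateway. The sketch below is an added example, not code from PhishLabs or the original article. The bank name, the phone numbers, the keyword list and the `classify` function are all constructed assumptions.

```python
import re

# Constructed allowlist: numbers a bank publishes on its own website (hypothetical values).
OFFICIAL_NUMBERS = {"example bank": {"+18005550100"}}

# Call-to-action wording of the kind the article describes (assumed keyword list).
CTA = re.compile(r"\b(reactivate|re-activate|suspended|deactivated|locked)\b", re.I)
# North American numbers in common written forms: 803-555-0123, (803) 555-0123, 1-800-...
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def normalize(number):
    """Reduce a written phone number to +1XXXXXXXXXX form for comparison."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits

def callback_numbers(text):
    """Return every phone number found in the message, normalized."""
    return {normalize(m.group(0)) for m in PHONE.finditer(text)}

def classify(text):
    """Return 'block', 'review' or 'pass' for one gateway message."""
    lowered = text.lower()
    claimed = [bank for bank in OFFICIAL_NUMBERS if bank in lowered]
    # A number is unknown unless a bank named in the message publishes it.
    unknown = {n for n in callback_numbers(text)
               if not any(n in OFFICIAL_NUMBERS[bank] for bank in claimed)}
    if not (unknown and CTA.search(text)):
        return "pass"
    # Naming a known bank while giving a number it does not publish is the
    # pattern from the article; without a bank name, send to manual review.
    return "block" if claimed else "review"

# Constructed sample messages, not taken from the reported campaign.
SAMPLES = [
    "Example Bank alert: your card is deactivated. Call 803-555-0123 to reactivate.",
    "Example Bank: call 1-800-555-0100 to reactivate your card.",
    "Your card is locked. Call (803) 555-0123 now.",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(classify(message), "|", message)
```

A gateway operator would load the allowlist from the numbers each institution publishes and route "review" results to an analyst rather than dropping them.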