Symantec Intelligence

Beware of the Vishers

Created: 10 Jul 2011
Paul Wood

As with many exciting trends we observe in the technology industry - designed as a force for good, to enable, enhance and empower - there are criminals on the other side of the fence looking to hijack, undermine and exploit the new capabilities for their own nefarious purposes. The subject of today's post - VoIP telephony - is an excellent example of how even a genuinely transformative technology can quickly lose its innocence. Sunday 10th July represents the five year anniversary of a new word in the security commentator's vocabulary, as the first 'vish' - a phish using VoIP telephony - was reported by a number of concerned consumers. Vishing uses techniques that are essentially similar to phishing, the act of acquiring sensitive information via electronic communication whilst posing as a trusted entity. A vish takes place over the telephone, using call spoofing, and tricks a user into disclosing personal information such as credit card numbers or a three-digit security code.

When Symantec first started to observe the trend, vishing was largely a case of a cybercriminal contacting an end user, posing as a bank and running through a series of security questions - your mum's maiden name, or the name of your first pet - before procuring highly sensitive information that, in tandem with social engineering, could be utilised to compromise an online bank account and steal thousands of pounds. Since then the trend has become even more sophisticated. Better education from the banking sector has meant consumers are more cautious when it comes to their bank. Scammers have responded by taking a new tack, specifically contacting victims and pretending to be operators at a support centre for large software vendors. The fraudster tells the target that they are in urgent need of some software or an update, charges them a sum of money and downloads a malicious application onto their computer.

In January this year, at the 5th Council of Europe Data Protection Day, Data Protection Commissioner Billy Hawkes took the opportunity to warn about a scam in the Irish marketplace, in which consumers received calls from fraudsters posing as Microsoft technical support. The caller told the target their computer had a problem, gained their trust, then directed them to a website and instructed them to download a file to solve the problem. Afterwards, the scammer requested credit card details to pay for the software, allowing them both to steal from the victim and to download malicious code onto their machine. Last month, Microsoft released a survey of 7,000 computer users in the UK, Ireland, US and Canada, finding that 15 per cent of people had been contacted by fraudsters in this way.

Five years on from the first vish, and there is tremendous potential for vishing to continue to develop. With more people connected to the internet than ever, and a growing uptake in VoIP services by consumers in particular, the opportunity for cybercriminals to prey on inexperienced users is significant. Despite much education and publicity around phishing, it is still a multi-billion dollar business. Vishing is arguably even more tempting for a user, as it preys on people's inherent trust in a voice on the other end of the phone.

For end users, the best way to guard against falling victim to a vishing attack is similar to that for any kind of cybercrime. Stay alert, and question the credentials of anyone who requests not only sensitive information but also access to your personal or business device. No trustworthy organisation should approach you in such a personal way, and your default position should always be 'no', unless you have assurances from your IT department. It sounds simple, but the reality is that very few of us are immune to being tricked by a convincing voice.