Vishing Fraud - live example
I receive all kinds of exciting spam, as do most people. The phishing emails are a dime a dozen… but today was interesting. I received my first Vishing attempt. Even more interesting, it was a Vishing/Phishing hybrid.
What’s Vishing? Wikipedia has a decent definition page - http://en.wikipedia.org/wiki/Vishing
In summary - “Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of “voice” and phishing. Vishing exploits the public’s trust in landline telephone services, which have traditionally terminated in physical locations which are known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP allows for caller ID spoofing, inexpensive, complex automated systems and anonymity for the bill-payer. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.”
The phone number in the email below is most likely an Asterisk (http://www.asterisk.org/) system designed to receive phone calls via VoIP. When you call it, a synthesized voice asks for your card number, 4-digit PIN, and expiration date. This is a slick scam, but not that slick - if it were, they would have also asked for the CVV2 code and asked the owner to record their name and address. They also have something to learn about forging email headers. “decuritydepartment.com” isn’t very believable, but I’m sure some poor soul will fall for this scam. They also didn’t do any kind of validation checking on the card. I called the system, and 1111111111111111 worked just fine, even though the Bank ID Numbers for MasterCard issuers all start with numbers in the range of 51-55.
Still - the bad guys are getting better at their craft, and as I mentioned, some poor souls are bound to fall for it.
The scam email follows:
Dear MasterCard customer,
We regret to inform you that we have received numerous fraudulent emails which ask for personal
account information. The emails contained links to fraudulent pages that looked legit.
Please remember that we will never ask for personal account information via email or web pages.
Because of this we are launching a new security system to make MasterCard accounts more secure
and safe. To take advatage of our new consumer Identity Theft Protection Program we had to
deactivate access to your card account.
To activate it please call us immediately at (641) 665-6048
Activation is free of charge and will take place as soon as you finish the activation process.
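For mail filtering, the traits this message combines (a callback number instead of a link, a brand name that does not match the sending domain, and an urgent account action) can be checked mechanically. The following is an added example, not part of the original post: the function and indicator names, the "security@" local part of the sender, the benign comparison message, and the use of mastercard.com as the brand's legitimate domain are assumptions made for illustration.

```python
import re

# NANP-style numbers such as "(641) 665-6048" or "641-665-6048".
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.I)
URGENCY_RE = re.compile(r"\b(deactivat\w*|immediately|suspend\w*)\b")

# Body copied from the scam email on this page; the sender's local part is constructed.
SCAM_SENDER = "security@decuritydepartment.com"
SCAM_BODY = """Dear MasterCard customer,
We regret to inform you that we have received numerous fraudulent emails which ask for personal
account information. The emails contained links to fraudulent pages that looked legit.
Please remember that we will never ask for personal account information via email or web pages.
Because of this we are launching a new security system to make MasterCard accounts more secure
and safe. To take advatage of our new consumer Identity Theft Protection Program we had to
deactivate access to your card account.
To activate it please call us immediately at (641) 665-6048
Activation is free of charge and will take place as soon as you finish the activation process.
"""
# Constructed benign message for comparison (555-01xx is a reserved fictional range).
BENIGN_SENDER = "news@mastercard.com"
BENIGN_BODY = ("Your MasterCard statement is ready. View it at "
               "https://www.mastercard.com/ or call 800-555-0100 with questions.")
BRANDS = {"MasterCard": ["mastercard.com"]}  # assumed legitimate sending domains


def callback_phish_indicators(sender, body, brands):
    """Return sorted indicator names for a phone-callback (vishing) lure."""
    found = set()
    text = body.lower()
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    has_phone = bool(PHONE_RE.search(body))
    if has_phone:
        found.add("callback_number")
        if not URL_RE.search(body):
            found.add("phone_only_lure")  # nothing for a URL filter to inspect
        if URGENCY_RE.search(text):
            found.add("urgent_account_action")
    for brand, legit in brands.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in legit)
        if brand.lower() in text and not trusted:
            found.add("brand_sender_mismatch")
    return sorted(found)


if __name__ == "__main__":
    print(callback_phish_indicators(SCAM_SENDER, SCAM_BODY, BRANDS))
    print(callback_phish_indicators(BENIGN_SENDER, BENIGN_BODY, BRANDS))
```

A phone number on its own is common in legitimate mail, so a filter would act on the combination of indicators rather than on any single one.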