AUTHOR

CONTRIBUTORS

  • Linda Umolu
  • Olusola Oyewola

Thursday, July 20, 2006

VoIP Phishing Scams on the rise


When security experts first learned of Voice-over-IP phishing, or vishing, they all but expected that the voice on the other end would have an Eastern European accent (a majority of phishing scams are linked back to Eastern European countries). It should be no surprise to see how the latest vishing scam was created.

One of the more recent vishing e-mails targeted Santa Barbara Bank & Trust Inc. The e-mail suggests you call a phone number in area code 805 (an area code for the Santa Barbara area). Security firm Websense made a recording of the phone call so we can analyze the attack.

When listening to the recording, people who have spent any time with Asterisk will recognize how the vishing scam was created. Because of its ease of use and incredible functionality, Asterisk is a natural choice to create this type of attack. (You cannot expect a criminal to invest in a high-cost PBX from Avaya or Cisco.) Using Asterisk, you can create a fully functional PBX using a $10 PC.

The reason there is no Eastern European voice on the other end is that the scam creator probably used Festival, a speech synthesis module available with Asterisk. While major corporations use professionally recorded announcements, this visher instructed his computer to say "Welcome to account verification." That's why the voice sounds computer generated - it is. At least the visher does not have to worry about anyone recognizing his voice.

You would expect that such a poor duplication of an automated phone system would not fool anyone. While there are no statistics on this incident, we can assume people entered their information. In fact, banks encourage you to call and authenticate information, so although this is a very basic call and recorded response, it follows accepted banking practice in its operation.

By no means does this example harness the true power of Asterisk or the potential to gain valuable information from unsuspecting people. Future attacks will only get more sophisticated and will use menu systems and professional-quality recorded voices that better mimic real bank systems.
