[funsec] Vishing (voice/phone phishing) - public incident
Dr. Neal Krawetz
hf at hackerfactor.com
Sat Jun 24 13:02:48 CDT 2006
I've received similar automated phone calls over the last month.
(An unsolicited phone call, not a spam email.)
Each time the automated system says that there was a problem with my
Press 1 to re-submit my account credentials.
Press 2 to review my account information.
Press 3 to request more information about my account.
The big problems:
- No caller ID.
- No identification (they do not even pretend to be a bank).
- No mention of who they are calling.
- No option to talk to a human.
- In the first call, there was one pregnant pause during a word in
option #3 -- likely VoIP.
- (Forget the fact that they are in violation of the No-Call law...)
- Oh, and I haven't tried to set up any accounts. (Duh!)
A few coworkers have received similar calls. They're probably calling
everyone in the area code (or region).
The voice quality was better than the Websense WAV file. (Likely a
different automated system.) It reminded me more of the T-Mobile
automated woman -- even had the slight southern accent.
I've got my phone set to record it next time. It's phun!
Neal Krawetz, Ph.D.
Hacker Factor Solutions
Author of "Introduction to Network Security" (Charles River Media, 2006)
On Fri Jun 23 11:09:28 2006, Gadi Evron wrote:
> Last year some of us made jokes about Vishing on funsec, today it's a
> reality. Here is the incident going public:
> Special thanks to the good guys at Websense and the PIRT guys at
> CastleCOPS PIRT.
> I guess jokes about Vishing with a heavy Russian accent were good, too bad
> this wave file doesn't have that accent. :)
> The attacked party is Santa Barbara Bank & Trust. I suppose the IRS will
> also take interest in this.