A recent VoIP-based phishing campaign has been netting the payment card information of up to 250 Americans per day.
Voice over IP phishing, or vishing, is a form of phishing that relies on tricking users into giving up their payment card information after they receive phone calls or SMS messages – purporting to come from their banks – instructing them to do so.
Security firm PhishLabs unveiled research on the wave of attacks on its blog today and said it stumbled upon a “cache of stolen payment card data belonging to customers of dozens of financial institutions” upon investigating the campaign.
The firm speculates that an Eastern European crew is carrying out the spree of attacks by using email-to-SMS gateways to send messages informing victims that their debit card has been deactivated.
More than 50 medium-sized banks have been targeted by campaigns over the last several years.
In the attack, users are sent a message that their ATM card has been deactivated. The users are prompted to call a phone number to reactivate the card by entering their card number and their PIN – data that of course is stored, then later accessed by the criminals to be used in cash-out schemes.
John LaCour, the South Carolina-based group’s founder and CEO, pointed out that the operation could be proving costly for users and banks alike.
“Each stolen payment card can result in hundreds of dollars in fraud losses and card replacement losses,” LaCour wrote Tuesday.
As the blog post notes, if it’s assumed withdrawal limits on ATM cards are around $300 per day, that’s about $75,000 per day that the attackers could be siphoning from unsuspecting users’ bank accounts.
Data on this specific vishing attack is slim, but PhishLabs researchers claim that one of the phone numbers used in the campaign has been in use for more than six months and dates back to October 2013.
On the whole, the technique has been around for years though.
“It appears that these vishers have been active for several years,” LaCour said Tuesday. “They target a specific bank or credit union for a few days and then move on to another target.”
The blog entry does a good job recapping exactly how vishing scams work: The attackers compromise servers to install interactive voice response (IVR) software. Then the attackers hack a VoIP server and its direct inward dialing (DID) function and rig it to send spam texts that direct victims to a hijacked phone number, where the IVR system records the card details they enter.
A similar streak of attacks plagued Skype users a few years back. In that campaign users received a handful of calls from unknown numbers and heard pre-recorded messages informing them their machines were infected with a “fatal virus.” Users who took the bait were directed to a URL to get “disinfected” – which, quite ironically, wound up deploying malware on their computers.