Researchers at PhishLabs have uncovered a spate of vishing attacks (Voice over IP phishing) have been stealing payment card data from customers of U.S. banks.
According to the firm, an attack last week was detected targeting customers of a midsized bank. In the attack, customers received SMS text messages claiming their debit card was deactivated and requesting the customers provide the card and PIN numbers to reactivate it.
“PhishLabs investigated the attack and uncovered a cache of stolen payment card data belonging to customers of dozens of financial institutions,” blogged CEO John LaCour. “Based on analysis of the recovered cache, we estimate the vishing crew responsible for the attack has stolen the data of 250 cards per day in this vishing campaign. Further investigation also indicated that one of the phone numbers used in the campaign has likely been used in vishing attacks since October of 2013.”
With a typical withdrawal limit of $300 per day on ATM cards, as much as $75,000 could have been lost each day of the attack.
While not as widespread as online phishing attacks, vishing schemes are often run by professional crews, LaCour explained. After stealing card data, the crews typically sell the information or give it to cash-out crews who either encode the data onto new cards or use it for online shopping.
The operations typically follow a similar process. First, vishers find and compromise vulnerable servers and install IVR (Interactive Voice Response) software. Then they locate a vulnerable VoIP server and hijack the DID (Direct Inward Dialing) function. The next step is to assign a hacked phone number to their IVR system and use free text-to-speech tools to generate recordings and load them into the IVR system.
Afterwards, the attackers send out spam texts containing the hacked phone number to thousands of phone numbers using email-to-SMS gateways. The compromised VoIP server directs incoming calls to the IVR system, where victims are prompted for card data and their PIN. Any data entered is saved and stored locally or sent to a drop site for retrieval, LaCour explained.
“Based on our investigation, we believe this vishing campaign is being carried out by an eastern European vishing crew,” he blogged.
LaCour told SecurityWeek the attackers seem to have been at this for a while, and are estimated to have gone after at least 50 banks during the last three years.
In his blog post, LaCour recommended among other things that organizations make sure CVV1/CVC1 is encoded on cards and validated by their card processor and that they use a caller ID telephone number that matches the number on the bark of the card when calling customers. He also advised mobile carriers to use strong anti-spam controls for email-to-SMS gateways.
*This story was updated with additional commentary.
