Researchers at PhishLabs have uncovered a spate of vishing attacks (Voice over IP phishing) have been stealing payment card data from customers of U.S. banks.
According to the firm, an attack last week was detected targeting customers of a midsized bank. In the attack, customers received SMS text messages claiming their debit card was deactivated and requesting the customers provide the card and PIN numbers to reactivate it.
“PhishLabs investigated the attack and uncovered a cache of stolen payment card data belonging to customers of dozens of financial institutions,” blogged CEO John LaCour. “Based on analysis of the recovered cache, we estimate the vishing crew responsible for the attack has stolen the data of 250 cards per day in this vishing campaign. Further investigation also indicated that one of the phone numbers used in the campaign has likely been used in vishing attacks since October of 2013.”
With a typical withdrawal limit of $300 per day on ATM cards, as much as $75,000 could have been lost each day of the attack.
While not as widespread as online phishing attacks, vishing schemes are often run by professional crews, LaCour explained. After stealing card data, the crews typically sell the information or give it to cash-out crews who either encode the data onto new cards or use it for online shopping.
The operations typically follow a similar process. First, vishers find and compromise vulnerable servers and install IVR (Interactive Voice Response) software. Then they locate a vulnerable VoIP server and hijack the DID (Direct Inward Dialing) function. The next step is to assign a hacked phone number to their IVR system and use free text-to-speech tools to generate recordings and load them into the IVR system.
Afterwards, the attackers send out spam texts containing the hacked phone number to thousands of phone numbers using email-to-SMS gateways. The compromised VoIP server directs incoming calls to the IVR system, where victims are prompted for card data and their PIN. Any data entered is saved and stored locally or sent to a drop site for retrieval, LaCour explained.
“Based on our investigation, we believe this vishing campaign is being carried out by an eastern European vishing crew,” he blogged.
LaCour told SecurityWeek the attackers seem to have been at this for a while, and are estimated to have gone after at least 50 banks during the last three years.
In his blog post, LaCour recommended among other things that organizations make sure CVV1/CVC1 is encoded on cards and validated by their card processor and that they use a caller ID telephone number that matches the number on the bark of the card when calling customers. He also advised mobile carriers to use strong anti-spam controls for email-to-SMS gateways.
*This story was updated with additional commentary.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
