
SANS ISC: InfoSec Handlers Diary Blog


Scammers may use recorded snippets during voice phishing

Published: 2008-08-29
Last Updated: 2008-08-29 23:40:14 UTC
by Lenny Zeltser (Version: 1)

The vishing (voice phishing) incident described in an earlier diary seemed to use a rudimentary voice synthesizer to request information from the caller. An ISC reader noted that in more sophisticated attacks, scammers employ "sampling"--recorded snippets of actual calls to sound more legitimate.

He submitted the following outline of the call he received the other day:

"XXX Bank values your business, please hold for next representative."

Hold music plays...

"Call being transferred to automated information system."

The above seemed to be recorded sound files from an actual call to the bank, as this is exactly what you would hear if you called the bank and chose to use their automated system.

"You have been selected to receive a special offer from XXX Bank. For a limited time you can receive 0% interest for 6 months on existing balances on your XXX Bank card. You can apply over the phone or online at www dot XXX Bank dot com. Press 1 to apply now."

You press 1 (or any number).

"To apply for the offer please enter your credit card now" (Computer-generated voice.)

You enter the card number.

"Please enter your PIN number now."

You enter the PIN.

"Thank you, processing account information now."  (Again, a recorded snippet from the real bank's voice system.)

"Your request has been processed and will appear on your next account statement, goodbye." (WAV file sampled from the bank's real voice mail system.)

The ISC reader pointed out that this call highlights the following evolution in the scammers' tactics:

  • They had put effort into sampling real voice prompts from the bank's automated phone system.
  • They gave out the bank's real web address, presumably to give an air of legitimacy to the call. 

Thanks, ISC reader!

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.
