
Vishing, Skype, and VoIP-Based Fraud

Published: 2007-10-10
Last Updated: 2007-10-10 17:56:47 UTC
by Lenny Zeltser (Version: 2)
0 comment(s)

The spring of 2005 brought us early reports of phishing activities conducted over the phone, rather than email. The victims received phone calls from a 727 number, with the caller asking for personal information regarding a student loan or a banking account. A year later we observed activities that involved automated VoIP systems, rather than humans speaking to the victims. WebSense referred to the practice as "vishing" when describing one such attack, and provided a recording of the attacker's VoIP system in action.

That was the last we heard of such activities. Where have all the vishers gone? People tend to trust the phone more than they trust email, so I was expecting VoIP phishing to grow in popularity for targeted, high-payoff scams. Perhaps traditional phishing has been so effective that the attackers saw no need to invest in VoIP phishing schemes?

[Update: I came across a VoIP phishing attack dated to March 2007. According to News Tribune, about 1,000 people received a recorded phone message that "sought customer information and claimed to be from 'Central Trust Bank'- a name Central Bank does not go by - and, in fact, showed Central Bank's customer service line on caller ID systems." ISC reader Horatiu pointed out a similar phone scam that pursued Flagstar Bank customers in September 2007. The victims were given a free number to call, and asked to provide their account number and PIN for an account that was, supposedly, reactivated.]

I was reminded of VoIP's role in fraud after seeing a report last month of phishing activities that targeted Skype users. This was a traditional, email-based phishing attack, but its goal was to hijack Skype accounts, which are capable of VoIP and other communications. What for?

It turns out that Skype phishers have been quite active in recent months.

The earliest report of the Skype scam mentioned above dates to May 2007. Another instance dates to June 2007. The most recent report I found dates to September 2007. The text of the message did not change over that period, typo included: "your skype account informations needs to be updated." I suppose the original message was sufficiently effective, and the attacker saw no need to tweak it. The destinations of the links embedded in the messages kept changing, probably because the phishing sites were being taken down. The fraudulent websites presented the victims with a logon page that closely resembled that of the real Skype website, according to a screen shot captured by one of the messages' recipients. One of the victims didn't realize he had been scammed until it was too late: he got locked out of his own Skype account.

Another phishing campaign for Skype accounts was seen in July 2007. Its messages began with the phrase "We have to notice that your account is suspended because Skype major Terms are being changed" and pointed the victims to a Skype copycat website that looked like the real thing.
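The two campaigns described above share a pattern worth detecting: the lure text stays fixed while the link destination rotates. The script below is an added example, not part of this diary or of any ISC tooling. It fingerprints each message body with every URL replaced by a placeholder, so that messages from one campaign collapse into a single template regardless of where the link points, and it flags any message that mentions the impersonated brand but links somewhere other than the brand's own domain. The sample messages are constructed; the lure sentences are the ones quoted in the diary, and the link hosts use the reserved `.invalid` top-level domain rather than any real site. The assumption that genuine Skype mail links only to `skype.com` is mine, not the diary's.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the impersonated brand and the only domain its genuine mail links to.
BRAND = "skype"
LEGIT_DOMAINS = ("skype.com",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages. Lure sentences are quoted from the diary; the
# link hosts are placeholders under the reserved .invalid TLD, not real sites.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "date": "2007-05",
     "body": "Dear user, your skype account informations needs to be updated. "
             "Click here: http://login.phish-one.invalid/skype/update"},
    {"id": "msg-2", "date": "2007-06",
     "body": "Dear user, your skype account informations needs to be updated. "
             "Click here: http://secure.phish-two.invalid/login"},
    {"id": "msg-3", "date": "2007-09",
     "body": "Dear user, your skype account informations needs to be updated. "
             "Click here: http://account.phish-three.invalid/verify"},
    {"id": "msg-4", "date": "2007-07",
     "body": "We have to notice that your account is suspended because Skype major "
             "Terms are being changed. Visit http://www.phish-four.invalid/skype"},
    {"id": "msg-5", "date": "2007-08",
     "body": "Your Skype receipt is ready. See https://www.skype.com/en/"},
]


def extract_hosts(body):
    """Return the lowercase hostnames of every URL in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")          # drop trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def is_legit_host(host):
    """True for an allowed domain or one of its subdomains; 'notskype.com' fails."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def template_fingerprint(body):
    """Hash the body with URLs replaced by a token, so link rotation is ignored."""
    normalized = URL_RE.sub("<URL>", body)
    normalized = re.sub(r"\s+", " ", normalized).strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def analyze(messages):
    """Return (suspicious_ids, campaigns).

    suspicious_ids: messages that mention the brand yet link off-brand.
    campaigns: template fingerprint -> sorted distinct off-brand hosts, which
    shows how many landing sites one unchanged lure has pointed at.
    """
    suspicious = []
    campaigns = defaultdict(set)
    for msg in messages:
        body = msg["body"]
        if BRAND not in body.lower():
            continue                        # not impersonating the brand; out of scope
        bad_hosts = [h for h in extract_hosts(body) if not is_legit_host(h)]
        if bad_hosts:
            suspicious.append(msg["id"])
            campaigns[template_fingerprint(body)].update(bad_hosts)
    return suspicious, {fp: sorted(hosts) for fp, hosts in campaigns.items()}


if __name__ == "__main__":
    flagged, by_template = analyze(SAMPLE_MESSAGES)
    print("flagged:", flagged)
    for fp, hosts in by_template.items():
        print(f"template {fp}: {len(hosts)} distinct landing hosts -> {hosts}")
```

The template fingerprint is the useful part for a mail defender: blocking individual hosts lags behind the attacker, who only has to register the next site, whereas the unchanged lure text identifies the whole campaign. The brand-mention check keeps the rule from firing on every message that happens to contain an external link.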

In April and May 2007 there were reports of Skype phishing websites written in Simplified Chinese at domains such as, according to one of the reports I found on Skype forums. CISRT translated the fraudulent site, explaining that the site lured its victims with a promise of a prize.

So Skype accounts are being phished. Why? ISC handlers and I had a lively discussion on the topic. The consensus was that email fraud can be significantly enhanced, from the scammers' perspective, with the addition of voice:

According to the Internet Crime Complaint Center (IC3), "Internet auction fraud was by far the most reported offense, comprising 44.9% of referred complaints." Email was the most popular mechanism by which the fraudulent contact took place. The scammers may be looking to enhance their ability to defraud auction participants with voice communications, particularly for high-payoff deals. (Remember the synergies between auctions and voice that eBay touted when acquiring Skype for $2.6 billion? It's a bit like that.)

The IC3 report describes an investigation into a Romanian crime ring that targeted eBay users, often by contacting the individuals who lost an auction with a "second chance" offer. "Victims then wired money [to] one of the defendants who posed as the seller or the seller's agent." Providing a US-based phone number to the victim would add an air of legitimacy to the transaction; a hijacked Skype account can help with this.

Skype offers a level of anonymity that a regular phone line doesn't, making it particularly difficult to trace the origin of a call. Perhaps it's not surprising that at least one report, from August 2007, describes a Nigerian-style scam in which the victim was urged to contact the scammer via Skype: "I am Naushad Asif Kermalli, a Banker here in U. A. E. I believe it is the wish of God for me to come across you on Skype now." Quite likely, the scammer was using a hijacked Skype account.

Furthermore, let's not forget that Skype offers powerful IM functionality, in addition to voice. Attackers may use hijacked Skype accounts for spamming victims via chat messages. This may be particularly useful for seeding automated infection campaigns, such as the Skype worm that was reported in April 2007.

Finally, a hijacked Skype account may have resale value, not only to someone conducting the fraudulent activities described above, but also to someone interested in making free phone calls. Strangely, we have come full circle, fusing phishing with phreaking, the term from which "phishing" probably derived its name.

What are your thoughts on the Skype phishing activities outlined above? Let us know.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.
