The email quoted at the very beginning of the chapter was first discovered on June 23, 2006, by security researchers from the Websense and Castlecops security teams (http://www.websense.com/securitylabs/alerts/alert.php?AlertID=534). By all accounts, the email looks legitimate and non-phishy because it does not try to entice the user into clicking an obfuscated link or visiting a dubious website. However, when calling the phone number the following recording is played:
"Welcome to account verification. Please type your 16-digit card number." (You can hear the recording at http://www.websense.com/securitylabs/images/alerts/june_vishing.wav.)
This email was, in fact, a malicious targeted attack involving an interactive voice response (IVR) system that was set up by an attacker trying to glean victims' account numbers. It was widely speculated that the phone number used in the emails was set up with a stolen identity (in other words, stolen credit cards) through a VoIP provider. Setting up a fake answering system in the VoIP world is a lot easier because a hacker is not limited by physical boundaries in the area code(s) he can assign to his fake IVR. As you'll see later in the chapter, purchasing an 800 number online and routing all incoming calls to a VoIP system is pretty simple.
The aforementioned email was actually one of the first documented cases of voice phishing or vishing. Voice phishing involves an attacker setting up a fake IVR (instead of setting up a fake website) to trick victims into entering sensitive information such as account numbers, pin numbers, Social Security numbers, or generally any authentication info that is used to verify your identity. As you might remember from our eavesdropping examples in Chapter 5, the DTMF tones that the attacker records can be easily replayed and decoded at a later time.
Voice phishing relies on the effective gullibility of a victim trusting a phone number much more than an email link. Also, for a fraction of the cost, an attacker can set up the IVR through a VoIP provider that is harder to trace than a compromised web server. Also, the nature of VoIP makes this type of attack even more feasible since most VoIP services grant their customers an unlimited number of calls for a monthly fee.
Two weeks later on July 7, 2006, another variant of this technique was discovered by the anti-virus security firm Sophos. As you can see in Figure 15-2, this time the email purported to be from PayPal and again enticed the recipient to call a phone number that was manned by a malicious IVR system.
We are certainly witnessing the early growth curve of this emerging threat. By the time you read this chapter, there will most likely be many more variants and reported cases of voice phishing. It is important to emphasize that voice phishing is not a VoIP-specific threat, but rather the evolution of the same social threats that have followed us throughout telecommunications history: bulk faxes, telemarketing, phone confidence scams, email phishing, instant messaging SPAM, and so on.
Carrying out a voice phishing attack is easier than you think. Jay Schulman gave a compelling VoIP phishing presentation at the Black Hat Briefings in Las Vegas on August 2, 2006 (http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#us-2006). In his presentation, he demonstrated a proof of concept VoIP phishing attack with an IVR constructed wholly from open source tools. At the simplest level, the two main components to the attack he demonstrated included:
An inbound 800 VoIP provider to receive calls
A PBX software and voicemail system
In order to sign up for an 800 number, Schulman used the VoIP Provider sixTel (http://www.iax.cc), which sells 800 numbers (see Figure 15-3).
Through the administrative interface at sixTel, an option is available to route all incoming calls through IAX to an Asterisk server.
Trixbox (formerly named Asterisk@Home) was used to install the PBX software and voicemail system onto a dedicated computer. Trixbox is a self-contained ISO image that includes all of the pieces needed to get started and then some:
Asterisk, the core PBX
Sugar, a CRM system
A2Billing, a calling card platform
Flash Operator Panel, a screen-based operator's console
Web Meet Me Control, a meet-me conferencing control application
freePBX, a web-based provisioning tool for Asterisk
A report system, the part of freePBX that provides CDR reporting tools
A maintenance system, also part of Trixbox, which provides low-level interfaces to some components and real-time system information
CentOS, a version of Linux that is very similar to Fedora
With one CD, anyone can use Trixbox to have a PBX/IVR system up and running within an hour. All that is required is to simply burn the Trixbox ISO image onto a CD, boot the dedicated computer from the CD, and select a full installation, which will create a standalone VoIP PBX automatically with all of the components listed previously running on your hard drive. In a typical voice phishing attack, a remotely compromised machine would most likely be used to install these components individually.
Once the system reboots, the attacker can log in to the administrative web console and start tweaking things a little further, as shown in Figure 15-4.
Next, he needs to connect the Asterisk system to the newly registered 800 service by adding a trunk through the web console. Finally, in order to use his own recorded sounds that are copied from the legitimate IVR site he's trying to mimic, he can copy .wav files into the directory /var/lib/asterisk/sounds. The last step involves building a customized response menu system, called [custom-phish], for the incoming caller in /etc/asterisk/extensions.conf, and then applying it through the Trixbox console.
The IVR system should now be set up for anyone to call the 800 number, hear the recordings, and leave messages.
Now that the attacker has successfully set up his malicious IVR system, he needs to spread the word to potential victims. The call to action will typically be some catastrophic event that the user is encouraged to avoid by calling in (for example, their account has expired, their password has been compromised, and so on). The victims that the attacker needs to target still have to fulfill the following criteria:
They are customers of the phisher's targeted brand of choice.
They are gullible enough to trust that the number in the email is the actual customer service number to their financial institution.
They respond and call the number immediately to take care of the catastrophic event before the malicious VoIP IP address is taken offline.
Traditional phishing email attacks are typically sent to tens of thousands of email addresses, with an average click-through rate of two to five percent. The criminals currently launching traditional phishing attacks have a variety of email spamming tools at their disposal. There is no doubt that these criminal groups are the same ones beginning to dabble in voice phishing as well.
Beyond the traditional email "come on" vector for enticing victims, SPIT, as you learned in the last chapter, can also be used effectively. As we discussed in Chapter 14, SPIT can involve leaving prerecorded, official-sounding voicemails for thousands of people that encourage them to call a number for more information. The following list of messages might be hard for even the most wary of consumers to resist:
"Hi, this is Bill Stevens from American Express, please call us immediately at 1-800-XXX-XXXX to discuss possible fraud with your credit card."
"Hello, this message is in regards to your phone bill, which is currently in default of payment. Please call us at 800-XXX-XXXX in order to prevent your service from being interrupted."
"This is a message regarding your Internet service. It seems your account is in danger of being shut down due to excessive downloading of illegal online music. To speak to a customer service representative, please call back during normal business hours at 800-XXX-XXXX."
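The lures above share a recognizable shape: a toll-free number, urgency wording, an instruction to call, and financial vocabulary. The following heuristic scorer for email bodies or voicemail transcripts is an added example for the defending side, not code from the book; the keyword lists, the scoring weights and the sample messages (with placeholder 800-555 numbers) are all constructed assumptions.

```python
import re

# Toll-free North American numbers in the forms vishing lures use:
# 1-800-555-0100, 800.555.0100, (888) 555 0100, ...
TOLL_FREE_RE = re.compile(
    r"(?<!\d)(?:1[-. ]?)?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
URGENCY = ("immediately", "fraud", "default of payment", "interrupted",
           "shut down", "suspended", "expired", "compromised", "verify")
FINANCIAL = ("account", "credit card", "card number", "bill", "bank",
             "social security", "pin")

def _hits(words, body):
    """Whole-word matches, so 'pin' does not fire on 'shipping'."""
    return [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", body)]

def score_vishing_lure(text, threshold=3):
    """Heuristic scorer for phone-based (vishing) lures. A toll-free number is
    required; urgency wording, a 'call' instruction just before the number and
    financial vocabulary each add to the score. Returns a verdict dict."""
    body = text.lower()
    matches = list(TOLL_FREE_RE.finditer(body))
    if not matches:
        return {"flagged": False, "score": 0, "numbers": [], "reasons": ["no toll-free number"]}
    score, reasons = 1, ["toll-free number present"]
    urgent = _hits(URGENCY, body)
    if urgent:
        score += min(len(urgent), 2)   # cap so a wordy lure cannot dominate the score
        reasons.append("urgency: " + ", ".join(urgent))
    window = body[max(0, matches[0].start() - 60):matches[0].start()]
    if "call" in window:               # call-to-action right before the number
        score += 1
        reasons.append("call-to-action precedes number")
    money = _hits(FINANCIAL, body)
    if money:
        score += 1
        reasons.append("financial terms: " + ", ".join(money))
    return {"flagged": score >= threshold, "score": score,
            "numbers": [m.group(0) for m in matches], "reasons": reasons}

# Constructed samples modelled on the chapter's lures; the numbers are placeholders
SAMPLES = {
    "amex": "Hi, this is Bill Stevens from American Express, please call us "
            "immediately at 1-800-555-0100 to discuss possible fraud with your credit card.",
    "phonebill": "Hello, this message is in regards to your phone bill, which is "
                 "currently in default of payment. Please call us at 800-555-0101 "
                 "in order to prevent your service from being interrupted.",
    "delivery": "Your furniture order is confirmed. Call 800-555-0199 to schedule delivery.",
}
```

A benign delivery notice with a toll-free number scores below the threshold because it carries no urgency or financial terms; tune the lists to the brands your users actually deal with.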
Brian Krebs from the Washington Post reported the following anecdote:
"Last month, I spoke with Lynn Goodendorf, vice president of privacy for InterContinental Hotels Group PLC. She told me about a scam that has apparently become quite common in the Atlanta area (and probably other U.S. cities) where crooks call someone and pretend to be from the local clerk of the court's office, asking why the person failed to respond to a jury summons. Ignoring a jury summons can result in a judge issuing a bench warrant for your arrest, but in this scam the callers say the problem can probably be straightened out if the person provides his or her name, Social Security Number and other personal data.
'This scam works because it really throws people off balance or into a panic,' Goodendorf said. Imagine the panic that sets in after you fork over your information to one of these low-lifes."