A recent Voice over IP (VoIP) phishing campaign has been targeting customers of financial institutions and successfully stealing the payment information of up to 250 Americans per day.
Voice over IP phishing, also known as vishing, is a form of phishing that tricks victims into giving up payment information through a phone call or SMS text message. The scams appear to come from banks and instruct victims to carry out certain tasks for the attacker.
Security firm Phish Labs uncovered a trove of attacks, described in a recent report on its blog. The firm says it stumbled upon a “cache of stolen payment card data belonging to customers of dozens of financial institutions” while investigating.
Phish Labs believes that a group of cyber criminals based in Eastern Europe is carrying out the attacks. The attackers are believed to be using email-to-SMS methods to tell victims that their debit card has been deactivated.
In the attack, the cyber criminals send the victim a text message saying that their ATM card has been deactivated. The message gives the victim a phone number to call; once they call, the victim is told to enter their card number and PIN to reactivate the card. The attackers log the data and can use it to cash out later.
Phish Labs reports that more than 50 medium-sized financial institutions have been targeted by the attacks over several years. The CEO of the firm, John LaCour, noted the operation could be costly for its users and other banks. In a post, LaCour states, “each stolen payment card can result in hundreds of dollars in fraud losses and card replacement costs”.
The blog post noted that if a user has a withdrawal limit of around $300 per day, attackers could siphon out over $75,000 per day from these vishing attacks.
Details on this specific vishing attack are minimal, but Phish Labs security researchers claim that one of the phone numbers used in the attacks has been in use for over six months and dates back to October 2013.
The vishing attack method is nothing new; it has been used for targeted attacks for years.
“It appears that these vishers have been active for several years,” Stacy Shelley, a Phish Labs employee, told Threatpost on Tuesday. “They target a specific bank or credit union for a few days and then move on to another target.”
The Phish Labs blog post details how vishing attackers operate, the impact of the attacks, and how financial institutions and mobile providers can better protect their users.