What is vishing, actually?
Vishing, or Voice over IP phishing, is a method of stealing payment card data and credentials in which fraudsters send phone or SMS text messages that pose as banks or other institutions, in order to trick victims into divulging their card information.
In other words: vishing, or voice phishing, is an attack in which the attacker sends you texts or VoIP calls with messages claiming to come from an authorized vendor of the particular service you are using.
A vishing (voice phishing) attack was discovered by researchers from cybercrime intelligence firm PhishLabs. A few days ago, customers of some banks received text messages claiming that their debit cards had been deactivated, and then got calls instructing them. An IVR (Interactive Voice Response) system set up at that number asked callers to input their debit card and PIN numbers in order to reactivate the cards. According to the researchers, the attacks have been carried out by a group of hackers from Eastern Europe since October 2013.
According to a blog post by John LaCour, posted on the 29th of April 2014, "Vishing is alive and well – and impacting midsize banks": “PhishLabs investigated the attack and uncovered a cache of stolen payment card data belonging to customers of dozens of financial institutions. Based on analysis of the recovered cache, we estimate the vishing crew responsible for the attack has stolen the data of 250 cards per day in this vishing campaign. Further investigation also indicated that one of the phone numbers used in the campaign has likely been used in vishing attacks since October of 2013.”
Vishing is still alive and well
While not as prevalent as online phishing and crimeware attacks, vishing attacks are often run by professional crews. These crews use vishing to harvest card data, which they then sell or hand off to cash-out crews. The data is then used for card-not-present transactions (e.g. shopping online or via phone) or it is encoded onto new cards to purchase goods or withdraw cash from ATMs. Based on its investigation, PhishLabs believes this vishing campaign is being carried out by an eastern European vishing crew. The operation uses email-to-SMS gateways to spam out text messages that instruct recipients to call a phone number to reactivate their card. When called, an IVR (Interactive Voice Response) system requests that the caller enter their card number and PIN. This data is captured by the IVR system and stored for retrieval by the vishing crew.
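A defender-side triage sketch for the lure described above, added here as an example and not taken from PhishLabs or the original post: it flags reported texts that pair the card deactivation/reactivation wording with a callback number the institution does not publish, and notes when the sender is an email address, which is how messages relayed through email-to-SMS gateways commonly appear. The function names, the North American phone pattern and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Lure wording from the campaign: card "deactivated" / call to "reactivate".
LURE = re.compile(r"\b(?:de|re)activat\w*", re.I)
CARD = re.compile(r"\b(?:card|debit|atm)\b", re.I)
# Assumption: North American number formats only.
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize(number: str) -> str:
    """Reduce a phone number to 10 digits so formats compare equal."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


@dataclass
class Verdict:
    flagged: bool
    reasons: list = field(default_factory=list)
    callback_numbers: list = field(default_factory=list)


def triage_sms(sender: str, body: str, official_numbers: set) -> Verdict:
    """Flag a text that pairs the card lure with an unpublished callback number."""
    official = {normalize(n) for n in official_numbers}
    unknown = [n for n in map(normalize, PHONE.findall(body)) if n not in official]
    lure = bool(LURE.search(body) and CARD.search(body))
    reasons = []
    if lure:
        reasons.append("card deactivation/reactivation lure")
    if unknown:
        reasons.append("callback number not published by the institution")
    if EMAIL.match(sender.strip()):
        reasons.append("sender is an email address (possible email-to-SMS gateway)")
    return Verdict(lure and bool(unknown), reasons, unknown)


# Constructed sample data (fictional 555-01xx numbers, reserved example domain).
OFFICIAL = {"+1 202-555-0100"}
SAMPLES = [
    ("alerts4417@mail.example",
     "ALERT: Your debit card has been deactivated. Call 202-555-0142 to reactivate."),
    ("72345", "Your card ending 1234 was used for $25.00. Questions? Call 202-555-0100."),
    ("+12025550199", "Running late, call me at 202-555-0177"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage_sms(sender, body, OFFICIAL))
```

The allowlist of published numbers is what separates a genuine bank notice from the lure; the email-sender signal only adds context and does not flag a message by itself.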
The Financial and Operational Impact of Vishing
The financial cost of a vishing attack is significant for targeted organizations. Each stolen payment card can result in hundreds of dollars in fraud losses and card replacement costs. The withdrawal limit on ATM cards is typically $300 per day. Using the recently investigated attack as an example, with 250 cards stolen per day, $75,000 can be lost each day of the attack.
How vishers use this technique (it varies from crew to crew):
- They find and compromise vulnerable servers and install IVR software on that particular server
- Then they locate a vulnerable VoIP server and hijack the DID (Direct Inward Dialing) function
- After that they assign a hacked phone number to their IVR system
- Using free text-to-speech tools, they generate their recordings and load them into the IVR system
- They send out spam texts containing the hacked phone number to thousands of phone numbers using email-to-SMS gateways
Source: PhishLabs