Warning: Don’t Get Vished


If you’ve spent some time on the Internet, you probably know that if you aren’t careful you can get “phished” through a fraudulent email or a malicious website. But did you also know that you can get “vished” through an SMS text message sent to your mobile device?

A recent report released by researchers at PhishLabs has uncovered a large “vishing” campaign affecting an average of 250 people per day – potentially since October 2013. The financial institution utilized in this campaign has yet to be disclosed, but PhishLabs’ report indicates that it is of medium-size and based in the United States. The report also indicates that the campaign is just one of many others like it.

How to Spot a Vish

To spot this latest scam, watch out for an unsolicited SMS text message from your bank that states your card has been deactivated and includes a phone number to call for reactivation.

Vishing is the act of phishing through Voice over IP (VOIP) technology. Much like a phisher attempts to steal your personal information with a cheesy email or a fake website, a visher attempts to do so through a phone call or a text message. In order to do so, the visher – or gang of vishers – must first accomplish a few preliminary steps.

First: compromise a server unconnected to their name and install Interactive Voice Response (IVR) software onto it. Second: Hack a VoIP server (also unconnected to their name) that will allow them to send the vishing SMS texts. Third: Use the IVR to record an automated customer service voice assistance program that emulates the one used by the targeted bank and include a prompt to enter account and pin numbers. Fourth: Use the compromised VoIP server to disburse vishing text messages that include a phone number which connects victims who call it to the fake customer service IVR. Fifth: Wait for victims to enter their credentials. Sixth: Cash in.

The well documented, step-wise nature of vishing campaigns is reflective of the fact that this technique has actually been around for quite some time and that it is usually instigated by well organized groups of attackers – to whom many banks and individual customers fall prey.

Once credit or debit account credentials are compromised, they can be used to make fraudulent purchases both online and off. Vishers can either shop online using cardless transactions or create fake cards with the stolen numbers to cash out instantly at ATMs.

Preventing Psychological Malware (and actual malware too)

Malware isn’t always computerized. Though carried out through technical means, the impetus to each and every compromised account in this latest vishing campaign was a victim making a wrong decision – calling a fraudulent phone number and sharing financial information with an unknown party.  This is social engineering, and the only way to prevent it is through increased security knowledge. This is why we blog.

Financial malware is just as often computerized as it is psychological though – perhaps even more so. Most notorious of all is the use of financial Trojans like Zeus, which can perform man-in-the-middle attacks to steal user credentials. This is why we create anti-malware and submit it to testing organizations like MRG-Effitas – to make sure that it can protect you and your computer from 100% of the world’s most prevalent financial malware threats.

As this latest vishing campaign shows, financial cybercrime is also merging into the mobile world. This is why in addition to blogging and creating high performance anti-malware for the PC, we also offer Emsisoft Mobile Security. SMS texts like the one used in this latest vish campaign detailed by PhishLabs can also be used to link victims to more traditional but equally malicious phishing websites or drive-by websites that automatically install malware – as was done just one week ago with the Facebook iBanking rogue.

As always, if you even slightly suspect that you might have been vished by this latest campaign or by any campaign like it, you should keep a close eye on your financial accounts and consider contacting your bank. It’s not enough to play the odds and assume that you won’t be targeted! An attacker with your credentials can create a fake card and cash in on an ATM, can make unmitigated purchases online, can sell your credentials to other cyber-thieves, and can even go as far as falsifying your identity.

Have a great (Vish-Free) day!