We reached a milestone on the writing for our Hacking Exposed: VoIP and UC book. All the core material is written! We are reviewing final page proofs on about half of the book (17 chapters) and have some review and edit work ahead on the remaining chapters, but we are getting very close! Thank goodness :)
This book has refreshed chapters on the information-gathering phase, network attacks, and SIP/RTP attacks, along with new chapters on topics such as toll fraud, calling number spoofing, harassing calls, Telephony Denial of Service (TDoS), call pumping, voice spam, voice phishing, social engineering, and emerging technologies.
There has been quite a bit of press about a voice phishing/vishing scheme in the UK that has netted the crooks some $7,000,000 pounds. Whether this is one attack or several isn't clear, but it should be no surprise that using robocalls and then "vishing" information out of individuals is a very effective attack.
The attacker uses robocalls to call and leave messages on landlines, smart phones, and enterprise desk sets. The attacker simply picks numbers and leaves a message from a well-known financial enterprise, such as a top 5 bank. Odds are that if they call 10,000 numbers, a good percentage of the targets will just happen to work with that bank. While people have grown distrustful of phishing email, they tend to trust voice calls a little more.
Individuals call back, usually to a 1-800 number, with an IVR that requests some sort of personal information, such as a credit card and PIN. Once the attacker has that information, they are good to go.
Here are a couple of links. You can find quite a few more.