There have been several articles about a bust of at least 70 people in India, who are behind some of the IRS scam phone scam. We have been working the the IRS/TIGTA, the FTC, and DHS CSD on this issue - it is good to see that at least one of the fraud rings has been busted. Hopefully this will result in at least a temporary reduction in this scam.
Here are articles from the Wall Street Journal and CNN. You can find several more:
For those not familiar with STIR, it is an effort (working group) attempting to solve the issue of spoofed calling number (caller ID). It has become so easy to generate calls with random anonymous numbers or specific/targeted spoofed numbers, that the source number has lost most of its value as an indicator of who is calling. This enables some attacks, but more importantly, makes other attacks such as Telephony Denial of Service (TDoS), voice SPAM (robocalls), scams, voice phishing (vishing), and harassing/threatening calls much more of an issue.
I just finished attending the 2014 SIP Network Operators Conference (SIPNOC). I couldn't attend some of the conference and missed the update on the Secure Telephony Identify Revisited (STIR). However, I checked the checked the IETF website and there has been quite a bit of activity and there are several new documents that are worth a read. You can find these documents at:
Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:
Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone elses PBX to generate calls to premium numbers set up by the hacker or where the hacker has an agreement with the owner to generate traffic.
Telephony Denial of Service (TDoS) - using someones PBX to target a business or individual. The attacker makes money through extortion.
Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).
At the end of the presentation, there is a brief TDoS demo.
Note that another way to make money is call pumping, where the calls are to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.
Check out the following article. It states that over 200,000 voice phishing/vishing calls into Korea, from other countries, were blocked in January and February. Some additional statistics are given as well that break the calls down by type, bank, etc. Most of them are imitating Korean banks. Unfortunately, there isn't any information about how these calls are blocked, I presumably by Korean service providers.
It seems like US-based service providers could do the same thing - block international calls claiming to be US-based finanical institutions. This isn't trivial though, you need technology at the right location in your network and managing blacklists of numbers takes a ton of work (I know, we do it too).
Here is an interesting report on a variety of fraud issues. One thing that struck me is that voice has become the preferred channel for fraud. Voice SPAM, scams, vishing, social engineering into contact centers, etc. Voice used to be the most trusted communications medium, but now it has become the LEAST trusted. Public voice has a ton of issues - is it any wonder that users are moving to closed systems for voice and messaging???
The M3AAWG Special Interest Group (SIG) on voice fraud and security issues has published their agenda. This SIG will be held February 20-21. I will be on the panel discussing current solutions, with a focus on Telephony Denial of Service (TDoS). I hope to see some of you there:
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is holding a special interest group in their annual conference in San Francisco, February 17-21, to focus on issues unique to voice. This includes Telephony Denial of Service (TDoS), robocalls, voice SPAM, voice phishing, etc. I will attend and be on the solutions panel. Here is a link to an article discussing the special interest group.
There has been quite a bit of press about a voice phishing/vishing scheme in the UK that has netted the crooks some $7,000,000 pounds. Whether this is one attack or several isn't clear, but it should be no surprise that attackers to use robocalls and then "vish" information out of individuals, is a very effective attack.
The attacker uses robocalls to call and leave messages on landlines, smart phones, and enterprise desk sets. The attacker simply picks numbers and leaves a message from a well-known financial enterprise, such as a top 5 bank. Odds are that if they call 10,000 numbers, a good percentage of the targets will just happen to work with that bank. While people have grown distrustful of phishing email, they tend to trust voice calls a little ore.
Individuals call back, usually to a 1-800 number, with an IVR that requests some sort of personal information, such as a credit card and PIN. Once the attacker has that information, they are good to go.
Here are a couple of links. You can find quite a few more.
I just finished a chapter in my upcoming book, Hacking Exposed: VoIP and UC on Social Engineering and Voice Phishing. The attacks are focused around gathering Personal Information (PI) and using it to enact illicit financial transactions. I will provide a more detailed post in the future. In the meantime here is a recent article on the subject. I will also be adding a bunch of articles to my list on this topic:
Collaboration Security, Mark Collier, robocalls, SecureLogix, TDoS, Telephony Denial of Service
Harassing calls, UC Security, Unified Communications Security, Voice Over IP Security, Voice Security, VoIP Security