Vishing: The Crooks Are Getting Better
Robert Siciliano: Attacks Are More Sophisticated, Targeted
Vishing is a socially engineered scheme that used to be limited to landlines and call centers. Most recently, even the Federal Deposit Insurance Corp. was used as a guise to convince unsuspecting consumers to hand over Social Security numbers and dates of birth. Today, with the advent of mobile technology, this classic scheme has been given a new channel to exploit. Growth of mobile banking has helped fuel mobile text-based attacks, as consumers have become more accustomed to receiving communications from their financial institutions via the mobile channel.
"Vishing hooks the consumers directly through their phone, whether it's a land line or a mobile phone, and it's much harder for the financial institution to detect," Robert Siciliano, a McAfee security consultant and founder of IDTheftSecurity.com, says in an interview with BankInfoSecurity.com and CUInfoSecurity.com (transcript below). "They are getting better and better at identifying who that end user is, meaning who the bank's or the credit union's client is."
Vishing and phishing attacks are more sophisticated and organized today than they have ever been, especially when it comes to the schemes perpetrated by crime rings. "They are employing criminal hackers with the sophistication of the best penetration testers out there today," Siciliano says. "They are modeling the financial software industry, the security industry, bringing in social psychologists and social engineers to look at everything to figure out how to get your client base to fork up data. They are very good at it, and they are only going to get better."
In the end, consumer education is the only way to combat the vishing and phishing epidemic, Siciliano says. In this interview with Managing Editor Tracy Kitten, Siciliano explains:
- How socially engineered schemes are evolving;
- How the attacks and those who perpetrate them are getting more sophisticated and more organized; and
- Why consumer education is the best way to fight and prevent these types of attacks.
Siciliano has 29 years of experience in the business world and has been involved in information security, personal security and identity theft issues since the early 1990s. He has given hundreds of security presentations to businesses, including GMAC, the National Association of Realtors, Domino's Pizza, United Bankers' Bank and the Conference of State Bank Supervisors, along with numerous state banking associations, among others. He is also a certified security instructor for numerous industry associations.
TRACY KITTEN: Vishing, it's a socially engineered scheme that has been limited to landlines and call centers, but today with the advent of mobile technology this classic scheme has been given a new channel to exploit by hitting unsuspecting consumers with vishing or smishing text messages convincing them to reveal anything and everything from Social Security numbers to account numbers and PINs. I'm here with Robert Siciliano, a McAfee security consultant and founder of IDTheftSecurity.com. Robert, you've made a career out of exposing fraud and providing consumers with personal protection advice on everything from identity theft to financial security. Could you please tell the audience a bit about your company, your website and the work you do in the security arena?
SICILIANO: I work with small, medium, and large business consumers essentially educating them on what the issues are, how bad they are, and what they need to do to protect themselves and their clients.
KITTEN: Robert, when we talk about vishing, a voice attack; phishing, an e-mail attack; and smishing, a text-message-based attack, all three are basically the same thing. They are all socially engineered schemes that prey on consumers' trust. Can you explain how you view these socially engineered schemes and how you see them evolving?
SICILIANO: The beauty of vishing is that it's a relatively offline crime, in that it doesn't solely connect to the Internet. The vendors -- the service providers out there that are doing their due diligence to protect banks and consumers and credit unions from phishing attacks -- often don't have systems in place to protect from vishing. Vishing hooks the consumers directly through their phone, whether it's a land line or a mobile phone, and it's much harder for the financial institution to detect.
KITTEN: Who typically perpetrates this type of crime? Is it usually conducted by organized crime rings, such as the rings we often see behind the card-skimming attacks and database breaches, or is vishing a more low-tech type of crime?
SICILIANO: Vishing is a relatively low-tech crime that does require some organization. Those responsible for perpetrating the crime have to be somewhat organized. Having access to the different databases may require some type of inside job. It may require some type of hack over voice over IP or hacking a database connected to the Internet. And the different technologies behind a vishing attack are often readily available over the Internet for free.
KITTEN: Has the advent of mobile technology helped to fuel or breathe new life into vishing?
SICILIANO: So, this is another medium, another way of contact other than land line, and it also requires a new area code close to a land line area code that may be established by the land line carriers as opposed to the mobile carriers. Ultimately, it's just war dialing. War dialing is potentially when the bad guy is calling specific area codes in relation to a local or regional credit union, and they are reaching out and dialing everybody in that region via that area code.
KITTEN: Now, a number of smaller communities have recently been hit with smishing messages that were randomly texted to cell phones. These smaller communities seem to be new targets for fraudsters who perpetrate these types of attacks. What patterns are you seeing in vishing, smishing and robo calls?
SICILIANO: The credit union and bank clients, when they receive this communication, they are ultimately engineered, socially engineered, conned into believing that it is their institution. The crime of phishing is when the bad guys are blanketing the Net with a communication that looks legitimate; vishing is potentially the same thing, except they are doing it via the phone lines and sometimes using phishing, e-mail phishing, in coordination with the vishing. They are able to, in many different ways, get the actual list, phone list, of who the potential marks are. In addition to that, they're getting better and better at posing as that legitimate organization. Through intelligence, they are monitoring the incoming or outgoing calls, communications, of that particular entity, and so they are better able to disguise themselves as that entity. That they look more and more legitimate with each and every communication, whether it's phishing or vishing, shows that they really are doing a great job.
KITTEN: So what can financial institutions do to proactively protect themselves?
SICILIANO: Well, I think it is very important that they understand all the different ways in which the bad guy is exploiting them. When voice over Internet protocol is hacked, they are compromising existing call centers, and so the entity, the institution, needs to make sure that their land lines are all set up to prevent this type of attack. They should employ vendor solutions for both hardware and software, ultimately to help prevent or detect war dialing. Institutions should also understand that databases where their existing banks of clients and their phone numbers are housed are valuable. So, all the different points at which that information can be accessed, whether it's on a database itself, need to be properly protected from the inside out. And they need to understand that to throw away a list of phone numbers in a dumpster can also compromise your existing clients. Whether those phone numbers are land lines or mobile phones, and whether they are receiving a vishing attack, a text-messaging attack, or a call in via voice messaging or voicemail, they need to understand that everybody is vulnerable. Banks and credit unions need to protect that data any way possible. Instituting any vendor solutions that might be available to use, again, to protect that hardware and protect that software, and protect those lists is absolutely essential.
KITTEN: Robert, are there companies that provide proactive or protective phishing or vishing services to financial institutions?
SICILIANO: There are many companies that are providing some type of phishing prevention, where they are monitoring the Internet looking for your brand name; it's essentially a brand-identity-protection service that is looking for your name out on the wild, wild Web. They are looking for some type of a Botnet or Internet-relay chat or some type of a server that is sending out communications with your brand, whether it's being reported back to your entity or it's just out there. They work to actively shut down any type of a server or any type of a communication via a Botnet that is sending that data out. It's much, much more difficult to do the same for a vishing attack, especially one that is employing the technique of war dialing, where it's typically sending out phone calls and leaving voice messages. There is not much institutions can do to prevent that unless they can find the source that is making the calls.
You know, in the end, this is one of those attacks that is best prevented by educating the consumer, telling them that they are not to respond to any communication that is requesting that they provide personal-identifying information in any way, whether it's to verbally enter voice prompts or to punch in your 16-digit card number via your phone line. While the caller ID may show that it is your entity, that kind of identifying information can easily be spoofed. Banks and credit unions need to understand the root and nature of the crime and all the different ways that it is occurring, and then they need to communicate that to their client base. Consumers should be informed via the three-fold brochure that you might send out with a statement, or in the teller line, or maybe even through some outgoing calls. You need to let them know there are phishing messages taking place. Any means that you can coordinate with your client base to let them know that there is an ongoing attack is one way to minimize and reduce risk.
KITTEN: What final words of advice can you offer, and do you see these types of attacks continuing to grow?
SICILIANO: There is no question about it, these types of attacks are going to continue. The sophistication and coordination of the bad guy proves that they are working 9 to 5 and/or 24/7-365. These are full-time professionals. They are employing criminal hackers with the sophistication of the best penetration testers out there today. They are modeling the financial software industry, the security industry, bringing in social psychologists and social engineers to look at everything to figure out how to get your client base to fork up data. They are very good at it, and they are only going to get better at it. They are more organized today than they've ever been, and as a financial institution, your only option is to be as good, if not better, than them. That means employing some of the best technologies and/or penetration testers out there to work on looking at your existing networks and figuring out where the vulnerabilities are, how they can be compromised; and, ultimately, financial institutions need to employ the best solutions they can to keep the bad guys out. Then, working with your existing client base may be a good idea, to test them to see what their vulnerabilities are, and then provide them with ongoing education. These types of frauds are only going to continue to grow as long as we incorporate the conveniences of all these different technologies over the phone and over the Internet.