The telephone is not a communications medium that most people would associate with high-tech fraud, but the evidence of recent weeks suggests that it is time to look at its supposed safety in a new light.
As far as can be ascertained, phone fraud took its troubling new turn some time towards the end of 2005, with the emergence in China of an ingenious phone-based fraud that used the ubiquity of SMS to give the social engineering scam an unexpected new twist.
An unknown number of residents of China’s capital, Beijing, were sent unsolicited SMS messages, claiming they had spent sizable sums of money on their credit cards. Alarmed and confused, recipients dialled an embedded telephone number after which they were asked to “verify” their credit card account details.
Armed with this information, the fraudsters were able to spend up to the maximum of the caller’s account before the con was uncovered, claiming an unknown number of victims.
From this very basic, phone-only fraud, the use of the medium to carry out theft has more recently reached its next logical step: integrating social engineering via phone with an online medium in a number of ways.
By early June of this year, a new spate of phone-based attacks started to appear. Some use the phone as the initial lure, while others prefer to use it as the back end to execute the actual information fraud, but all have the common theme of using a trusted, low-tech medium (the phone) in conjunction with a complex, insecure one people are now wary of (the Internet).
One example, reported in mid-June, also used SMS as the initial lure. The scam involved sending an SMS message to randomly-generated cellphone numbers on one or more US mobile networks, saying that users would be billed $2 a day subscription to an online dating service. Recipients who wanted to cancel this fictitious subscription were invited to do so online.
However, the unwary and unprotected visitor hitting the “unregister their mobile” button on this site would have found themselves infected with a variant of the Dumador Trojan (reportedly Dumador.eo, also known as BackDoor-CCT), a piece of malware that has been circulating for some months as the engine for a variety of scams.
Its effects are to open backdoor control using HTTP as the command channel, and to attempt information and keystroke theft in addition to – most probably – turning the PC into a botnet zombie.
If SMS and the mobile phone were used in this example to start an attack, another recent ploy is to use the phone at the other end of the chain, to actually carry out the fraud. One such attack, reported by Websense, also from June, was the Santa Barbara Bank & Trust voice phishing scam.
In tried and tested fashion, an email turns up targeting customers who happen to use that bank, asking them to verify their online account details. Instead of asking them to visit a website – the usual way to start a phishing attack – the email requested users to phone a telephone number with a southern California area code.
The automated message that greets anyone dialling this number is relatively convincing and can be heard on the Websense site.
Needless to say, anyone “verifying” their account details through this system will find their balances have suddenly shrunk to zero credit shortly thereafter.
The cleverness of these two attack examples lies in their blended nature: a basic medium starts a chain of events that begins innocuously, using low-tech means, but becomes, behind the scenes, highly complex.
As with all social engineering, these attacks sound simple, but trade on a complex understanding of user behaviour that even the world’s largest software companies struggle to emulate for their perceptive precision.
The main motivation for coupling the phone to the online world is simply that it is more difficult to block than a conventional online-only attack. The SMS fraud starts offline in an unprotected domain, before moving online, at which point it can only be blocked if the user happens to be running security software that is aware of the specific malware being used (it also uses HTTP instead of the commonly-blocked IRC to issue commands to the infected PC).
The alternative would have been to use email to start the scam, but that is much easier to block using an anti-spam system, either at the gateway or desktop.
The second, voice-initiated scam is a curiosity, but one that is likely to turn up with increasing frequency in the coming months. This time, email is used to hook the user, but once over that barrier, the request that the victim-to-be phone a telephone system could garner a decent success rate.
At that point, no security system on earth can stop it.
“People have become more savvy and we’ve already seen a shift in tactics to use IM,” comments Websense’s technical director, Mark Murtagh.
“What we’re seeing now is the move to the telephone.” Murtagh’s prediction is that multi-medium phishing and scamming is here to stay, and is merely a natural part of the way malware has been evolving in the last two years.
The window of opportunity will close, or at least narrow, as people become aware that the phone is a device that deserves as little trust as communication in the online world. Until the typical user catches up, however, the scammers are set to stay one step ahead.