Vishing

Submitted By vinayaartala
Words 2502
Pages 11
ABSTRACT
The Internet has made large amounts of information available to the average computer user at home, in business and in education. For many people, having access to this information is no longer just an advantage, it is essential. Yet, connecting a private network to the Internet can expose critical or confidential data to malicious attack from anywhere in the world. This paper is intended to discuss an emerging threat vector which combines social engineering and technology. Utilizing Voice over Internet Protocol (VoIP) convenience combined with electronic mail phishing techniques, Vishing has the potential to be a highly successful threat vector. Vishing victims face identity theft and/or financial fraud. An increased awareness about these attacks will provide an effective means for overcoming the security issues.

INDEX
1. Introduction
2. What is Vishing?
3. How Vishing works?
4. The Problem of Trust
5. Vishing Characteristics
5.1. Type of data prone to attack
5.2. Data usage by the attacker
6. Other Attacks
6.1. Dumpster diving
6.2. Card Owner Validation
6.3. Handset Blackmail
6.4. Exploit payloads
7. Overcoming Vishing
8. Conclusion
References

1. Introduction:
Many of today’s widespread threats rely heavily on social engineering techniques, which are used to manipulate people into performing actions or divulging confidential information to leverage and exploit technology weaknesses. Phishing is the most commonly exploited threat currently plaguing the Internet and its users. At one point, phishing referred exclusively to the use of e-mail to deliver messages whose purpose was to persuade recipients to visit a fake website designed to steal…...

Similar Documents

Installing a Voip System

...in the office causing the downtime to be longer. This phone system also lacks the features necessary to improve the overall sales of both companies. Managers cannot monitor or coach calls and the calls cannot be recorded by the current system. The IT Department feels it is necessary to upgrade to an IP Based Phone System. Discussion of Business Problems: Why should the current analog phone system be replaced and how will it improve the overall quality of service for both companies? There are many advantages to switching to a Voice Over IP or VoIP Phone system. However, it is also important to review the possible negatives of the switch. One important issue is the security of the new system. There is a cyber attack called Vishing. Vishing also known as voice-phishing – “uses social engineering over the telephone system, most often using features facilitated by VoIP, to access private and personal information for credit card and identify theft.” (Bodhani, A. (2011). VOIP - voicing concerns. Engineering & Technology, Pg 78) The IT Department needs to be well prepared for these types of attacks before upgrading the phone system. The current equipment for the phone system will be another issue. Russ Drumheller realizes that, “another obstacle is the possible loss of investment in legacy phone and network equipment” in his review, “Managed VoIP Services.” (Drumheller, R. (2011, November 11). Managed VoIP Services.) The IT Department will have to research on what...

Words: 3299 - Pages: 14

How Ethics Relate to Computer Crimes

...yours, to launch a denial-of-service attack. The attacker then forces your computer to send huge amounts of data to a website or send spam to particular email addresses. Phishing, Spear-phishing, Smishing, and Vishing Phishing is a method of online identity theft; most people associate phishing with e-mail messages that spoof, or mimic, banks, credit card companies or other businesses like Amazon, eBay, PayPal, the Better Business Bureau, etc. In addition to stealing personal and financial data, phishers can infect computers with viruses and convince people to participate in illegal activities. Most people won't reveal their bank account, credit card number or password to just anyone, so phishers have to trick their victims into giving up this information. This kind of deceptive attempt to get information is called social engineering. Phishers often use real company logos and copy legitimate e-mail messages, replacing the links with ones that direct the victim to a fraudulent page. These messages look authentic and attempt to get victims to reveal their personal information. Spear phishing is when fraudulent emails are sent to a specific organization's employees. Smishing is another form of phishing and uses Short Message Service, or texting, to obtain personal information. Vishing is similar except the victim gets a voice mail directing them to call or visit a website where their personal information is requested. If you believe you have given your personal information to a person or......

Words: 3580 - Pages: 15

Common Information Security Threats Paper

...sensitive customer data in hidden system files stored on the user’s smart phones. And with 30% of phone subscribers owning iPhones, BlackBerrys and Droids, there are a lot of people at risk. While storing a password and keeping your phone locked is a good start, it's not going to protect you from professional fraudsters. (Doughton, 2012). The identity thieves generate domains with similar looking URL addresses as the banks they are targeting, with a character or two added or two characters switched within the URL address, for instance BankOfAmericas.com, in hopes customers will accidentally visit the website and attempt to log in with their real usernames and passwords. The level of sophistication used in phishing, smishing and vishing attacks has also increased in the past couple of years. In 2009 researchers discovered a sophisticated method of phishing that is aimed at customers while they are online banking; the attack used the method of sending fake popup messages pretending to be from the customer’s bank. The phisher’s attack works by injecting a legitimate bank’s website with malicious code, usually JavaScript, so when a banking customer visits one of the infected bank’s websites, they become targeted. The malware functions by exploiting flaws in the browser that allow the phisher to view the bank website’s URL where the customer is logged into, then the malware automatically creates a popup posturing as their bank. If the customer is fooled with the popup......

Words: 1188 - Pages: 5

Biometrics

...hacker sends thousands of false communications or requests. All are aimed at shutting down the system. Zeus is one of the top bank credential stealing Trojans. It has been linked to over 100 million dollars of financial losses worldwide, according to the Federal Bureau of Investigation. Once this Trojan is thought to be under control a new more sophisticated one will take its place.” (Laudon, 12ed) “The infected computer then becomes a slave, or zombie, serving a master computer belonging to someone else. Once a hacker infects enough computers, he or she can use the amassed resources of the botnets to launch DDoS attacks, phishing campaigns, or unsolicited “spam” e-mail.” (Laudon, 12ed) 4. Phishing – Phishing, smishing and vishing attacks are on the rise. This type of threat targets not only banks but also Amazon and other e-commerce. Phishing involves setting up fake websites, emails or text messages that may look legitimate but in fact they are disguised to get personal information. Another phishing technique called the “evil twin” is harder to detect because it preys on people on the go. Wireless network connections that are found in airport lounges, coffee shops and hotels are built to seem trustworthy but in fact are bogus networks made to look like legitimate networks to try and capture passwords or credit card numbers once users log in to conduct business. (Laudon, 12ed) 5. ACH Fraud – Is part of corporate account takeovers. Banks are suing......

Words: 1787 - Pages: 8

Computer Crime

...transactions fraudulent 2006; 0.052% in 2011 (Aust)
• Card-not-present fraud losses increased: $31.8m (2006) $198m (2011)
• Sept 2012 – 15,000 false cards worth $37.5m seized by police
Cybercrime
• Verizon (2011) – 855 data breaches involving 174 million records
• APWG – Phishing attacks – 176 (Jan 2004); 23,535 (Jan 2011)
Anti-Phishing Working Group Data
January 2004
• 176 unique attacks
January 2012
• 25,244 unique attacks
14,243% increase over 8 years
Source: http://www.antiphishing.org/phishReportsArchive.html
Developing risk areas
Computer-facilitated fraud and money laundering
• Focussed personal spam attacks (whale phishing, spear phishing)
• Click frauds to defraud online advertisers
• Phishing leading to Vishing and SMiShing / context-aware phishing
• Money laundering using stored value cards and online games
Unauthorised access
• Access to disable security systems
• Embedded malicious code installed by corrupt insiders / consultants
• Displacement risks of violence to obtain access codes
Evolution of malware
• Malware able to avoid detection by filters
• Vulnerabilities from user-generated web content
• Botware moving to peer-to-peer networks / file-sharing
Developing risk areas
Intellectual property infringement and industrial espionage
• Electronic theft of trademarks and patents
• Enhanced reverse engineering of code relating to inventions
• Hacking into unencrypted commercial-in-confidence communications
• Risks from insecure......

Words: 1301 - Pages: 6

Information Security Project

...procedures. 2. What initial steps are taken as soon as the security incident is discovered? Should the computer, server, or device be immediately shut down… or left running? 3. What departments will be involved? IT Department? Management? 4. Who all should be notified? What departments, what members of management, customers, regulators? Specifically, what method of communication will be used to notify? 5. Was information compromised? If so, customers/patients will have to be notified. Note: These are not preventative measures and projects to take on before or after the incident. This is a “What do I do immediately?” type of scenario. Incident Response Choices 1. Corporate Account Takeover 2. Phishing, Vishing, or Smishing Attack on Customers (choose one) 3. Spear Phishing Attack on Employee(s) 4. Trojan Horse Virus/Keylogger Attack on Workstation/Server 5. Advanced Persistent Threat 6. Distributed Denial-of-Service Attack (DDoS) 7. Denial-of-Service (DoS) Attack 8. Company Laptop Stolen Containing 200 Customer/Patient Social Security Numbers 9. Former IT Staff Remotely Accesses Systems with “Admin” Password 10. Network Breach Detected By IDS (IDS NOT IPS) 11. Network Breach Detected by IPS, Router Password to One Business Location Compromised; Vulnerability Scan Ran Afterward Says Password Was Factory Default 12. Network Administrator Leaves After Heated Dispute with......

Words: 625 - Pages: 3

Social Engineering

...started educating employees on the need for verification other than just a name before giving out information. In the medical field, laws such as HIPAA prevent patient information being given out before some verification is given over the phone (such as patient name, address, and health insurance). Victims of these social engineering attacks believe they are doing their jobs or just protecting themselves. In the past some over the phone attacks occurred at night in order to ‘phish’ for information such as credit card and CVV numbers. Again, the attacks are successful in that they play on human need to please the person on the other line if they believe they are doing them a service and want to comply. Some attacks, referred to as ‘vishing’, are voicemails urging you to call a number back to discuss fraudulent charges or credit activity. When it comes to the security and safety of yourself and your finances over the phone, you’re relying on that person’s voice and information they have given you. Attacks that occur in person can be trickier than over the phone. Delivery personnel are allowed in buildings to come and go during most business hours if they have a uniform complete with the laminated photo name badge. Think about the photo ID card: in the area there are countless companies and even branches of the government that use these forms of identification to grant employees access. They wear them everywhere during the work week; to and from work, in the......

Words: 1344 - Pages: 6

Mgmt 330 Mid Term Study Guide

...admissible in court. Ex. Herring v. U.S.; evidence IS admissible when seized based on mistaken belief of police. So, if the police mistakenly seized evidence then it IS admissible in court. Fruit of the Poisonous Tree-think of a tree, if the tree is poisonous, then the apples that the tree drops are poisonous too. So if evidence obtained in violation of due process is brought, then any evidence that comes from the initial evidence is not admissible either. * • Cyber Crimes: Any act directed against computers or that uses computers as an instrumentality of a crime. * -Cyber Fraud: fraud committed over the internet (e.g., Nigerian letter scam). * Online Auction Fraud. Cyber Theft: -Identity Theft. -Phishing. -Vishing. -Employment Fraud. -Credit-Card Crime on the Web * Prosecution of Cyber Crime. * “Location” of crime is an issue. * Jurisdiction of courts is an issue. * Computer Fraud and Abuse Act. * Person is liable if he accesses a computer online, without authority, to obtain classified, private, or protected information. * • Criminal Penalties; To be convicted of a crime, a person must: -Commit a guilty act (actus reus). -Have the guilty mind (mens rea) during commission of the guilty act. * State of Mind. -Required intent (or mental state) is indicated in the applicable statute or law. -Criminal Negligence or Recklessness (unjustified, substantial and foreseeable risk that results in harm). ......

Words: 953 - Pages: 4

Vishing

...Your credit union is committed to protecting your personal information and your financial accounts. A part of that commitment is to provide timely information on the many scams and fraud schemes that criminals use in an attempt to steal your money or your identity. Having that knowledge will help each member avoid being a victim of fraud. VISHING ... A NEW IDENTITY THEFT THREAT Presented by the National Association of Federal Credit Unions, an independent trade association representing federally chartered credit unions nationwide. © 2008 National Association of Federal Credit Unions. SF78-807 VISHING: A RISING FORM OF IDENTITY THEFT Identity thieves often use fake Web sites and e-mails that appear so realistic they have tricked many people into providing their private financial information. But many identity thieves are also using a computer technology called Voice over Internet Protocol (VoIP) that enables them to make anonymous calls to your phone for a crime called “vishing.” For example, you may get a call from an identity thief saying that your credit card has been used illegally. You’re asked to dial a fake toll-free number in order to “confirm” your account details and credit card number. Once you provide this information to the thief, it is used to run up charges on your account and leave you with a financial mess to clean up. Your credit rating may also be affected. • If you receive a phone call asking you to “confirm,” “update” or “verify” credit......

Words: 500 - Pages: 2

Cis 500

...CIS 500 Weeks 6, 7, 8, 9, 11 Discussion Questions Week 6 * Mobile banking features have added several advantages for customers; however, there are security risks that come with them. Determine the security risks with respect to phishing, smishing, vishing, cloning, and a lost or stolen smartphone that have been experienced by the financial services industry as a result of mobile banking. Phishing – Is when malware is downloaded on to a device and it attempts to obtain personal information. It lies in wait and gathers information from apps such as a mobile banking app to gain your login and password. If your bank does not have proper security in place this can lead to your account getting hacked and loss of money. Smishing – This is where fraudulent communication occurs in the form of a text message in order to obtain personal information. Vishing – This is similar to smishing, but instead of getting information through text it is obtained through phone calls or voicemails. Cloning – The transfer of information from one device to another device including the electronic serial number. When a smartphone is lost or stolen this can lead to a compromise to a person’s personal information since it may be on the phone. I bank with Bank of America and use the mobile app to manage my account, transfer funds, pay bills, deposit checks and so on. The app does not store the password but it does store the user login. You are unable to just log in to it from a new device or location without......

Words: 2846 - Pages: 12

Antiphishing

...Completeness of Antiphishing Controls
5.5. Defensibility against Current Attacks
5.5.1. Dragnet Phishing
5.5.2. Rental Time Man in the Middle Phishing Attacks
5.5.3. Malware Based Phishing
5.6. Antiphishing Responsibility & Liability
5.7. The CANTINA Algorithm
5.8. Key Issues of this Chapter
Chapter 6 - Future Attack Vectors
6.1. Attack Vectors Analysis
6.1.1. The Lure
6.1.1.1. Spear Phishing
6.1.1.2. Vishing
6.1.1.3. Exploiting Other Communication Channels
6.1.2. The Hook
6.1.2.1. Semantic Attack
6.1.2.2. Man in the Browser Attack
6.2. Problems with Two Factor Authentication
6.3. Vulnerability of Two Channel Scheme
6.4. Man in the Browser Attack
6.5. Browser Helper Object
6.6. Man in the Mail Client Attack
6.7. Key Issues in the Chapter
Chapter 7 – An Enhanced......

Words: 15039 - Pages: 61

Acc 564 Wk 5 Quiz 2

...com/product/acc-564-wk-5-quiz-2/ Contact us at: help@coursehomework.com ACC 564 WK 5 QUIZ 2 1) Wally Hewitt maintains an online brokerage account. In early March, Wally received an email from the firm that explained that there had been a computer error and that provided a phone number so that Wally could verify his customer information. When he called, a recording asked that he enter the code from the email, his account number, and his social security number. After he did so, he was told that he would be connected with a customer service representative, but the connection was terminated. He contacted the brokerage company and was informed that they had not sent the email. Wally was a victim of A) Bluesnarfing. B) splogging. C) vishing. D) typosquatting. 2) When a computer criminal gains access to a system by searching records or the trash of the target company, this is referred to as A) data diddling. B) dumpster diving. C) eavesdropping. D) piggybacking. 3) Jerry Schneider was able to amass operating manuals and enough technical data to steal $1 million of electronic equipment by A) scavenging. B) skimming. C) Internet auction fraud. D) cyber extortion. 4) A part of a program that remains idle until some date or event occurs and then is activated to cause havoc in the system is a A) trap door. B) data diddle. C) logic bomb. D) virus. 5) The unauthorized copying of company data is known as A) data leakage. B) eavesdropping. C) masquerading. D)......

Words: 1600 - Pages: 7

Acc 564 Wk 5 Quiz 2

...com/product/acc-564-wk-5-quiz-2/ Contact us at: SUPPORT@ACTIVITYMODE.COM ACC 564 WK 5 QUIZ 2 1) Wally Hewitt maintains an online brokerage account. In early March, Wally received an email from the firm that explained that there had been a computer error and that provided a phone number so that Wally could verify his customer information. When he called, a recording asked that he enter the code from the email, his account number, and his social security number. After he did so, he was told that he would be connected with a customer service representative, but the connection was terminated. He contacted the brokerage company and was informed that they had not sent the email. Wally was a victim of A) Bluesnarfing. B) splogging. C) vishing. D) typosquatting. 2) When a computer criminal gains access to a system by searching records or the trash of the target company, this is referred to as A) data diddling. B) dumpster diving. C) eavesdropping. D) piggybacking. 3) Jerry Schneider was able to amass operating manuals and enough technical data to steal $1 million of electronic equipment by A) scavenging. B) skimming. C) Internet auction fraud. D) cyber extortion. 4) A part of a program that remains idle until some date or event occurs and then is activated to cause havoc in the system is a A) trap door. B) data diddle. C) logic bomb. D) virus. 5) The unauthorized copying of company data is known as A) data leakage. B) eavesdropping. C) masquerading. D)......

Words: 1599 - Pages: 7

Acc 564 Week 5 Quiz 2

...http://mindsblow.us/question_des/ACC564WEEK5QUIZ2/524 contact us at: help@mindblows.us ACC 564 WEEK 5 QUIZ 2 1) Wally Hewitt maintains an online brokerage account. In early March, Wally received an email from the firm that explained that there had been a computer error and that provided a phone number so that Wally could verify his customer information. When he called, a recording asked that he enter the code from the email, his account number, and his social security number. After he did so, he was told that he would be connected with a customer service representative, but the connection was terminated. He contacted the brokerage company and was informed that they had not sent the email. Wally was a victim of A) Bluesnarfing. B) splogging. C) vishing. D) typosquatting. 2) When a computer criminal gains access to a system by searching records or the trash of the target company, this is referred to as A) data diddling. B) dumpster diving. C) eavesdropping. D) piggybacking. 3) Jerry Schneider was able to amass operating manuals and enough technical data to steal $1 million of electronic equipment by A) scavenging. B) skimming. C) Internet auction fraud. D) cyber extortion. 4) A part of a program that remains idle until some date or event occurs and then is activated to cause havoc in the system is a A) trap door. B) data diddle. C) logic bomb. D) virus. 5) The unauthorized copying of company data is known as A) data leakage. B) eavesdropping. C)......

Words: 1569 - Pages: 7
