New Phishing Attack Uses Call-Forwarding Technique
A new phishing attack tricks victims into forwarding their telephone calls to the attacker so that the attacker can foil a bank's efforts to identify fraud, according to researchers at SecureWorks.
The Atlanta-based security vendor found the attack this week. The attacker sends a threatening e-mail telling recipients that their bank needs to verify their phone numbers. If the recipient fails to confirm the number, the account will be suspended. The recipient is told to confirm the number by dialing *72 and then another given number. This trick effectively forwards the recipient's calls to the phisher's telephone.
After this, the e-mail asks the victim to update his/her personal information, including bank account and Social Security numbers.
If the e-mail recipient falls into the trap, the scammer is able to intercept all incoming calls. The scammer can even inform victims over the phone that the verification of their account information is complete.
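A mail-filter heuristic for the lure described above, added here as an example and not taken from SecureWorks or the original article: it flags message text that tells the reader to dial *72 followed by a phone number, and raises the verdict when the same message also asks for account data. The keyword list, look-ahead window, verdict names and sample messages are assumptions made for illustration.

```python
import re

# Assumptions (not from the article): the keyword list, the 60-character
# look-ahead window and the verdict names are illustrative choices.
STAR72 = re.compile(r"\*\s?72")                      # forwarding code named in the article
PHONE = re.compile(r"\+?\(?\d[\d\s().-]{5,18}\d")    # loose phone-number shape
SENSITIVE = re.compile(
    r"social security|account number|bank account|card number|password", re.I)
WINDOW = 60  # characters after "*72" in which a forwarding target is expected


def analyze_email(body: str) -> dict:
    """Flag e-mail text that tells the reader to dial *72 plus a number."""
    targets = []
    for hit in STAR72.finditer(body):
        tail = body[hit.end():hit.end() + WINDOW]
        phone = PHONE.search(tail)
        if phone:
            digits = re.sub(r"\D", "", phone.group())
            if 7 <= len(digits) <= 15 and digits not in targets:
                targets.append(digits)
    asks_sensitive = bool(SENSITIVE.search(body))
    if targets and asks_sensitive:
        verdict = "high"      # forwarding instruction plus a request for account data
    elif targets:
        verdict = "medium"    # forwarding instruction alone
    else:
        verdict = "none"      # sensitive keywords alone do not trigger this rule
    return {"forward_targets": targets,
            "asks_sensitive_data": asks_sensitive,
            "verdict": verdict}


# Constructed sample messages (555-01xx numbers are reserved for fiction).
PHISH = ("Dear customer, your bank must verify your phone number or your "
         "account will be suspended. To confirm, dial *72 and then "
         "404-555-0142. Next, update your bank account and Social Security "
         "numbers on the form.")
BENIGN = ("Your statement is ready. Call us at 800-555-0199 with questions. "
          "We will never ask for your password by e-mail.")

if __name__ == "__main__":
    for name, text in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze_email(text))
```

The extracted forwarding target is worth logging alongside the verdict, since the same number may recur across messages from one campaign.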
This is the first time this type of scam has occurred, SecureWorks researcher Don Jackson said.
He explained that unlike previous phone-phishing scams, in this attack the phishers actually ask for call forwarding. The victimized bank in the case had said it would call customers personally to confirm their accounts. Some phishing forums challenged whether anyone could design a way to neutralize that, and this attack was the response. SCMagazine published this on April 27, 2007.
A customer who co-operates with the phisher gives him all the information needed to conduct fraudulent purchases, according to SecureWorks.
The phishing e-mail contained a security advisory and tips about usernames and passwords for maintaining additional security. These were meant to make the e-mail look authentic, like many real bank pages, said Jackson. In fact, the page used a template from the bank that the phisher targeted, Jackson added.
Past phishing schemes had asked users to call a phone number and submit their account information, but never to forward calls. In 2006, a phishing e-mail urged recipients to call a given number and key in a 16-digit card number.
» SPAMfighter News - 05-05-2007