ABSTRACT
The Internet has made large amounts of information available to the average computer user at home, in business and in education. For many people, having access to this information is no longer just an advantage, it is essential. Yet, connecting a private network to the Internet can expose critical or confidential data to malicious attack from anywhere in the world. This paper is intended to discuss an emerging threat vector which combines social engineering and technology. Utilizing Voice over Internet Protocol (VoIP) convenience combined with electronic mail phishing techniques, Vishing has the potential to be a highly successful threat vector. Vishing victims face identity theft and/or financial fraud. An increased awareness about these attacks will provide an effective means for overcoming the security issues.

INDEX
1. Introduction 1
2. What is Vishing? 1
3. How Vishing works? 2
4. The Problem of Trust 4
5. Vishing Characteristics 5 5.1. Type of data prone to attack 5 5.2. Data usage by the attacker 6
6. Other Attacks 6 6.1. Dumpster diving 6 6.2. Card Owner Validation 7 6.3. Handset Blackmail 7 6.4. Exploit payloads 7
7. Overcoming Vishing 7
8. Conclusion 8
References 9

1. Introduction:
Many of today’s widespread threats rely heavily on social engineering techniques, which are used to manipulate people into performing actions or divulging confidential information to leverage and exploit technology weaknesses. Phishing is the most commonly exploited threat currently plaguing the Internet and its users. At one point, phishing referred exclusively to the use of e-mail to deliver messages whose purpose was to persuade recipients to visit a fake website designed to steal authentication details. Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used, each with its own nuances and target audiences. The following threats are all subcategories of the phishing threat:
 Pharming is the manipulation of Domain Name Server (DNS) records to redirect victims.
 Spear phishing consists of highly targeted attacks.
 Smishing uses Short Message Service (SMS) on mobile phones.
 Vishing leverages Internet Protocol (IP)–based voice calling.
This paper specifically examines Vishing and provides an analysis of current and future vectors for this particular attack.

2. What is Vishing? Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone. Vishing is a convincing trick that uses scare tactics to pressure targets into giving up personal information. Identity thieves are eager to use personal information to open accounts, run up debt and ruin the victim’s credit. Thieves might pretend to be from legitimate financial institutions, companies, or government agencies. They seek confidential information such as financial account and credit card numbers, Social Security Numbers, passwords and personal identification numbers.
3. How Vishing Works?
A vishing attack can be initiated using a variety of methods, each of which lends itself to a particular audience and exploit vector. The most common method for delivering the initial socially engineered messages is through an Internet e-mail. The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur". The e-mails are almost identical to the classic phishing attacks that instruct the message recipient to click on an embedded URL that takes the victim to a fake Web site to steal authentication credentials. However, in this case, the victim dials the number, and an automated voice prompts the caller to provide authentication information. For example, the potential victim receives an e-mail like the following:

Fig 3.1: The fake e-mail received.

Dear customer,
We’ve noticed that there have been three unsuccessful attempts to access your account at [name of local bank]. To secure your accounts and protect your private information, [name of local bank] has locked your account. We are committed to making sure that your online transactions are secure. Please call us at [phone number with local area code] to verify your account and your identity. Sincerely,
[Name of local bank]
Online customer service

The socially engineered victim then dials the number. He may hear something such as this:

“Thank you for calling [name of local bank]. Your business is important to us. To help you reach the correct representative and answer your query fully, please press the appropriate number on your handset.”

The victim is then presented with the certain options. Regardless of what the caller presses, the automated system prompts him to authenticate himself. He may hear something like:

“The security of each customer is important to us. To proceed further, we require that you authenticate your identity before proceeding. So, please type your bank account number, followed by the pound key.”

The caller enters his bank account number and hears the next prompt:

“Thank you. Now please type your Social Security number, followed by the pound key.”

The caller enters his Social Security number and again receives a prompt from the automated system:

“Thank you. Now please type your PIN, followed by the pound key.”
The caller enters his PIN and hears one last prompt from the system:

“Thank you. We will now transfer you to the appropriate representative.”

At this stage, the phone call is dropped, and the victim thinks there was something wrong with the service. Alternatively, the vishing attack may redirect the victim to the real customer service line, and the victim is never aware that his authentication was appropriated by the visher.

4. The problem of trust:
Vishing mimics the legitimate ways people interact with their financial institutions, so victims are more likely to respond without hesitation. People trust phone transactions more than they trust the Internet, because the traceability and cost of landline or cellular phone service make mass phone fraud impractical. But VoIP service has rendered that security blanket inoperative. The reasons for increasing vishing attacks include:

 Vishing is very hard for legal authorities to monitor or trace.
 Internet-based phone companies make it easy to obtain an anonymous account and to handle large call volumes at little cost.
 Inexpensive software lets thieves create an interactive voice response system that sounds exactly like the one your bank uses-even matching the on-hold music.
 Traditional anti phishing tools cannot easily detect a phony telephone number within email text, so protection against vishing is up to the user.
 The ability to reach any phone number from any location in the world.
 The minimal cost to make or receive calls.
 The ability to mask or impersonate caller ID information.
 The ease of automating calling tasks (e.g., war dialing).
 The capability to use proxies to route traffic internationally, thereby obfuscating the true source of the attacks.

5. Vishing Characteristics: Cardholders receive computer-generated calls claiming to be from their financial institution. The calls claim their accounts have been frozen and then direct the cardholder to call a toll-free number to leave their debit card information in order to reactivate any cards. (Most communications include something that will concern or excite the victim.) The toll-free number includes a recorded message that asks the customer to key their account number, card expiration date, and PIN. The following are some of the characteristics of a Vishing attack:
 The call or a mail is said to be from a bank and it asks to reveal some sensitive information. This is something to be thought upon. A bank never calls asking for such information. The only reason the bank will call is for marketing purpose. They call eventually to inform about their special offers or something like that.
 Most of the calls start with a message telling that this is a secure call and it will be recorded once you start “the verification process”. They do this to scare people who receive the call and see to it that the users do not become suspicious and call the authorities.
 The user’s name will never be mentioned in the call or mail because they don’t know the names of users. If it was a genuine mail, then the name will be known for sure.
 The type of information requested may appear trivial to the user in some cases, but generally vishers can get their job done with the even such data. Some attackers do not ask for the CVV’s of credit card numbers and some others request for only 6 digits of the credit card number. This can be when they can get their purpose satisfied with that information itself.
5.1. Type of data prone to attack: Although there are multiple vectors for the visher to conduct a vishing attack, it is important to understand the types of data that are most easily gained by the attacker leveraging IP telephony services. Typically, numeric information is more easily submitted by the victim when responding to a vishing attack using a mobile handset.
The most valuable information to the visher is likely to be:
 Credit card details (including expiration data and card security codes).
 Account numbers and their corresponding personal identification numbers (PINs).
 Birthdays.
 Social Security numbers.
 Customer loyalty card numbers.
 Passport numbers.
5.2. Data usage by the attacker:
The most profitable uses of the information gained through a vishing attack include:
 Controlling the victims’ financial accounts.
 Purchasing luxury goods and services.
 Identity theft.
 Making applications for loans and credit cards.
 Transferring funds, stocks and securities.
 Hiding criminal activities, such as money laundering.
 Obtaining personal travel documents.
 Receiving government benefits.
6. Other attacks:
Vishing will inevitably advance beyond the current range of attack vectors that constitute components of a sophisticated and targeted attack. The following are some of the attacks which amount to great loss of information:

6.1. Dumpster diving:
The attacker regularly trawls through the trash of local retailers and will often find receipt rolls and voided transaction notes. These receipts already hold a wealth of information, for example, cardholders’ names, full or partial credit card numbers, transaction dates, items purchased, costs, etc., all of which can be easily leveraged in a highly personalized phishing attack.

6.2. Card-owner validation:
Consumers are frequently asked to validate their presence during a high-value purchase at the checkout. Usually the cash register operator is told to dial a bank number to get a transaction authorization number, but first the bank must speak with the cardholder and verify that he is, in fact, the account owner. It would be a relatively easy task for organized attackers to insert or impersonate this validation process, especially in collusion with the register operator. This would enable them to obtain additional personal information about their victims, for example, birth dates, Social Security numbers, etc.

6.3. Handset blackmail:
The visher may persuade victims to receive or install a software update to their phones. The phone is then locked and only able to receive or call numbers owned by the visher. To unlock the phone, the victim must call a specific primary rate number.

6.4. Exploit payloads:
The visher causes the phone to automatically prefix all calls with a primary rate routing number, either transparently generating revenue for the visher with each call by the victim, or automatically intercepting, recording and transcribing the victim’s phone calls to automatically identify confidential information.

7. Overcoming Vishing: Vishing is difficult for authorities to trace, particularly when conducted using VoIP. Furthermore, like many legitimate customer services, vishing scams are often outsourced to other countries, which may render sovereign law enforcement powerless. Consumers can protect themselves by suspecting any unsolicited message that suggests they are targets of illegal activity, no matter what the medium or apparent source. Rather than calling a number given in any unsolicited message, a consumer should directly call the institution named, using a number that is known to be valid, to verify all recent activity and to ensure that the account information has not been tampered with. Some security mechanisms that should be followed to overcome these attacks are:
 Personal information should never be revealed to the unsolicited mails or calls received. Financial institutions don’t request identifying information over the telephone, as they already have that information on file. The bank or credit card company is to be immediately reported about the incident.
 Never respond to an email or voice mail that asks you to go to a Web site or call a phone number to resolve an account problem. These are never legitimate.
 Get into the habit of asking for authentication. For example, ask the person at the other end of the line to verify a recent transaction you've made. A thief is not likely to have access to this type of information.
 Greet all phone calls and e-mails about your accounts with a great deal of skepticism.
 The authenticity of a call should not be trusted based on caller ID. Attackers can make it appear that the call is coming from a genuine financial institution.
 Private data should never be given out over a phone or online in response to an email or automated phone call.
 Don't ever believe ‘account updates’ or checking on this or that - no matter how official they may sound. The financial institution is to be contacted first.
8. Conclusions: Studies illustrate that even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate mail from an unsolicited one. Today, Vishing is an increasingly popular attack vector for phishers because of its ability to reach beyond the computer screen and target a broader range of potential victims and because it is a more effective platform for launching social engineering attacks. The historical trust that consumers have placed in telephony services, the assumption that the phone number calling the consumer can be traced back to a (local) billable address will be fully leveraged by phishers for maximum profit gain. The mechanisms discussed above are to be kept in mind and the security mechanisms should also be followed to overcome the threats imposed by vishers.

References: en.wikipedia.org/wiki/Vishing www.rcmp-grc.gc.ca/scams/vishing_e.html www.internetnews.com/security/article.php/3619086 www.iss.net/documents/whitepapers/IBM_ISS_vishing_guide.pdf news.cnet.com/8301-13554_3-9899849-33.html http://www.westchestergov.com/news_vishingscams.html
http://www.symantec.com/norton/clubsymantec/library/article.jsp?aid=cs_vishing