Voice Phishing Hits PayPal
Chai Vanilla writes "The latest social engineering phishing attack is now using phones instead of fake web sites. Identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information. Unlike normal phishing e-mails, there is no URL or response address. Instead, the e-mail urges the recipient to call a phone number and verify account details."
Isn't this more traceable than just clicking on some IP in Russia? If I got an email asking me to phone any company, I'd be first looking for a landline. If it was a scam why couldn't I just call the phone company, give them the number and then they'd be able to trace it to an address or person?
Wouldn't having a phone number to trace be more effective in catching them than a 'blind' and easily hidden web page?
---- Booth was a patriot ----
wasn't phone phishing one of the first methods used?
Quick! What's the number for the internet???
There are now plenty of companies (such as StanaPhone) that provide a free DID, all you need to do is register with them. Their business model is that they make money on outgoing calls, but most of them don't require payment until you actually decide to make such a call.
retrorocket.o not found, launch anyway?
I got that phishing mail yesterday, and called the number (1-805-214-4801) immediately. The system's recordings were chopped and barely intelligible, and I was prompted to enter "my 16 digit credit card number" (which was indeed verified to at least follow the basic rules of correctness or be rejected), and its expiry date, but nothing like a name or even the PayPal account data.
Where can one complain about such fraudulent 1-8xx numbers to get them shut down? Additionally, how much does calling a 1-805 cost in the US, and is any part of the cost passed to the operator?
I'm just waiting for phone calls telling me my p3ni$ is too small and I need to buy some v14gra...
The numbers these companies provide will cause calls to be sent via VoIP to a computer or analog telephone adapter anywhere in the world. In this case, the number could be in California but you might in the end be connecting to a machine running Asterisk in Russia.
There's a small degree of higher risk, but if you get a new disposable cell phone every three days and move around all day you'd be a hard mark to hit.
Too many people are now aware of the "don't click the link" aspect of phishing, but I'm sure there are still plenty of suckers that assume if they have your phone number you must be legit. I would not be surprised if they find a way to do this through US Mail in a way that hides their identity.
It would be interesting if one day, to get such an online account set up, they make you pass a short test, where they give you ten examples of people asking for your account information in various ways, and you have to answer "give them the information" or "report the incident to phishing.ebay.com". Anyone that answers "give them the information" on any of the questions doesn't get an account.
I wager that alone would eliminate 80% of successful phishes.
I work for the Department of Redundancy Department.
I haven't heard of any sting operations for hitting the phishers... Considering the anonymous and random nature of the phishing scams and ease with which you can attract a phishing email, you could send an email from a newly created email account back to the phisher without them realizing this wasn't one of the addresses they phished, and could arrange for a carefully monitored and traceable transaction to take place, to track down the phisher. ("follow the money" principle) Why don't we see more of this going on?
What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).
i am a soviet space shuttle
Paypal is just one of many. Do you really need the hassle if they're being targeted?
Perhaps losing customers might encourage companies to start signing official emails.
I got a weird email about two weeks ago.
I never did find out if Paypal has a 1-800 number & just ended up "reporting phishing" to be done with it.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
This goes back to decades before the Internet.
[ring, ring] "Hello?" "Hello, is this $TRUSTINGSENIORCITIZEN? I have wonderful news! Congratulations, you have just won a diamond ring in our marketing lottery! There are some shipping and insurance fees, so if you'll just give me your credit card number..."
Law enforcement and consumer groups said over and over not to give out sensitive information unless you placed the call yourself, which is really the same advice as "don't click on the link" if you think about it.
How long before eBay (who own PayPal) start a rumour that Google Checkout is behind this?
It's 42, of course.
Lost: Sig, white with black letters. No collar. Reward if found!
Why exactly would *any* financial institution want to verify credit card information? They have the fucking information: it's their bread and butter. No financial institution would lose any customer data because it's the most valuable item they have.
Anybody who falls for "please verify your information" has no clue how financial institutions work. (Yeah, I know PayPal isn't a bank, but nevertheless... your credit card number is the most valuable thing they have.)
A compromise of the database would just mean that they lock your account. Next time you log in, you get an explanation and you have to re-enter your data.
That's pretty much fool-proof.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Homeland security is not about protecting citizens, it's about surveilling citizens.
Whilst of course they face greater risk of legal action, there's no fake URL in the e-mail to rumble.
Do you see what I did there?
It just used to be called Sex Hotlines. [See Punch Drunk Love]
Actually it is about protecting citizens.
If some American citizens associate with those who wish to harm other American citizens, or wish to harm other American citizens themselves, or supply funds to those who wish to harm American citizens, or speak on behalf of or in defense of those who wish to harm American citizens, then it is entirely possible (and perfectly legal and correct) that they'd come under surveillance.
As much as you may hate to admit it there are such people living among us today.
I live in Iowa. In the state of Iowa, to get a driver's license, you must pass driver's education.
I would dearly love to have a high-school level course in computer usage, which would be required for anyone to connect to the Internet. Not going to happen, I know...
Maybe just make it a part of the general education requirements?
Most people think I'm a snobbish bastard, like every other Linux user. Which is true, to some extent. But I do believe we have a right to call people stupid when they do things like fall for a PayPal scam, buy from spam, send important (highly confidential!) information over email, refuse to apply patches (or not know how), and so on, and so on.
I mean, we have Sex education, we have Driver's education, I don't think it's unreasonable that we know the computer equivalent of wearing a condom, stopping at red lights, buckling your seatbelt... I don't like driving much, I avoid it, but when I have to drive, I consider it my responsibility to know enough to not be a danger to myself and others, and to not get tickets (which cost money and are a hassle, rough equivalent of getting scammed even if you're not held liable)...
This is the argument I use to explain to my mother why we are so snobbish. She gives the example of my uncle, a chemistry prof at MIT -- even his own wife doesn't need to know what he's doing. And I say, at least she knows what atoms are. At least she has a rough idea of what chemistry is, and what a chemical reaction is. Or take a car, at least you know to put gas in the thing, and you know it runs on an internal combustion engine. Take math, at least you know enough basic math to know whether you're getting ripped off; most people still remember a little algebra, even. These basic concepts do have equivalents in computer science.
I may not ever have the opportunity to use a wrench, or take a wrench to my car. But I know what a wrench is and what it does, and so do most people. Most people don't know what a compiler is, and are offended that they should have to know if they'll never use it.
Do you see the parallel?
This is not just about phishing, this is about life skills. It is as profoundly stupid to fall for a phishing attack as to fire a Roman Candle or a bottle rocket at your face. I'm no chemistry or pyrotechnics expert, but even I know it's a bad idea.
Oh, and the Chinese education system has us beat in so many ways it isn't funny -- they're learning their second foreign language in 7th grade. All we have left is creativity. If they ever find a way to teach creativity, we're through. If we want to preserve our ideals and our way of life, it's imperative that we improve our education system.
Don't thank God, thank a doctor!
I don't deny the fact that there are American citizens who wish to harm other American (and non-American) citizens. I'm just saying that the system has turned into a giant surveillance machine, not unlike the KGB was in the Soviet Union.
One guy up here was convicted for "hacking" into the local police squad's voicemail system.
Everyone's password was (and I'm not making this up, and it's NOT a Spaceballs reference) "1" "2" "3" "4" "5"
For months he listened into all sorts of messages for the detectives, including from informants, wives and girlfriends (nice to be able to blackmail a cop by threatening to tell his wife about his action on the side), etc.
You KNOW most systems have an easy password (or still have the default password).
Convicted, sentenced ... and caught doing it again - they hadn't changed the passwords a year later!!! Of course, once the story made the news, they HAD to change them (hint: if you remember the story and the police station, try "54321")
Just got mine in the email this morning.
(530) 204-6800 is a land line based in Davis, CA
The registered service provider is 01 Communications**.
Detailed listing information is not available.
Did you check the email headers, were they faked?
You now know that you've been had and that it was stupid. You are, judging from your ID, a fairly recent Slashdot user, but the mere fact that you are here probably means you have heard about phishing scams before, especially concerning PayPal, and that in general handing over your credit card number is a bad idea.
So why? Was it a very good scam, or are even warned people just plain stupid when on the line, and in the general bustle of a normal day you just didn't think it was going to happen to you?
I think the last case is the most frightening because it suggests there is nothing that can be done about this except to develop a 24/7 sense of paranoia. I remember growing up just having your wallet in your back pocket. Now it is standard routine to switch it to the front if I see an immigrant. Oh yes, very racist, but when you travelled for 2 years through a station (Amsterdam Lelylaan) which was constantly pickpocketed by muslims to the extent that now the station has all but one entrance/exit sealed off (and damn any chance of an emergency or that people now have to cross a busy street to reach the trams/parking lot) you either learn to keep an eye on people with a dark skin or are one of the other losers who are confused why they have one less piece of luggage.
Oh well, going offtopic again.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I got one yesterday I must say it sounded really compelling. I checked the headers and my initial newbie glance was that none of the URLs were immediately noticeable as faked. Upon second glance I could see some warning messages about mismatching IP addresses.
Regardless of the technicalities, because it didn't have the usual telltale signs it really made me wonder. I then checked into my account the usual way, noticed nothing was wrong and then forwarded the email to spoof@paypal.com, receiving a reply this morning that it was indeed a phishing attempt.
The thing is, on this site we always talk about how clueless people are, and I have participated myself on occasion. But after talking with my wife and in-laws yesterday I realize how *easy* it is to dupe 95% of the computer using population using these tactics. These are people that are educated, smart and generally not clueless in life... but when it comes to computers they are. I had to explain to my sister-in-law why my brother-in-law was receiving Cialis/Viagra emails shortly after posting their clean (well, it was) email address on petfinder.com. My point is, it may seem like there is a low percentage of willing responders to a phone phishing attempt, but I can say from my observation that this new technique should be more successful than ever!
I just wonder isn't it really easy to trace phone numbers?
This post brought to you by your friendly neighborhood MBA.
I just have a couple of questions.
Why is Phishing so successful?
What is so hard about actually contacting the company yourself?
Suggestion:
Record IP addresses or domains of phishing sites and add them to HOSTS. Along with addresses used in trojans and worms. Also add them to Routers.
Quick. Someone write a program that automatically updates HOSTS file and charge $19.95/year or $4.95/month for the peace of mind that you won't be caught up in phishing attempts or viruses.
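As an added illustration of the HOSTS-file suggestion above (example code, not from the post or any product), the script below merges a blocklist into hosts-file text inside a marked, managed section, so re-running it with an updated list replaces the old entries instead of appending duplicates. The hosts file content, the blocklist and the marker comments are all constructed; the hostnames use the reserved .invalid suffix and are not real phishing sites. On Unix the real file is /etc/hosts and on Windows it is %SystemRoot%\System32\drivers\etc\hosts; writing either needs administrator rights.

```python
import re

# Constructed sample hosts file (not from the page).
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"

# Constructed sample blocklist; reserved-TLD placeholders, not real phishing
# hosts. Note the case-only duplicate and the malformed entry.
SAMPLE_BLOCKLIST = [
    "paypal-verify.example.invalid",
    "PAYPAL-VERIFY.example.invalid",
    "account-update.example.invalid",
    "not a hostname",
]

BEGIN_MARK = "# BEGIN phishing-blocklist"   # hypothetical marker comments
END_MARK = "# END phishing-blocklist"
SINK = "0.0.0.0"  # unroutable sink; avoids hitting a local web server on 127.0.0.1

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$"
)


def normalize_domains(domains):
    """Lower-case, strip trailing dots, drop malformed names and duplicates."""
    seen, out = set(), []
    for name in domains:
        name = name.strip().lower().rstrip(".")
        if _HOSTNAME_RE.match(name) and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def merge_blocklist(hosts_text, domains):
    """Return hosts_text with exactly one managed section listing the blocked names.

    Any previous managed section is removed first, so a new list never leaves
    stale entries behind and running the merge twice is a no-op.
    """
    lines = hosts_text.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        begin, end = lines.index(BEGIN_MARK), lines.index(END_MARK)
        lines = lines[:begin] + lines[end + 1:]
    while lines and not lines[-1].strip():
        lines.pop()
    section = [BEGIN_MARK] + [f"{SINK} {d}" for d in normalize_domains(domains)] + [END_MARK]
    return "\n".join(lines + [""] + section) + "\n"


def blocked_hosts(hosts_text):
    """Set of hostnames the managed section currently sinks."""
    names, inside = set(), False
    for line in hosts_text.splitlines():
        if line == BEGIN_MARK:
            inside = True
        elif line == END_MARK:
            inside = False
        elif inside:
            parts = line.split()
            if len(parts) >= 2 and parts[0] == SINK:
                names.add(parts[1])
    return names


if __name__ == "__main__":
    print(merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST))
```

Two caveats worth keeping in mind: a hosts entry only helps against phishing that still involves a hostname, so it does nothing against the phone-number variant this article is about, and a hosts file grows unwieldy at a few thousand entries, which is why larger deployments push the same list to a resolver or router instead.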
Wait, it asks you to call a long distance number? Any self-respecting company nowadays has an 800 number for you to call. PayPal HAS an 800 number printed on their webpage somewhere, I don't understand how people can actually fall for this. Anyone with half a brain would go "A long distance number? What kind of BS is this?"
Even in today's day-and-age of Free Long Distance service via VOIP and Wireless carriers, 800 numbers are still quite popular, even small businesses that do business over the internet have them.
I thought Slashdotters would know about VoIP!
The other day I got an automated call from a credit card company asking me to call an 800 number to review account details. When I called I was in the voice-mail system that sounded like the company but without any explanation of what I was to do. When I finally managed to get to an operator she wouldn't discuss the matter with me without the last four digits of my social security number, and I wouldn't give her those. So there we were, she didn't know who I was and I didn't know who she was. I got through two levels of supervisor and still never found out what the call was about.
Ok..... It is definitely wrong and illegal to do what these phishing sites are doing, but the victims of these schemes have only themselves to blame. ANYONE who calls a number, or discloses it AT ALL, and enters their bank/credit/debit/social security information is just plain stupid, and clearly guilty of LWCS.
LWCS, or Living Without Common Sense, is very similar to Driving Under the Influence (D.U.I.), lighting yourself on fire, or parking your car in some parts of the Bronx..... you just don't do it (thank you Lord Of War for that wonderful phrase!).
The reason these scams work is because of 1) Scammers like Phishers, and 2) People who are too stupid to NOT DISCLOSE a 9-digit Social Security Number and blame everybody else when their identity is stolen.
Instead of getting pissed because someone stole your identity, maybe you should be thankful that you got to learn what some of us were lucky enough to be born with.....COMMON SENSE. Common sense is simple, effective, and a virtually foolproof way to defeat social engineering.
-----
Anyone who uses the phrase "Think of the children!" ought to have the snot beaten out of them.
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Why? Do the spammers expect more people to fall for it now?
"YOU ARE A VIAGvRA STOCK WINNER FOR YOUR MIRACLE WEIGHT L0SS GIRL TO BE HAPPY"
"Ha, as if I would fall for that."
"Please call Vicky at this number to claim your prize. spendtrift oleaginous potvaliant"
"Oh, it's a PHONE NUMBER!! This changes everything, weight loss here I come!"
?
Frog blast the vent core.
They are just cutting costs -- I mean, do you know how much it costs to set up and maintain an illegal webpage these days!? It's highway robbery! Not to mention how it keeps getting shut down, it's really a big hassle.
Mike
I heart the RIAA & MPAA, I'm sure it's mutual...
I got one of these. Here is a copy of it:
PayPal
Account Verification
Dear $email_addres
You have received this email because we have strong reason to belive that your
PayPal account had been recently compromised. In order to prevent any fraudulent
activity from occurring we are required to open an investigation into this matter.
If your Credit/Debit Card on file is not updated within the next 48 hours, then will
assume this account is fraudulent and will be suspended. We apologise for this
inconvenience, but the purpose of this verification is to ensure that your PayPal
account has not fraudulently used and to combat fraud attempts.
To speed up the process, you are required to call us ($phone_number) to verify your
PayPal account.
We apologise in advance for any inconvenience this may cause you and we would like
to thank you for cooperation as we review this matter.
Regards,
PayPal Account Verification.
Copyright (c) 1999-2006 PayPal. All rights reserved.
--
Please do not reply to this e-mail. Mail sent to this address cannot be answered.
Ascii artist &
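The message quoted above is a good specimen for the traits that distinguish this wave from ordinary phishing: a phone number and no link, a 48-hour deadline, a threat of suspension, a "verify your account" request, and an unrendered merge field ("Dear $email_addres"). The scanner below, an added example rather than anything from the post or from PayPal, turns those traits into simple indicator rules and runs them over the quoted body. The $phone_number field has been replaced with a constructed 555 number (a reserved fictional range), and the benign message is constructed for contrast.

```python
import re

# The body quoted in the post above, with the unexpanded $phone_number merge
# field replaced by a constructed 555 number (not a number from the page).
SAMPLE_VISHING = """Dear $email_addres
You have received this email because we have strong reason to belive that your
PayPal account had been recently compromised. In order to prevent any fraudulent
activity from occurring we are required to open an investigation into this matter.
If your Credit/Debit Card on file is not updated within the next 48 hours, then will
assume this account is fraudulent and will be suspended. We apologise for this
inconvenience, but the purpose of this verification is to ensure that your PayPal
account has not fraudulently used and to combat fraud attempts.
To speed up the process, you are required to call us (1-800-555-0199) to verify your
PayPal account.
"""

# Constructed benign message for contrast.
SAMPLE_BENIGN = """Hi Alice,
Thanks for lunch. The meeting notes are at https://intranet.example/notes.
See you Friday.
"""

# Indicator name -> regex. Each one is a weak signal on its own; the verdict
# comes from how many independent ones fire together.
INDICATORS = {
    "phone_number": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "deadline": re.compile(r"\bwithin (?:the next )?\d+\s*(?:hours?|days?)\b", re.I),
    "account_threat": re.compile(r"\b(?:suspend(?:ed)?|locked|closed|terminated)\b", re.I),
    "asks_to_call": re.compile(r"\b(?:call|dial|phone)\s+(?:us|our|the|this)\b", re.I),
    "verify_request": re.compile(
        r"\b(?:verify|confirm|update)\b.{0,40}\b(?:account|card|details)\b", re.I | re.S
    ),
    "generic_greeting": re.compile(r"^\s*dear\s+(?:customer|user|member|valued|\$)", re.I | re.M),
    "unexpanded_placeholder": re.compile(r"\$[A-Za-z_]\w*"),  # e.g. "$email_addres"
}
URL_RE = re.compile(r"https?://|www\.", re.I)


def vishing_indicators(text):
    """Return the sorted list of indicator names that fire on the text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # The defining trait of the voice variant: a phone call-to-action with no link at all.
    if "phone_number" in hits and not URL_RE.search(text):
        hits.append("phone_without_url")
    return sorted(hits)


def is_likely_vishing(text, threshold=4):
    """Crude verdict: at least `threshold` independent indicators present."""
    return len(vishing_indicators(text)) >= threshold


if __name__ == "__main__":
    for label, body in (("quoted phish", SAMPLE_VISHING), ("benign", SAMPLE_BENIGN)):
        print(label, is_likely_vishing(body), vishing_indicators(body))
```

The threshold is deliberately conservative: a single phone number or a single "please confirm your details" is normal business mail, and the value of this kind of rule set is in routing high-scoring messages to a quarantine or a banner ("this message asks you to call a number; look the number up on the company's own site") rather than in blocking outright.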
If it's PayPal, eBay, or hell, any company that you "supposedly" get an e-mail from with a phone number to call: don't call it. Go to the company's OFFICIAL site (actually type in the URL, no links), get that phone number and call it if you're not sure. That way you know it's valid. Most customer service reps will completely understand about phishing so you shouldn't get made fun of, criticized, or anything. The few times I checked, the service reps were very understanding and simply said something along the lines of "thanks for alerting us, but there's nothing you need to do, your account is fine. Please go to our webpage and submit a phishing report." They were always very nice and polite. So don't hesitate to call and check, just don't use any links or phone numbers in the email.
And also, if you don't have an account with a bank, and that bank emails you requesting verification...yeahhhhhh...just delete it or report it and then delete it.
What's the matter, James? No glib remark? No pithy comeback?
I have already been getting emails like this, with a phone number instead of link. These were for "colleges" that were trying to recruit me. Hahaha, funny.
As for the pay pal ones, so far I have received two, both marked as spam by Gmail. I have reported them as phishing. They were identical except for the phone numbers.
The full email received is posted here.
The "pay pal" phone numbers 1-805-214-4801 and 1-530-204-6800
It seems to me like the spoofer is a ChoiceOne subscriber, or a poor drone sending out emails because of a trojan.
Then we may get email clients which automatically check the signatures and say yup, this is a real valid email. It's entirely possible, perfectly automatable and I think quite a reasonable expectation of email software.
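The check described above already exists in rough form at the mail-server layer: the receiving MX verifies the DKIM signature and records the result in an Authentication-Results header, and a client or filter can then insist that the signing domain matches the visible From domain (the alignment rule DMARC later standardised). The example below, added here and not from the post or any mail client, implements that alignment check with only the standard library. Both messages, the domains (reserved .example names) and the MX name mx.example.net are constructed.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample messages (not from the page). The signing domain in the
# first one is unrelated to the From domain, which is the pattern a lookalike
# sender produces even when its own DKIM signature is perfectly valid.
SPOOFED = """From: "PayPal" <service@paypal.example>
To: victim@example.net
Subject: Account Verification
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example.org; dkim=pass header.d=bulk.example.org

Please call us to verify your account.
"""

GENUINE = """From: "PayPal" <service@paypal.example>
To: victim@example.net
Subject: Your receipt
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.example

Thanks for your payment.
"""

# Hypothetical name of our own receiving MX. Only results it stamped can be
# trusted; a sender can add its own Authentication-Results header, so the MX
# must strip foreign copies on ingest (RFC 7601 requires this).
TRUSTED_AUTHSERV_ID = "mx.example.net"


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def from_domain(msg):
    """Domain of the visible From address, lower-cased."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower()


def dkim_results(msg, authserv_id=TRUSTED_AUTHSERV_ID):
    """(result, signing_domain) pairs from Authentication-Results headers stamped by our MX."""
    out = []
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = str(hdr)
        if hdr.split(";", 1)[0].strip().lower() != authserv_id:
            continue  # not stamped by us: treat as untrusted
        for m in re.finditer(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", hdr, re.I):
            out.append((m.group(1).lower(), (m.group(2) or "").lower()))
    return out


def has_aligned_dkim_pass(msg):
    """True when some DKIM pass was signed by the From domain or a parent of it."""
    fd = from_domain(msg)
    return any(
        result == "pass" and d and (d == fd or fd.endswith("." + d))
        for result, d in dkim_results(msg)
    )


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, has_aligned_dkim_pass(parse(raw)))
```

The point of the alignment step is that "dkim=pass" alone only proves the message was signed by *someone*; it is the match between the signing domain and the domain the user sees that lets a client display the "yup, this is a real valid email" verdict the comment asks for. A mail client could render exactly that from this check without any cryptography of its own.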
The first time I encountered phishing was before it even had a name, and it was retardedly obvious, and not even a good attempt. After that, I was very hesitant with anything of that sort; then phishing became more widespread, got a name, etc., so I made a simple rule for myself. Never ever respond to or click on anything, or call any number given to me, that asks me for anything I wouldn't tell any stranger I met on the street. Ever. I have all the numbers and websites for all my financial information, and other companies I do business with. I will go to them directly if I ever have any question. This seems to 100% eliminate any kind of phishing ever, so why is this thing still an issue? Why is this not the general rule for every person? And why is phishing still a problem?
https://www.eff.org/https-everywhere
When did they stop calling this Social Engineering?
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
BTW - you still haven't named ONE good piece of Microsoft software.
And anyone who thinks coldfusion is hot shit really needs to buy a clue.
From your profile:
What are you trying for "Buzzword 2.0" compliance?
And I notice not a SINGLE PIECE of Microsoft software. Gee, guess you're being hypocritical saying that people shouldn't be to blame if they don't switch from Windows, while you have.
So, hypocrite, name me ONE good piece of Microsoft Software. Just ONE. One that the competition doesn't do better, or one that you can't get a "good-enough" free replacement for.
Just ... one ...
If true, that speeding tickets can produce profit for a system already funded by taxes does not prove that speeding tickets can even meet the expenses of a system without tax funding.
"Unless you've been living in a cave, you'd know..." Ah yes, the old "everyone knows" argument. "Everyone knows" the world is flat. "Everyone knows" the earth is in the center of the universe. Or, to quote a famous literary figure: "It is a truth universally acknowledged..."
I did not intend to suggest that there are not staff members assigned only to handling traffic issues, but rather that the law enforcement involved in regulating traffic issues extends beyond any specific percentage of police resources. Heck, if you count manufacturers of the computer systems and software makers, printers, etc. - it extends beyond police resources altogether! Thus, you cannot prove only a percentage of the force to be singularly responsible for speeding fines because the responsibilities involved overlap. My apologies for the misunderstanding - clearly this lame duck thinks too quickly for you!
That ActiveX has not been removed does not prove that Microsoft intentionally (as in, "with intent", as in "with the intent that malware take advantage of ActiveX") left Microsoft Windows open for malware.
In one of the trolling attacks you most recently posted to our happy little thread, you seemed to suggest that my knowing how to write ColdFusion scripts (CF is listed in my profile) could somehow imply I believe CF to be "hot": don't confuse capability with endorsement. Most of us are physically capable of murder, yet few people endorse murder. Not that I'm comparing CF to murder.
In another fluff statement, you challenged me to name a good Microsoft product. Excepting security issues, the general quality of Microsoft's software is not relevant to our debate. It is true that I have not named one good piece of Microsoft software throughout the course of our debate. However, it is also true that I have not named the Brazilian soccer team members in the 2006 World Cup. Neither of these would enhance our debate as both are irrelevant (that people can switch from Microsoft tools to TP tools does not excuse unfairly persecuting them for not doing so). Perhaps I will name a good Microsoft product if you can provide me with a good reason to name a good Microsoft product. At this stage in the debate, I probably will not.
In another attack, you suggested that I am a hypocrite for not using Microsoft products. As you admitted in the attack text, my reasoning has been that people should not be unfairly persecuted for using Microsoft products. Please, do not confuse arguing against unfair practices (such as fining victims and introducing legislation that would stifle OSS projects) as arguing that people should not use non-Microsoft products, or that people should be persecuted for using non-Microsoft products!
I am now unwilling to extend this debate any further. These are my reasons for halting this debate: