Voice Phishing Hits PayPal
Chai Vanilla writes "The latest social engineering phishing attack is now using phones instead of fake web sites. Identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information. Unlike normal phishing e-mails, there is no URL or response address. Instead, the e-mail urges the recipient to call a phone number and verify account details."
Haha! Welcome to the world of Phreaking... You might not know it but the telephone network is as easily hackable, vulnerable and exploitable as the Internet is today. Good luck tracing the bad guy who impersonated your credit card company you supposedly called on 1-800-XXX-YYYY, when he might have penetrated voicemail systems, set up temporary forwarding, hacked telephone switches, etc...
805 is Bakersfield, California, USA. You're charged whatever your long distance carrier feels like. If you go to the FBI website, you'll find that there's a link to file an Internet crime complaint. The link is here: http://www.ic3.gov/
What I find funny about this is that they're spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact PayPal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).
i am a soviet space shuttle
1-8xy are toll free numbers only if x==y, otherwise they're usually some area code.
http://www.cs.ucsd.edu/users/bsy/area.html
This goes back to decades before the Internet.
[ring, ring] Hello? "Hello, is this $TRUSTINGSENIORCITIZEN? I have wonderful news! Congratulations, you have just won a diamond ring in our marketing lottery! There are some shipping and insurance fees, so if you'll just give me your credit card number..."
Law enforcement and consumer groups said over and over not to give out sensitive information unless you placed the call yourself, which is really the same advice as "don't click on the link" if you think about it.
err.. 1980s called? Analog phone networks are history in most places today. In order to hack the digital circuit switched phone networks used today, you'd need little more than a whistle and a tape recorder. Digital networks use a physically separated medium for call control and signalling, and you won't get access to that medium without a crowbar and a selected location to crack at. And those locations are usually monitored 24/7.
There are no atheists when recovering from tape backup.
Digital networks use a physically separated medium for call control and signalling, and you won't get access to that medium without a crowbar and a selected location to crack at. And those locations are usually monitored 24/7.
The SS7 network is certainly not built with security in mind - once you've gained access to a system connected to the SS7 net you've got pretty free rein. Pretty much any large VoIP gateway will have an SS7 connection on one side and an internet connection on the other so crack one of them and you're sorted. Not to mention all the SIGTRAN enabled equipment that some moron has decided to plug into an unfirewalled internet connection.
That said, I suspect the worst you'd be able to do is spoof a few calls, send a few SMS messages and add a few records to the billing systems.
Besides, there are much easier ways of getting an anonymous DDI - just use one of the many PSTN->SIP gateways.
http://blog.nexusuk.org
I don't believe that 805 is a toll-free number. IIRC, inbound WATS lines are 800, 888, 877, and 866.
From 411.com reverse lookup:
(805) 214-4801 is a land line based in Newbury Park, CA
The registered service provider is Pacific Bell**.
Detailed listing information is not available.
**Due to number portability, some numbers have been transferred to a new service provider
Concealed Handgun License Courses in Plano, Texas
You think the phone company would just tell you who a line belonged to if you called them up?
Nope. Even if the other party is calling you and harassing you repeatedly you would have to file a police report and get the information subpoenaed. The telco doesn't want to be named in any lawsuit if someone goes vigilante after getting the info.
You can use reverse directories online and such, but that assumes the number is publicly listed.
and yes, I DO work for a phone carrier.
805 is a hell of a lot more than Bakersfield. It's most of the Central Coast.
I got one yesterday I must say it sounded really compelling. I checked the headers and my initial newbie glance was that none of the URLs were immediately noticeable as faked. Upon second glance I could see some warning messages about mismatching IP addresses.
Regardless of the technicalities, because it didn't have the usual telltale signs it really made me wonder. I then checked into my account the usual way, noticed nothing was wrong and then forwarded the email to spoof@paypal.com, receiving a reply this morning that it was indeed a phishing attempt.
The thing is, on this site we always talk about how clueless people are, and I have participated myself on occasion. But after talking with my wife and in-laws yesterday I realize how *easy* it is to dupe 95% of the computer using population using these tactics. These are people that are educated, smart and generally not clueless in life... but when it comes to computers they are. I had to explain to my sister-in-law why my brother-in-law was receiving Cialis/Viagra emails shortly after posting their clean (well, it was) email address on petfinder.com. My point is, it may seem like there is a low percentage of willing responders to a phone phishing attempt, but I can say from my observation that this new technique should be more successful than ever!
I just wonder, isn't it really easy to trace phone numbers?
This post brought to you by your friendly neighborhood MBA.
I got one of these. Here is a copy of it:
PayPal
Account Verification
Dear $email_addres
You have received this email because we have strong reason to belive that your
PayPal account had been recently compromised. In order to prevent any fraudulent
activity from occurring we are required to open an investigation into this matter.
If your Credit/Debit Card on file is not updated within the next 48 hours, then will
assume this account is fraudulent and will be suspended. We apologise for this
inconvenience, but the purpose of this verification is to ensure that your PayPal
account has not fraudulently used and to combat fraud attempts.
To speed up the process, you are required to call us ($phone_number) to verify your
PayPal account.
We apologise in advance for any inconvenience this may cause you and we would like
to thank you for cooperation as we review this matter.
Regards,
PayPal Account Verification.
Copyright (c) 1999-2006 PayPal. All rights reserved.
--
Please do not reply to this e-mail. Mail sent to this address cannot be answered.
Ascii artist &
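The thread makes two practical points a mail filter can act on: the lure above carries no URL and instead pushes the reader to dial a number under a deadline, and (as noted earlier in the thread) a 1-8xy number is toll-free only when x == y, so 805 is a geographic area code rather than a toll-free line. The following is an added example, not code from the original thread or from PayPal: a small heuristic scorer in Python that pulls phone numbers out of a message, applies the thread's toll-free rule of thumb, and flags the "call us, no link, account suspended in 48 hours" pattern. The sample messages and the phone number in them are constructed for the example (555-01xx numbers are reserved for fiction); the scoring weights and the brand list are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the vishing e-mail quoted in the thread.
# The call-back number is a fictional placeholder, not a real lure number.
SAMPLE_VISHING = """Subject: PayPal Account Verification

Dear customer,
You have received this email because we have strong reason to believe that your
PayPal account had been recently compromised. If your Credit/Debit Card on file
is not updated within the next 48 hours, this account will be suspended.
To speed up the process, you are required to call us (1-805-555-0199) to verify
your PayPal account.
"""

# Constructed benign message for comparison: has a link, no phone lure.
SAMPLE_BENIGN = """Subject: Your receipt

Thanks for your order. You can view it at https://example.com/orders/123
Questions? Reply to this e-mail.
"""

# North American numbers in common written forms: 805-555-0199, (805) 555-0199, 1.805.555.0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Pressure language: a deadline in hours, suspension threats, "immediately"
URGENCY_RE = re.compile(r"\b\d+\s*hours?\b|\bsuspend|\bimmediately\b", re.IGNORECASE)
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.IGNORECASE)
# Assumed brand list; a real filter would use the brands the organisation cares about
BRANDS = ("paypal", "ebay", "bank")


def is_toll_free(area_code: str) -> bool:
    """Thread's rule of thumb: 1-8xy is toll-free only when x == y (800, 888, 877, 866 ...)."""
    return len(area_code) == 3 and area_code[0] == "8" and area_code[1] == area_code[2]


def extract_phone_numbers(text: str) -> list:
    """Return normalised NPA-NXX-XXXX strings found in the text."""
    return [f"{npa}-{nxx}-{line}" for npa, nxx, line in PHONE_RE.findall(text)]


@dataclass
class Verdict:
    score: int            # number of vishing indicators that fired
    reasons: list         # human-readable explanation for each indicator
    phone_numbers: list   # call-back numbers found in the message


def score_vishing(text: str) -> Verdict:
    """Count call-back lure indicators; higher score means more suspicious."""
    reasons = []
    phones = extract_phone_numbers(text)
    urls = URL_RE.findall(text)
    lower = text.lower()

    if phones and not urls:
        reasons.append("phone number present but no URL: call-back lure, not a link lure")
    if phones and CALL_RE.search(text):
        reasons.append("message asks the reader to call a number")
    if any(brand in lower for brand in BRANDS):
        reasons.append("impersonated brand name present")
    if URGENCY_RE.search(text):
        reasons.append("deadline or suspension pressure")
    for number in phones:
        if not is_toll_free(number[:3]):
            reasons.append(f"{number} uses geographic area code {number[:3]}, not a 1-8xx toll-free line")

    return Verdict(score=len(reasons), reasons=reasons, phone_numbers=phones)


if __name__ == "__main__":
    for label, sample in (("vishing", SAMPLE_VISHING), ("benign", SAMPLE_BENIGN)):
        verdict = score_vishing(sample)
        print(f"{label}: score={verdict.score} numbers={verdict.phone_numbers}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The scorer is deliberately transparent: each indicator is reported as a reason so an analyst can see why a message was flagged, and the toll-free check is informational rather than a verdict on its own, since a geographic call-back number is only suspicious in combination with the brand impersonation and the deadline.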