Slashdot Mirror


Voice Phishing Hits PayPal

Chai Vanilla writes "The latest social engineering phishing attack is now using phones instead of fake web sites. Identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information. Unlike normal phishing e-mails, there is no URL or response address. Instead, the e-mail urges the recipient to call a phone number and verify account details."

25 of 191 comments

  1. Tracability? by celardore · · Score: 4, Insightful

    Isn't this more traceable than just clicking on some IP in Russia? If I got an email asking me to phone any company, I'd be first looking for a landline. If it was a scam why couldn't I just call the phone company, give them the number and then they'd be able to trace it to an address or person?

    1. Re:Tracability? by this+great+guy · · Score: 4, Informative

      Haha! Welcome to the world of Phreaking... You might not know it but the telephone network is as easily hackable, vulnerable and exploitable as the Internet is today. Good luck tracing the bad guy who impersonated your credit card company you supposedly called on 1-800-XXX-YYYY, when he might have penetrated voicemail systems, set up temporary forwarding, hacked telephone switches, etc...

    2. Re:Tracability? by Keruo · · Score: 4, Informative

      err.. 1980s called? Analog phone networks are history in most places today. In order to hack the digital circuit switched phone networks used today, you'd need little more than a whistle and a tape recorder. Digital networks use a physically separated medium for call control and signalling, and you won't get access to that medium without a crowbar and a selected location to crack at. And those locations are usually monitored 24/7.

      --
      There are no atheists when recovering from tape backup.
    3. Re:Tracability? by FireFury03 · · Score: 3, Informative

      Digital networks use a physically separated medium for call control and signalling, and you won't get access to that medium without a crowbar and a selected location to crack at. And those locations are usually monitored 24/7.

      The SS7 network is certainly not built with security in mind - once you've gained access to a system connected to the SS7 net you've got pretty free rein. Pretty much any large VoIP gateway will have an SS7 connection on one side and an internet connection on the other so crack one of them and you're sorted. Not to mention all the SIGTRAN enabled equipment that some moron has decided to plug into an unfirewalled internet connection.

      That said, I suspect the worst you'd be able to do is spoof a few calls, send a few SMS messages and add a few records to the billing systems.

      Besides, there are much easier ways of getting an anonymous DDI - just use one of the many PSTN->SIP gateways.

    4. Re:Tracability? by SeaFox · · Score: 2, Informative

      If it was a scam why couldn't I just call the phone company, give them the number and then they'd be able to trace it to an address or person?

      You think the phone company would just tell you who a line belonged to if you called them up?

      Nope. Even if the other party is calling you and harassing you repeatedly you would have to file a police report and get the information subpoenaed. The telco doesn't want to be named in any lawsuit if someone goes vigilante after getting the info.

      You can use reverse directories online and such, but that assumes the number is publicly listed.

      and yes, I DO work for a phone carrier.
    5. Re:Tracability? by vux984 · · Score: 3, Insightful

      You think the phone company would just tell you who a line belonged to if you called them up?

      You've got to admit it *seems* reasonable. After all they handed over the information on every call made in the country to the government without even blinking. Why not tell a customer about one little number? ;)

    6. Re:Tracability? by tomhudson · · Score: 2, Interesting

      You're confusing number with proportion. How many people EVER go to jail for phishing? Try reporting it to your local cop shop - you'll get the "we don't handle that here" bit. Then you're told to post your complaint to such-and-such a web site ... and nothing happens, because they're after the easy-to-bust ones - the guys running boiler-rooms going "You've just won a vacation, just send us the money for the taxes and duties."

      They HAVE the tools to deal with that, so that's what they do. They DON'T have the tools to deal with phishers.

  2. Not in the VoIP era by Andy+Dodd · · Score: 3, Interesting

    There are now plenty of companies (such as StanaPhone) that provide a free DID, all you need to do is register with them. Their business model is that they make money on outgoing calls, but most of them don't require payment until you actually decide to make such a call.

    --
    retrorocket.o not found, launch anyway?
  3. Got that yesterday... by canavan · · Score: 4, Interesting

    I got that phishing mail yesterday, and called the number (1-805-214-4801) immediately. The system's recordings were chopped and barely intelligible, and I was prompted to enter "my 16 digit credit card number" (which was indeed verified to at least follow the basic rules of correctness or be rejected), and its expiry date, but nothing like a name or even the paypal account data.

    Where can one complain about such fraudulent 1-8xx numbers to get them shut down? Additionally, how much does calling a 1-805 cost in the US, and is any part of the cost passed to the operator?

    1. Re:Got that yesterday... by Anonymous Coward · · Score: 4, Informative

      805 is Bakersfield, California, USA. You're charged whatever your long distance carrier feels like. If you go to the FBI website, you'll find that there's a link to file an Internet crime complaint. The link is here: http://www.ic3.gov/

    2. Re:Got that yesterday... by hlh_nospam · · Score: 2, Informative

      I don't believe that 805 is a toll-free number. IIRC, inbound WATS lines are 800, 888, 877, and 866.

      From 411.com reverse lookup:

      (805) 214-4801 is a land line based in Newbury Park, CA
      The registered service provider is Pacific Bell**.
      Detailed listing information is not available.

      **Due to number portability, some numbers have been transferred to a new service provider

  4. not surprising by v1 · · Score: 4, Interesting

    There's a small degree of higher risk, but if you get a new disposable cell phone every three days and move around all day you'd be a hard mark to hit.

    Too many people are now aware of the "don't click the link" aspect of phishing, but I'm sure there are still plenty of suckers that assume if they have your phone number you must be legit. I would not be surprised if they find a way to do this through US Mail in a way that hides their identity.

    It would be interesting if one day, to get such an online account set up, they make you pass a short test, where they give you ten examples of people asking for your account information in various ways, and you have to answer "give them the information" or "report the incident to phishing.ebay.com". Anyone that answers "give them the information" on any of the questions doesn't get an account.

    I wager that alone would eliminate 80% of successful phishes.

    --
    I work for the Department of Redundancy Department.
  5. Paypal -- reachable by phone? Ha. by Buran · · Score: 3, Informative

    What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).

  6. "Latest" attack? by Beryllium+Sphere(tm) · · Score: 4, Informative

    This goes back to decades before the Internet.

    [ring, ring] "Hello?" "Hello, is this $TRUSTINGSENIORCITIZEN? I have wonderful news! Congratulations, you have just won a diamond ring in our marketing lottery! There are some shipping and insurance fees, so if you'll just give me your credit card number..."

    Law enforcement and consumer groups said over and over not to give out sensitive information unless you placed the call yourself, which is really the same advice as "don't click on the link" if you think about it.

    1. Re:"Latest" attack? by beebware · · Score: 2, Interesting

      I've had my (now ex)-bank's anti-fraud system automatically call me. "This is an automated telephone call from Lloyds TSB for Mr xxxxxx. To confirm you are the card holder, please enter in your 16 digit card number." Needless to say, I hung up and called the number printed on the back of my card. I asked the person what it was about and then asked if they would have entered their number onto an automated system that randomly called them - nope(!)

  7. Re:The obvious joke... by mcpkaaos · · Score: 2, Funny

    (202) 224-3004

    Ask for Ted.

    --
    It goes from God, to Jerry, to me.
  8. In school, not when signing up... by SanityInAnarchy · · Score: 2, Insightful

    I live in Iowa. In the state of Iowa, to get a driver's license, you must pass driver's education.

    I would dearly love to have a high-school level course in computer usage, which would be required for anyone to connect to the Internet. Not going to happen, I know...

    Maybe just make it a part of the general education requirements?

    Most people think I'm a snobbish bastard, like every other Linux user. Which is true, to some extent. But I do believe we have a right to call people stupid when they do things like fall for a PayPal scam, buy from spam, send important (highly confidential!) information over email, refuse to apply patches (or not know how), and so on, and so on.

    I mean, we have Sex education, we have Driver's education, I don't think it's unreasonable that we know the computer equivalent of wearing a condom, stopping at red lights, buckling your seatbelt... I don't like driving much, I avoid it, but when I have to drive, I consider it my responsibility to know enough to not be a danger to myself and others, and to not get tickets (which cost money and are a hassle, rough equivalent of getting scammed even if you're not held liable)...

    This is the argument I use to explain to my mother why we are so snobbish. She gives the example of my uncle, a chemistry prof at MIT -- even his own wife doesn't need to know what he's doing. And I say, at least she knows what atoms are. At least she has a rough idea of what chemistry is, and what a chemical reaction is. Or take a car, at least you know to put gas in the thing, and you know it runs on an internal combustion engine. Take math, at least you know enough basic math to know whether you're getting ripped off; most people still remember a little algebra, even. These basic concepts do have equivalents in computer science.

    I may not ever have the opportunity to use a wrench, or take a wrench to my car. But I know what a wrench is and what it does, and so do most people. Most people don't know what a compiler is, and are offended that they should have to know if they'll never use it.

    Do you see the parallel?

    This is not just about phishing, this is about life skills. It is as profoundly stupid to fall for a phishing attack as to fire a Roman Candle or a bottle rocket at your face. I'm no chemistry or pyrotechnics expert, but even I know it's a bad idea.

    Oh, and the Chinese education system has us beat in so many ways it isn't funny -- they're learning their second foreign language in 7th grade. All we have left is creativity. If they ever find a way to teach creativity, we're through. If we want to preserve our ideals and our way of life, it's imperative that we improve our education system.

    --
    Don't thank God, thank a doctor!
    1. Re:In school, not when signing up... by stonecypher · · Score: 5, Insightful

      But I do believe we have a right to call people stupid when they do things like fall for a PayPal scam, buy from spam, send important (highly confidential!) information over email, refuse to apply patches (or not know how), and so on, and so on.

      Did you know that 85% of dead televisions just have a blown fuse? Did you know the $120 transmission fluid replacement at Jiffy Lube is a twelve dollar bottle of green grease, and the opening and closing of one valve? Did you know that almost everything a plumber ever actually does is run a drain snake and a plunger?

      I mean, we have Sex education, we have Driver's education, I don't think it's unreasonable that we know the computer equivalent of wearing a condom, stopping at red lights, buckling your seatbelt...

      Here's the difference: one costs people their lives, the other costs them an hour at the local computer shop. I don't think it's unreasonable that we know how to maintain appliances; nonetheless, nobody requires it, because that's batshit retarded.

      Most people think I'm a snobbish bastard, like every other Linux user.

      It's got nothing to do with your being a Linux user. It's because you're condescending and because you can't fathom that some people don't have the time or the desire to learn to maintain their computers. Believe it or not, some people have better things to do with their lives.

      Next time you pull into a jiffy lube, call a repair person, go to a barber shop, buy art tools, purchase clothes or engage in any service activity whatsoever, please remember that that's something you could learn to do and then spend your life doing, just like a seventy year old woman could spend a year reading tech sites and manuals and getting up to speed on jargon.

      Guess what? You don't want to either. You're just too dense to tell the difference.

      --
      StoneCypher is Full of BS
  9. Re:Passwords by tomhudson · · Score: 2, Interesting

    One guy up here was convicted for "hacking" into the local police squad's voicemail system.

    Everyone's password was (and I'm not making this up, and it's NOT a Spaceballs reference) "1" "2" "3" "4" "5"

    For months he listened into all sorts of messages for the detectives, including from informants, wives and girlfriends (nice to be able to blackmail a cop by threatening to tell his wife about his action on the side), etc.

    You KNOW most systems have an easy password (or still have the default password).

    Convicted, sentenced ... and caught doing it again - they hadn't changed the passwords a year later!!! Of course, once the story made the news, they HAD to change them (hint: if you remember the story and the police station, try "54321")

  10. Woah, timely! by Kid+Zero · · Score: 4, Interesting

    Just got mine in the email this morning.

    (530) 204-6800 is a land line based in Davis, CA
    The registered service provider is 01 Communications**.
    Detailed listing information is not available.

  11. I got one yesterday... by fprintf · · Score: 3, Informative

    I got one yesterday I must say it sounded really compelling. I checked the headers and my initial newbie glance was that none of the URLs were immediately noticeable as faked. Upon second glance I could see some warning messages about mismatching IP addresses.

    Regardless of the technicalities, because it didn't have the usual telltale signs it really made me wonder. I then checked into my account the usual way, noticed nothing was wrong and then forwarded the email to spoof@paypal.com, receiving a reply this morning that it was indeed a phishing attempt.

    The thing is, on this site we always talk about how clueless people are, and I have participated myself on occasion. But after talking with my wife and in-laws yesterday I realize how *easy* it is to dupe 95% of the computer using population using these tactics. These are people that are educated, smart and generally not clueless in life... but when it comes to computers they are. I had to explain to my sister-in-law why my brother-in-law was receiving Cialis/Viagra emails shortly after posting their clean (well, it was) email address on petfinder.com. My point is, it may seem like there is a low percentage of willing responders to a phone phishing attempt, but I can say from my observation that this new technique should be more successful than ever!

    I just wonder isn't it really easy to trace phone numbers?

    --
    This post brought to you by your friendly neighborhood MBA.
  12. Re:I'm just waiting for the other shoe to drop ... by Anonymous Coward · · Score: 2, Funny

    Fuck dude, you should fix your keyboard: You're missing ALOT of keys there!

  13. Re:So what duped you? by canavan · · Score: 2, Informative

    Let's be honest here, you were scammed but why? What was it in the e-mail that immediately sent you to the telephone ready to hand over your credit card number.

    No, I wasn't scammed. Which part of my posting misled you into believing that I could possibly have entered my real credit card number?

    You now know that you've been had and that it was stupid, you are, judging from your ID, a fairly recent slashdot user but the mere fact that you are here probably means you have heard about phishing scams before especially in concern to paypal and that in general handing over your credit card number is a bad idea.

    No, now I know that some people with slashdot IDs 40 times higher than mine may not yet have understood the decimal system, or confuse UIDs and CIDs. The scammers don't have my credit card number, but instead one of these. Have fun shopping online with any of these.
  14. Catch 22? by wbean · · Score: 2, Interesting

    The other day I got an automated call from a credit card company asking me to call an 800 number to review account details. When I called I was in the voice-mail system that sounded like the company but without any explanation of what I was to do. When I finally managed to get to an operator she wouldn't discuss the matter with me without the last four digits of my social security number, and I wouldn't give her those. So there we were, she didn't know who I was and I didn't know who she was. I got through two levels of supervisor and still never found out what the call was about.

  15. Sample by Faux_Pseudo · · Score: 3, Informative

    I got one of these. Here is a copy of it:
    PayPal
    Account Verification
    Dear $email_addres
    You have received this email because we have strong reason to belive that your
    PayPal account had been recently compromised. In order to prevent any fraudulent
    activity from occurring we are required to open an investigation into this matter.

    If your Credit/Debit Card on file is not updated within the next 48 hours, then will
    assume this account is fraudulent and will be suspended. We apologise for this
    inconvenience, but the purpose of this verification is to ensure that your PayPal
    account has not fraudulently used and to combat fraud attempts.

    To speed up the process, you are required to call us ($phone_number) to verify your
    PayPal account.

    We apologise in advance for any inconvenience this may cause you and we would like
    to thank you for cooperation as we review this matter.

    Regards,
    PayPal Account Verification.
    Copyright (c) 1999-2006 PayPal. All rights reserved.
    --
    Please do not reply to this e-mail. Mail sent to this address cannot be answered.
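As an added illustration (not part of the thread), a small Python heuristic scorer for the vishing pattern the story describes: a phone number and a "call us" demand but no URL to click. The mail bodies below are constructed from the sample above and the 555 number is a placeholder, not a number from the thread.

```python
import re

# Constructed sample body modelled on the phishing mail quoted above.
# The 555 number is a placeholder, not a number from the thread.
SAMPLE_VISHING_MAIL = """\
Dear user@example.com
You have received this email because we have strong reason to belive that your
PayPal account had been recently compromised. In order to prevent any fraudulent
activity from occurring we are required to open an investigation into this matter.
If your Credit/Debit Card on file is not updated within the next 48 hours, then will
assume this account is fraudulent and will be suspended.
To speed up the process, you are required to call us (555) 010-0199 to verify your
PayPal account.
Please do not reply to this e-mail. Mail sent to this address cannot be answered.
"""

# Constructed benign mail: it carries a link, no phone number and no pressure.
SAMPLE_BENIGN_MAIL = """\
Thanks for your order. View the receipt at https://www.example.com/orders/123
"""

# NANP-style number: optional leading 1, optional parentheses, ./-/space separators.
US_PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# "call us", "dial the number", "phone ... to verify" within a short window.
CALL_CUE_RE = re.compile(r"\b(?:call|dial|phone)\b.{0,40}\b(?:us|number|verify)\b", re.I | re.S)
URGENCY_RE = re.compile(r"within the next \d+ hours|\bsuspended\b|\bcompromised\b|\bimmediately\b", re.I)
CARD_CUE_RE = re.compile(r"\b(?:credit|debit)\b.{0,10}\bcard\b|\baccount (?:number|details)\b", re.I)
BRAND_RE = re.compile(r"\bpaypal\b|\bebay\b|\bbank\b", re.I)

def score_vishing(body: str) -> dict:
    """Return indicator flags, a 0-6 score and a verdict for one mail body."""
    phones = US_PHONE_RE.findall(body)
    urls = URL_RE.findall(body)
    indicators = {
        "phone_number_present": bool(phones),
        "no_url": not urls,  # the trait that sets vishing mail apart from ordinary phishing
        "asks_to_call": bool(CALL_CUE_RE.search(body)),
        "urgency": bool(URGENCY_RE.search(body)),
        "card_or_account_cue": bool(CARD_CUE_RE.search(body)),
        "brand_mentioned": bool(BRAND_RE.search(body)),
    }
    score = sum(indicators.values())
    if score >= 4:
        verdict = "likely vishing"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "low risk"
    return {"score": score, "verdict": verdict, "indicators": indicators, "phones": phones}

if __name__ == "__main__":
    for name, body in (("vishing", SAMPLE_VISHING_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        result = score_vishing(body)
        print(f"{name}: {result['verdict']} (score {result['score']}, numbers {result['phones']})")
```

The extracted numbers are what a mail gateway would hand to the abuse or IC3 report mentioned in the thread; the thresholds are arbitrary starting points, not tuned values.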