‘Untraceable’ Phone Frauders Vishing for Credit Cards

Vishing, now there’s a new term for you. Basically its Phishing – but utilising VoIP call services, which makes it very easy to spoof the Caller ID.

Even though Caller ID Spoofing was Made Illegal in the USA – people will still continue to do it, remember the FCC said it’s still easy to spoof caller ID. This scam as always includes some Social Engineering, it’s not that easy after all to get people to give up their important info over the phone.

Scams involving email and fake banking websites may get all the attention, but a recent rash of fraudulent phone calls shows criminals haven’t given up on more traditional tools for tricking people into surrendering credit card numbers and other sensitive information.

The calls begin with a recording that makes a tempting offer – usually for a lower credit-card interest rate or an extended car warranty – and then invite the caller to speak to a live agent. The agents then ask for information including the credit card number and expiration, name, address, and in some cases social security number and other data. Recipients who have fallen for the ploy report finding charges as high as $900 on their credit card.

So be careful, don’t be tempted by lower credit card rates or any kind of nonsense offers that you receive from strangers. Honestly I don’t believe any readers of Darknet would fall for this kind of thing..but as always educate those you aren’t so savvy and you are doing your part.

The surge of calls come as security researchers report an up-tick in so-called vishing attacks, which use VoIP, or voice over IP, to trick people into turning over banking credentials and other sensitive data. Last fall, more than 12,000 people in Texas were targeted in a scam that attempted to capture their account details for eTrade and two local banks, according to a recent report from iSIGHT Partners.

Vishers typically set up demo accounts with one of the many VoIP providers, carry out their attack and then move to another provider. The attacks observed in the report were different from the recent scam, however. They typically rely on emails that encourage recipients to call an automated number and manually enter their account information.

It’s worrying, people are getting spammed, scammed and phished from every direction now. All these frauds and spammers are making technology more complex and polluting the Internet with stuff like CAPTCHAs.

I guess it’s here to stay though, so we have to accept with it and deal with it as best we can.

Source: The Register

Posted in: Social Engineering, Spammers & Scammers

, , , , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

7 Responses to ‘Untraceable’ Phone Frauders Vishing for Credit Cards

  1. razta June 4, 2008 at 8:57 am #

    The guy who lost $900, hes either really stupid or has more money than senss and simply dident care.

    I had a guy social engineer me the other week! I had just woke and was taking the bins out, male and female come walking over smartly dressed and looked very professional, the guy flashed his wallet at me and said “Police”, I didn’t quite see the wallet because he did it so fast, however did not want to argue with a possible police man as id just woke up. He then asked me for the security code for my building and I gave it to him, only later did I realise id been had.

    More than likely he was a debt collector. I thought I would never get social engineered, just goes to show.

  2. Jinesh Doshi June 5, 2008 at 8:06 am #

    I agree with razta that guy has to be a real fool to give away details on phone.

  3. BMX guy June 6, 2008 at 9:21 am #

    @razta – that is the best way, take someone by surprise. Got myself into a very similar thing a couple of times, but after some training managed to stop myself from giving people vital information. Doesn’t work every time, but at least “most of the time” is better than nothing. We’re only human,

  4. Pantagruel June 6, 2008 at 12:44 pm #


    Always argue with a so called ‘official ‘ most social engineers will try to impose as an ‘official’ of some sort (police/traffic warden/meter man/cable guy). A true ‘official’ will allow you to scrutinize his/her ID, if the so called ‘official’ refrains from doing this or simply replies ‘I already showed you my ID’ you can safely use the fifth and give him/her the silent treatment.

    Had a similar thing some days ago, some ‘supposedly ‘ security type of guy was ‘performing’ ticket checks in our subway. He was quite aggressively asking for identity papers to verify card holder name/photograph. Many people simply complied and only few objected and or demanded to see some kind of proof of his identity/function. I declined simply because they always operate in groups and have police support. The guy threatened with a fine and to call in the police to arrest me. When I told him to be my guest he got out at the next stop, clearly a fake.

  5. Navin June 7, 2008 at 6:15 am #

    As BMX guy pointed out, we’re only human!! there was this quote I’d read on some newbie’s “hacking” site.The site was lame but the quote made sense– “Servers don’t make mistakes, humans do”.

    Its silly when U tell someone about such stuff but at the time U’re getting phished U don’t really figure whats going on…. As long as the social engineer is good that is.

    U guys read Kevin Mitnick’s “The Art of Deception”– Brilliant book with loads of examples on conning!! My icon as far as social engineering is concerned

  6. Pantagruel June 7, 2008 at 7:17 pm #


    I Read Kevin Mitnick

  7. d347hm4n June 8, 2008 at 10:08 am #

    Unfortunately the people that will fall for this type of social enginnering attack will not be reading the darknet.