‘Untraceable’ Phone Frauders Vishing for Credit Cards

Vishing, now there’s a new term for you. Basically it’s phishing, but utilising VoIP call services, which makes it very easy to spoof the Caller ID.

Even though Caller ID Spoofing was Made Illegal in the USA, people will still continue to do it; remember, the FCC said it’s still easy to spoof caller ID. This scam, as always, includes some Social Engineering; after all, it’s not that easy to get people to give up their important info over the phone.

Scams involving email and fake banking websites may get all the attention, but a recent rash of fraudulent phone calls shows criminals haven’t given up on more traditional tools for tricking people into surrendering credit card numbers and other sensitive information.

The calls begin with a recording that makes a tempting offer – usually for a lower credit-card interest rate or an extended car warranty – and then invite the caller to speak to a live agent. The agents then ask for information including the credit card number and expiration, name, address, and in some cases social security number and other data. Recipients who have fallen for the ploy report finding charges as high as $900 on their credit card.

So be careful, don’t be tempted by lower credit card rates or any kind of nonsense offers that you receive from strangers. Honestly I don’t believe any readers of Darknet would fall for this kind of thing, but as always, educate those who aren’t so savvy and you are doing your part.

The surge of calls comes as security researchers report an up-tick in so-called vishing attacks, which use VoIP, or voice over IP, to trick people into turning over banking credentials and other sensitive data. Last fall, more than 12,000 people in Texas were targeted in a scam that attempted to capture their account details for eTrade and two local banks, according to a recent report from iSIGHT Partners.

Vishers typically set up demo accounts with one of the many VoIP providers, carry out their attack and then move to another provider. The attacks observed in the report were different from the recent scam, however. They typically rely on emails that encourage recipients to call an automated number and manually enter their account information.

It’s worrying, people are getting spammed, scammed and phished from every direction now. All these frauds and spammers are making technology more complex and polluting the Internet with stuff like CAPTCHAs.

I guess it’s here to stay though, so we have to accept it and deal with it as best we can.

Source: The Register

Posted in: Social Engineering, Spammers & Scammers


7 Responses to ‘Untraceable’ Phone Frauders Vishing for Credit Cards

  1. razta June 4, 2008 at 8:57 am #

    The guy who lost $900, he’s either really stupid or has more money than sense and simply didn’t care.

    I had a guy social engineer me the other week! I had just woken and was taking the bins out, male and female come walking over smartly dressed and looked very professional, the guy flashed his wallet at me and said “Police”, I didn’t quite see the wallet because he did it so fast, however did not want to argue with a possible policeman as I’d just woken up. He then asked me for the security code for my building and I gave it to him, only later did I realise I’d been had.

    More than likely he was a debt collector. I thought I would never get social engineered, just goes to show.

  2. Jinesh Doshi June 5, 2008 at 8:06 am #

    I agree with razta that guy has to be a real fool to give away details on phone.

  3. BMX guy June 6, 2008 at 9:21 am #

    @razta – that is the best way, take someone by surprise. Got myself into a very similar thing a couple of times, but after some training managed to stop myself from giving people vital information. Doesn’t work every time, but at least “most of the time” is better than nothing. We’re only human,

  4. Pantagruel June 6, 2008 at 12:44 pm #


    Always argue with a so called ‘official’, most social engineers will try to impose as an ‘official’ of some sort (police/traffic warden/meter man/cable guy). A true ‘official’ will allow you to scrutinize his/her ID, if the so called ‘official’ refrains from doing this or simply replies ‘I already showed you my ID’ you can safely use the fifth and give him/her the silent treatment.

    Had a similar thing some days ago, some ‘supposedly’ security type of guy was ‘performing’ ticket checks in our subway. He was quite aggressively asking for identity papers to verify card holder name/photograph. Many people simply complied and only few objected and/or demanded to see some kind of proof of his identity/function. I declined simply because they always operate in groups and have police support. The guy threatened with a fine and to call in the police to arrest me. When I told him to be my guest he got out at the next stop, clearly a fake.

  5. Navin June 7, 2008 at 6:15 am #

    As BMX guy pointed out, we’re only human!! There was this quote I’d read on some newbie’s “hacking” site. The site was lame but the quote made sense: “Servers don’t make mistakes, humans do”.

    It’s silly when U tell someone about such stuff but at the time U’re getting phished U don’t really figure what’s going on…. As long as the social engineer is good that is.

    U guys read Kevin Mitnick’s “The Art of Deception”– Brilliant book with loads of examples on conning!! My icon as far as social engineering is concerned

  6. Pantagruel June 7, 2008 at 7:17 pm #


    I Read Kevin Mitnick

  7. d347hm4n June 8, 2008 at 10:08 am #

    Unfortunately the people that will fall for this type of social engineering attack will not be reading the darknet.