‘Untraceable’ Phone Frauders Vishing for Credit Cards

Vishing, now there’s a new term for you. Basically it’s phishing – but utilising VoIP call services, which makes it very easy to spoof the Caller ID.

Even though Caller ID spoofing was made illegal in the USA, people will still continue to do it; remember, the FCC said it’s still easy to spoof caller ID. This scam, as always, includes some social engineering; it’s not that easy, after all, to get people to give up their important info over the phone.

Scams involving email and fake banking websites may get all the attention, but a recent rash of fraudulent phone calls shows criminals haven’t given up on more traditional tools for tricking people into surrendering credit card numbers and other sensitive information.

The calls begin with a recording that makes a tempting offer – usually for a lower credit-card interest rate or an extended car warranty – and then invite the caller to speak to a live agent. The agents then ask for information including the credit card number and expiration, name, address, and in some cases social security number and other data. Recipients who have fallen for the ploy report finding charges as high as $900 on their credit card.

So be careful, don’t be tempted by lower credit card rates or any kind of nonsense offers that you receive from strangers. Honestly I don’t believe any readers of Darknet would fall for this kind of thing... but as always, educate those who aren’t so savvy and you are doing your part.

The surge of calls comes as security researchers report an up-tick in so-called vishing attacks, which use VoIP, or voice over IP, to trick people into turning over banking credentials and other sensitive data. Last fall, more than 12,000 people in Texas were targeted in a scam that attempted to capture their account details for eTrade and two local banks, according to a recent report from iSIGHT Partners.

Vishers typically set up demo accounts with one of the many VoIP providers, carry out their attack and then move to another provider. The attacks observed in the report were different from the recent scam, however. They typically rely on emails that encourage recipients to call an automated number and manually enter their account information.

It’s worrying, people are getting spammed, scammed and phished from every direction now. All these fraudsters and spammers are making technology more complex and polluting the Internet with stuff like CAPTCHAs.

I guess it’s here to stay though, so we have to accept it and deal with it as best we can.

Source: The Register

Posted in: Social Engineering, Spammers & Scammers


7 Responses to ‘Untraceable’ Phone Frauders Vishing for Credit Cards

  1. razta June 4, 2008 at 8:57 am #

    The guy who lost $900, he’s either really stupid or has more money than sense and simply didn’t care.

    I had a guy social engineer me the other week! I had just woken and was taking the bins out, a male and female came walking over smartly dressed and looked very professional, the guy flashed his wallet at me and said “Police”, I didn’t quite see the wallet because he did it so fast, however I did not want to argue with a possible policeman as I’d just woken up. He then asked me for the security code for my building and I gave it to him, only later did I realise I’d been had.

    More than likely he was a debt collector. I thought I would never get social engineered, just goes to show.

  2. Jinesh Doshi June 5, 2008 at 8:06 am #

    I agree with razta that guy has to be a real fool to give away details on phone.

  3. BMX guy June 6, 2008 at 9:21 am #

    @razta – that is the best way, take someone by surprise. Got myself into a very similar thing a couple of times, but after some training managed to stop myself from giving people vital information. Doesn’t work every time, but at least “most of the time” is better than nothing. We’re only human.

  4. Pantagruel June 6, 2008 at 12:44 pm #


    Always argue with a so-called ‘official’, most social engineers will try to impose as an ‘official’ of some sort (police/traffic warden/meter man/cable guy). A true ‘official’ will allow you to scrutinize his/her ID, if the so-called ‘official’ refrains from doing this or simply replies ‘I already showed you my ID’ you can safely use the fifth and give him/her the silent treatment.

    Had a similar thing some days ago, some ‘supposedly’ security type of guy was ‘performing’ ticket checks in our subway. He was quite aggressively asking for identity papers to verify card holder name/photograph. Many people simply complied and only a few objected and/or demanded to see some kind of proof of his identity/function. I declined simply because they always operate in groups and have police support. The guy threatened with a fine and to call in the police to arrest me. When I told him to be my guest he got out at the next stop, clearly a fake.

  5. Navin June 7, 2008 at 6:15 am #

    As BMX guy pointed out, we’re only human!! There was this quote I’d read on some newbie’s “hacking” site. The site was lame but the quote made sense – “Servers don’t make mistakes, humans do”.

    It’s silly when U tell someone about such stuff but at the time U’re getting phished U don’t really figure what’s going on…. As long as the social engineer is good that is.

    U guys read Kevin Mitnick’s “The Art of Deception” – Brilliant book with loads of examples on conning!! My icon as far as social engineering is concerned

  6. Pantagruel June 7, 2008 at 7:17 pm #


    I Read Kevin Mitnick

  7. d347hm4n June 8, 2008 at 10:08 am #

    Unfortunately the people that will fall for this type of social engineering attack will not be reading the darknet.