[ insider_reports_insider ]
Caller ID Spoofing The Next Big Threat
David Utter
Staff Writer
2007-12-18
 Insider Reports RSS Feed
Some enterprising websites offer ways to spoof a Caller ID for pranking purposes. Criminals have figured out how to scam people with this spoofing in a virtually foolproof way.
 |
| Caller ID Spoofing The Next Big Threat |  |
Paul Henry at Secure Computing referred to cases of Caller ID spoofing popping up all over the place as a "perfect storm for social engineering." He told SecurityProNews more about this threat to anyone with a phone and Caller ID.
A spoofed ID makes it appear the call comes from somewhere else. Henry noted how it has been used as a vicious prank, with people calling a 911 line, spoofing the phone number for a residence, and claiming a gunman was in the house.
That led to a SWAT team coming by the purported scene of the crime to investigate. Believe it or not, this example is a nuisance compared to the traffic ticket scam Henry described.
The victimized police department in question does not want to be identified in this incident. Caller ID spoofers used the department's number and name to convince people they were being called about delinquent traffic tickets.
These criminals told their marks that unless they paid their outstanding traffic tickets right then and there, over the phone, with a credit card, arrests would be made. People fell for this over and over, Henry said.
Such spoofing will continue to grow in 2008. Henry thinks next year will be huge for criminal Caller ID spoofing, which means security pros need to be on their guard now.
When receiving a questionable call, perhaps one that appears to be from a bank or credit card company, people who are suspicious should hang up and call the number appearing on their cards or bank statements. Legitimate callers aren't going to ask for a card number and expiration date when calling an individual, for example.
The issue of calling back has its own little pitfalls. We mentioned VoIP phishing, or vishing, in 2006. This is the use of a fake inbound number to collect information from callers.
"It's absolutely trivial to set up," said Henry. Criminals use the Asterisk open source IP PBX platform to establish a point to receive inbound calls. Survey software available as a free add-on allows Asterisk to record tones made when pressing keys to enter data like a credit card number.
Email phishing scams containing vishing phone numbers have been used to try and entice people to call what the victim thinks is a financial institution. A scam could go so far as to imitate the voice menu used by the legitimate business.
We can see the possibility of this being used to target individuals in the public eye through the mail. Someone could create a fake letter from a bank or similar business, address it to an executive at a company, and direct them to call the vishing number.
A letter arriving by post may be viewed by most people with less suspicion than email. If they fall for it, criminals could end up with access to business accounts. These accounts have much higher profit potential than the typical man on the street's credit card.
When in doubt, pull out the credit card and call the customer service number printed on it. Any legitimate institution should be eager to assist people and clarify correspondence the business sent to the person.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
More insider_reports_insider Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
