Vishing: Santa Barbara Trust (Voice or Phone Phishing)
June 23rd, 2006 by SecuriTeam, Filed under: Commentary, Culture, Physical Security, Phishing
As predicted in our circles last year, here is a documented vishing case. The wave file does not have a heavy Russian accent attached, but it is interesting.
Considering this bank also handles some tax refund issues, one would expect the IRS to also take an interest in this.
Today from Dan Hubbard at Websense and our friends at CastleCops PIRT:
Websense Security Labs™ has received reports of a new phishing attack that targets customers of Santa Barbara Bank & Trust. Users receive a spoofed email message with the subject “Message 156984 client’s details confirmation (Santa Barbara Bank & Trust).”
Unlike the most popular form of phishing, where users are lured to click on a URL and are directed to a fraudulent site, this lure uses a telephone number. The phone number is in a southern California area code and was answering at the time of this alert.
When victims dial the phone number, the recording requests that they enter their account number.
The phone response does not mention the bank name, which could be an indicator that this number is also being used for fraud against other entities.
The vishing recording can be found here:
http://www.websense.com/securitylabs/images/alerts/june_vishing.wav
The actual phishing email with the number:
Dear customer,
We’ve noticed that you experienced trouble logging into Santa Barbara Bank & Trust online banking.
After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust online profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure.
Call this phone number (1-805-xxx-xxxx) to verify your account and your identity.
Sincerely,
Santa Barbara Bank & Trust Inc.
Online Customer Service
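The interesting defensive point in the alert above is that a lure like this carries no URL at all, so link-reputation and URL-rewriting filters never fire; the "click here" has been replaced by "call this number". The script below is an added example (not code from the post, from Websense or from CastleCops) of a mail-filter heuristic that catches that pattern: it extracts phone numbers, checks for the account-lockout pretext wording and a callback instruction, and scores the combination. The two messages embedded in it are constructed for the example; the lure paraphrases the email quoted above with a fictional 555-01xx number in place of the real one, and the phrase lists are my own assumptions, not a published signature set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lure, paraphrasing the e-mail quoted in the post. The phone
# number is a fictional 555-01xx placeholder, not the number from the alert.
SAMPLE_LURE = """\
Subject: Message 156984 Client's details confirmation (Santa Barbara Bank & Trust)

Dear customer,
We've noticed that you experienced trouble logging into Santa Barbara Bank & Trust online banking.
After three unsuccessful attempts to access your account, your online profile has been locked.
Call this phone number (1-805-555-0100) to verify your account and your identity.
Sincerely,
Online Customer Service
"""

# Constructed benign message: it also carries a phone number, but no pressure
# wording and no instruction to call back about an account.
SAMPLE_BENIGN = """\
Subject: Thursday standup

Hi all, conference dial-in: 1-805-555-0199, passcode 4242.
See you at 10.
"""

# North American phone numbers with optional +1 prefix and common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Pretext wording typical of account-lockout lures (assumed list, not exhaustive).
PRETEXT_RE = re.compile(
    r"\b(?:has been locked|suspended|unusual activity|unsuccessful attempts|"
    r"verify your (?:account|identity)|confirm your (?:account|details))\b", re.I)
# An instruction to phone a number: the vishing equivalent of "click here".
CALLBACK_RE = re.compile(r"\b(?:call|dial|phone)\b[^.\n]{0,60}?\b(?:number|us)\b", re.I)


@dataclass
class Verdict:
    phones: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    pretext_hits: list = field(default_factory=list)
    callback: bool = False
    score: int = 0
    vishing_lure: bool = False


def analyze(message: str) -> Verdict:
    """Score a message body for a phone-callback (vishing) lure."""
    v = Verdict()
    v.phones = PHONE_RE.findall(message)
    v.urls = URL_RE.findall(message)
    v.pretext_hits = [m.group(0).lower() for m in PRETEXT_RE.finditer(message)]
    v.callback = CALLBACK_RE.search(message) is not None

    # A phone number alone is ordinary business mail. It becomes suspicious when
    # paired with an instruction to call it and with lockout/verification
    # pretext; a message with a number but no URL is exactly the case that
    # link-based filters would pass untouched, so that adds weight too.
    if v.phones:
        v.score += 1
    if v.callback and v.phones:
        v.score += 2
    v.score += min(len(v.pretext_hits), 2)
    if v.phones and not v.urls:
        v.score += 1
    v.vishing_lure = v.callback and v.score >= 4
    return v


if __name__ == "__main__":
    for label, text in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        verdict = analyze(text)
        print(f"{label}: score={verdict.score} flagged={verdict.vishing_lure} "
              f"phones={verdict.phones} pretext={verdict.pretext_hits}")
```

In a real gateway the phone numbers pulled out by `analyze()` are the useful artefact: they can be compared against numbers published on the bank's own site, and a flagged number can be shared with other recipients the way a phishing URL would be, which matters here because the alert notes the same recording may serve lures against other institutions.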
Sun Shine,
sunshine@beyondsecurity.com
[…] The SecuriTEam Blog has a post on Voice-based Phishing called Vishing. […]
hi,
this is not the first time as far as I know.
http://israblog.nana.co.il/blogread.asp?blog=177394&blogcode=4246482
What you describe is VoIP phishing, which indeed is named (by us) Vishing. Not the same.
[…] SecuriTeam Blogs PhishingWith Phishing the banks have the potential benefit of learning from the lessons of countries that suffered from these attacks before, such as the UK. Considering that the technology used for Phishing […]
How do I report phone phishing? I’ve received several messages from someone to call “Cardmember services” without specifying the bank. I finally called back and they claimed to be with Chase. I denied having a Chase card, and was asked for my SSN. At that point I said I’d call Chase... this is clearly a scam.
The FTC handles phone fraud:
http://www.ftc.gov/bcp/conline/pubs/tmarkg/target.htm
To Report a Scam
Fight telephone fraud. Report telephone scam artists to the Federal Trade Commission and your state Attorney
General. The Telemarketing Sales Rule gives these local law enforcement officers the power to prosecute
fraudulent telemarketers who operate across state lines.
Call toll-free, 1-877-FTC-HELP (1-877-382-4357)
(Thanks jono)
Also found this page, but it looks like it would take 15 minutes to fill out (people may not want to fill the whole thing out just to let the FTC know they got a phishing phone call):
http://www.consumer.gov/idtheft/
which goes to
https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03
(thanks jono again)