Voice Phishing Hits PayPal

Posted by CowboyNeal on Sat Jul 08, 2006 11:26 AM
from the eight-six-seven-five-three-zero-nine dept.
Chai Vanilla writes "The latest social engineering phishing attack is now using phones instead of fake web sites. Identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information. Unlike normal phishing e-mails, there is no URL or response address. Instead, the e-mail urges the recipient to call a phone number and verify account details."
  • Traceability? (Score:5, Insightful)

    by celardore (844933) <celardore@gmail.com> on Saturday July 08 2006, @11:30AM (#15683482)
    (http://www.celardore.net/)
    Isn't this more traceable than just clicking on some IP in Russia? If I got an email asking me to phone any company, I'd be first looking for a landline. If it was a scam why couldn't I just call the phone company, give them the number and then they'd be able to trace it to an address or person?
    • Not in the VoIP era (Score:4, Interesting)

      There are now plenty of companies (such as StanaPhone) that provide a free DID, all you need to do is register with them. Their business model is that they make money on outgoing calls, but most of them don't require payment until you actually decide to make such a call.
    • Re:Traceability? (Score:5, Informative)

      by this great guy (922511) on Saturday July 08 2006, @11:46AM (#15683551)

      Haha! Welcome to the world of Phreaking [wikipedia.org]... You might not know it but the telephone network is as easily hackable, vulnerable and exploitable as the Internet is today. Good luck tracing the bad guy who impersonated your credit card company you supposedly called on 1-800-XXX-YYYY, when he might have penetrated voicemail systems, set up temporary forwarding, hacked telephone switches, etc...

      • Re:Traceability? (Score:5, Informative)

        by Keruo (771880) on Saturday July 08 2006, @12:05PM (#15683636)
        err.. 1980s called? Analog phone networks are history in most places today. In order to hack the digital circuit-switched phone networks used today, you'd need little more than a whistle and a tape recorder. Digital networks use a physically separated medium for call control and signalling, and you won't get access to that medium without a crowbar and a selected location to crack at. And those locations are usually monitored 24/7.
        • Re:Traceability? (Score:4, Informative)

          by FireFury03 (653718) <slashdot&nexusuk,org> on Saturday July 08 2006, @12:29PM (#15683722)
          (http://www.nexusuk.org/)
          Digital networks use physically separated medium for call control and signalling, and you won't get access to that medium without crowbar and selected location to crack at. And those locations are usually monitored 24/7.

          The SS7 network is certainly not built with security in mind - once you've gained access to a system connected to the SS7 net you've got a pretty free reign. Pretty much any large VoIP gateway will have an SS7 connection on one side and an internet connection on the other so crack one of them and you're sorted. Not to mention all the SIGTRAN enabled equipment that some moron has decided to plug into an unfirewalled internet connection.

          That said, I suspect the worst you'd be able to do is spoof a few calls, send a few SMS messages and add a few records to the billing systems.

          Besides, there are much easier ways of getting an anonymous DDI - just use one of the many PSTN->SIP gateways.
      • Re:Traceability? (Score:4, Insightful)

        by vux984 (928602) on Saturday July 08 2006, @01:15PM (#15683918)
        You think the phone company would just tell you who a line belonged to if you called them up?

        You've got to admit it *seems* reasonable. After all they handed over the information on every call made in the country to the government without even blinking. Why not tell a customer about one little number? ;)
  • Easier to track? (Score:2, Redundant)

    by nurb432 (527695) on Saturday July 08 2006, @11:31AM (#15683489)
    (http://slashdot.org/~nurb432/ | Last Journal: Friday August 27 2004, @03:24PM)
    Wouldn't having a phone to trace be more effective in catching them than a 'blind' and easily hidden-behind webpage??
  • Latest phishing method??? (Score:1, Insightful)

    by Anonymous Coward on Saturday July 08 2006, @11:36AM (#15683503)
    Wasn't phone phishing one of the first methods used?
  • by davidbrit2 (775091) on Saturday July 08 2006, @11:37AM (#15683509)
    (http://www2.gvsu.edu/~brittedg)
    Quick! What's the number for the internet???
  • Got that yesterday... (Score:5, Interesting)

    by canavan (14778) on Saturday July 08 2006, @11:37AM (#15683511)
    I got that phishing mail yesterday, and called the number (1-805-214-4801) immediately. The system's recordings were chopped and barely intelligible, and I was prompted to enter "my 16 digit credit card number" (which was indeed verified to at least follow the basic rules of correctness or be rejected), and its expiry date, but nothing like a name or even the paypal account data.

    Where can one complain about such fraudulent 1-8xx numbers to get them shut down? Additionally, how much does calling a 1-805 cost in the US, and is any part of the cost passed to the operator?
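The "basic rules of correctness" canavan describes the IVR applying to the 16-digit number is the Luhn mod-10 checksum that card numbers carry. The following is an added example, not code from the thread or from any of the posters, showing the same check used on the defensive side: scanning text for digit runs that pass Luhn, which is how a DLP filter or log scrubber finds card numbers that should never have been captured in the first place. The transcript line is constructed for the example, and the number that passes is a widely published test number, not a real account.

```python
import re

# Constructed sample text for this example: a line of call-system output with
# one number that passes the Luhn checksum (a published test number, not a real
# account) and one that fails it by a single digit.
SAMPLE_TRANSCRIPT = (
    "caller entered 4111 1111 1111 1111, then retried with 4111111111111112 "
    "and hung up"
)

# Candidate runs of 13-19 digits, allowing spaces or dashes between groups.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum.

    Walking from the rightmost digit, every second digit is doubled (and
    reduced by 9 if the result exceeds 9); the number is valid when the sum
    of all digits is divisible by 10.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit runs in `text` that look like card numbers and pass Luhn.

    Luhn is only a checksum, so a passing run is a candidate to redact or
    alert on, not proof that it is an issued card number.
    """
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_card_numbers(text: str) -> str:
    """Replace every Luhn-valid card number in `text` with a masked form (last 4 kept)."""
    def mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)
    return CANDIDATE_RE.sub(mask, text)


if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_TRANSCRIPT))
    print(redact_card_numbers(SAMPLE_TRANSCRIPT))
```

The same check that lets the scam IVR reject typos is what makes the number easy to spot in stored transcripts and logs, so redaction at capture time is the practical use of it.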
  • not surprising (Score:5, Interesting)

    by v1 (525388) on Saturday July 08 2006, @11:40AM (#15683522)
    (http://vftp.net/ | Last Journal: Saturday December 09 2006, @09:52PM)

    There's a small degree of higher risk, but if you get a new disposable cell phone every three days and move around all day you'd be a hard mark to hit.

    Too many people are now aware of the "don't click the link" aspect of phishing, but I'm sure there are still plenty of suckers that assume if they have your phone number you must be legit. I would not be surprised if they find a way to do this through US Mail in a way that hides their identity.

    It would be interesting if one day, to get such an online account set up, they make you pass a short test, where they give you ten examples of people asking for your account information in various ways, and you have to answer "give them the information" or "report the incident to phishing.ebay.com". Anyone that answers "give them the information" on any of the questions doesn't get an account.

    I wager that alone would eliminate 80% of successful phishes.
      • But I do believe we have a right to call people stupid when they do things like fall for a PayPal scam, buy from spam, send important (highly confidential!) information over email, refuse to apply patches (or not know how), and so on, and so on.

        Did you know that 85% of dead televisions just have a blown fuse? Did you know the $120 transmission fluid replacement at Jiffy Lube is a twelve dollar bottle of green grease, and the opening and closing of one valve? Did you know that almost everything a plumber ever actually does is run a drain snake and a plunger?

        I mean, we have Sex education, we have Driver's education, I don't think it's unreasonable that we know the computer equivalent of wearing a condom, stopping at red lights, buckling your seatbelt...

        Here's the difference: one costs people their lives, the other costs them an hour at the local computer shop. I don't think it's unreasonable that we know how to maintain appliances; nonetheless, nobody requires it, because that's batshit retarded.

        Most people think I'm a snobbish bastard, like every other Linux user.

        It's got nothing to do with your being a Linux user. It's because you're condescending and because you can't fathom that some people don't have the time or the desire to learn to maintain their computers. Believe it or not, some people have better things to do with their lives.

        Next time you pull into a jiffy lube, call a repair person, go to a barber shop, buy art tools, purchase clothes or engage in any service activity whatsoever, please remember that that's something you could learn to do and then spend your life doing, just like a seventy year old woman could spend a year reading tech sites and manuals and getting up to speed on jargon.

        Guess what? You don't want to either. You're just too dense to tell the difference.
  • by v1 (525388) on Saturday July 08 2006, @11:48AM (#15683560)
    (http://vftp.net/ | Last Journal: Saturday December 09 2006, @09:52PM)
    I haven't heard of any sting operations for hitting the phishers... Considering the anonymous and random nature of the phishing scams and ease with which you can attract a phishing email, you could send an email from a newly created email account back to the phisher without them realizing this wasn't one of the addresses they phished, and could arrange for a carefully monitored and traceable transaction to take place, to track down the phisher. ("follow the money" principle) Why don't we see more of this going on?
  • Paypal -- reachable by phone? Ha. (Score:4, Informative)

    by Buran (150348) on Saturday July 08 2006, @11:49AM (#15683565)
    (http://www.buran.org/)
    What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).
  • Use someone else (Score:2)

    by Colin Smith (2679) on Saturday July 08 2006, @11:49AM (#15683567)
    Paypal is just one of many. Do you really need the hassle if they're being targeted?

    Perhaps losing customers might encourage companies to start signing official emails.

  • 1-800 Number ? (Score:1)

    by Joebert (946227) on Saturday July 08 2006, @11:51AM (#15683575)
    I got a weird email [ozzu.com] about two weeks ago.
    I never did find out if Paypal has a 1-800 number & just ended up "reporting phishing" to be done with it.
  • This goes back to decades before the Internet.

    [ring, ring] "Hello?" "Hello, is this $TRUSTINGSENIORCITIZEN? I have wonderful news! Congratulations, you have just won a diamond ring in our marketing lottery! There are some shipping and insurance fees, so if you'll just give me your credit card number..."

    Law enforcement and consumer groups said over and over not to give out sensitive information unless you placed the call yourself, which is really the same advice as "don't click on the link" if you think about it.
  • Hw long before eBay (who own paypal) strt a rumur that Google Checkout is behind this?
  • Why exactly would *any* financial institution want to verify credit card information. They have the fucking information: it's their bread and butter. No financial institution would lose any customer data because it's the most valuable item they have.

    Anybody who falls for "please verify your information" has no clue how financial institutions work (Yeah, I know PayPal isn't a bank, but nevertheless... Your credit card number is the most valuable thing they have)

    A compromise of the database would just mean that they lock your account. Next time you log in, you get an explanation and you have to re-enter your data.

    That's pretty much fool-proof.

  • by BumpyCarrot (775949) on Saturday July 08 2006, @12:21PM (#15683693)
    Whilst of course they face greater risk of legal action, there's no fake URL in the e-mail to rumble.
  • Woah, timely! (Score:4, Interesting)

    by Kid Zero (4866) on Saturday July 08 2006, @12:59PM (#15683852)
    (http://www.google.com/)
    Just got mine in the email this morning.

    (530) 204-6800 is a land line based in Davis, CA
    The registered service provider is 01 Communications**.
    Detailed listing information is not available.

  • I got one yesterday... (Score:3, Informative)

    by fprintf (82740) on Saturday July 08 2006, @01:34PM (#15684003)
    (http://fprintf.rchomepage.com/ | Last Journal: Friday October 13 2006, @02:33PM)
    I got one yesterday and I must say it sounded really compelling. I checked the headers and my initial newbie glance was that none of the URLs were immediately noticeable as faked. Upon second glance I could see some warning messages about mismatching IP addresses.

    Regardless of the technicalities, because it didn't have the usual telltale signs it really made me wonder. I then checked into my account the usual way, noticed nothing was wrong and then forwarded the email to spoof@paypal.com, receiving a reply this morning that it was indeed a phishing attempt.

    The thing is, on this site we always talk about how clueless people are, and I have participated myself on occasion. But after talking with my wife and in-laws yesterday I realize how *easy* it is to dupe 95% of the computer using population using these tactics. These are people that are educated, smart and generally not clueless in life... but when it comes to computers they are. I had to explain to my sister-in-law why my brother-in-law was receiving Cialis/Viagra emails shortly after posting their clean (well, it was) email address on petfinder.com. My point is, it may seem like there is a low percentage of willing responders to a phone phishing attempt, but I can say from my observation that this new technique should be more successful than ever!

    I just wonder isn't it really easy to trace phone numbers?
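The "warning messages about mismatching IP addresses" fprintf found in the headers are the kind of thing a small header check can surface automatically. The following is an added example, not the poster's or PayPal's code, that parses a constructed raw message and flags two inconsistencies: the visible From domain differing from the envelope Return-Path domain, and the originating host naming the From domain in its HELO while the receiving server's reverse lookup says otherwise. The message, the hostnames and the documentation-range addresses are all constructed for the example.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed raw message for this example. The Received lines follow the
# "from <HELO> (<reverse DNS> [<ip>]) by <host>" shape most MTAs write.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP; Sat, 8 Jul 2006 11:20:00 -0400
Received: from paypal.com (unknown [198.51.100.77])
\tby mx.example.org with SMTP; Sat, 8 Jul 2006 11:19:58 -0400
From: "PayPal Account Verification" <service@paypal.com>
To: someone@example.org
Subject: Account Verification

Dear customer, please call us to verify your account.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\]]+)\s+\[(?P<ip>[\d.]+)\]\)"
)


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Return-Path style header."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def parse_hops(msg: Message) -> list[dict]:
    """Parse Received headers, most recent hop first, into helo/rdns/ip dicts."""
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(value)
        if match:
            hops.append(match.groupdict())
    return hops


def analyze(raw: str) -> dict:
    """Flag header inconsistencies of the kind the comment above noticed.

    Checks the visible From domain against the envelope (Return-Path) domain,
    and whether the first hop's HELO claims the From domain while the reverse
    DNS recorded by the receiving server does not.
    """
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    hops = parse_hops(msg)
    origin = hops[-1] if hops else None  # bottom-most Received = first hop
    findings = []
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(
            f"From domain {from_domain} differs from Return-Path domain {return_path_domain}"
        )
    if origin and from_domain:
        claims_from_domain = origin["helo"].lower().endswith(from_domain)
        rdns_matches = origin["rdns"].lower().endswith(from_domain)
        if claims_from_domain and not rdns_matches:
            findings.append(
                f"origin host says HELO {origin['helo']} but reverse DNS is "
                f"{origin['rdns']} for {origin['ip']}"
            )
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_ip": origin["ip"] if origin else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE)["findings"]:
        print("WARNING:", finding)
```

One caveat a practitioner would add: only the Received lines written by your own servers are trustworthy; everything below them was supplied by the sending side and can say whatever the sender likes, so the reverse-DNS and IP facts you rely on should come from the hop your own MX recorded.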
  • Why?!? (Score:1)

    by kahrytan (913147) on Saturday July 08 2006, @01:35PM (#15684005)
    (http://humblebegin.blogspot.com/)
    I just have a couple of questions.

    Why is Phishing so successful?
    What is so hard about actually contacting the company yourself?

    Suggestion:
      Record IP addresses or domains of phishing sites and add them to HOSTS. Along with addresses used in trojans and worms. Also add them to Routers.

        Quick. Someone write a program that automatically updates HOSTS file and charge $19.95/year or $4.95/month for the peace of mind that you won't be caught up in phishing attempts or viruses.

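kahrytan's suggestion of feeding known phishing hostnames into the HOSTS file is a real, if blunt, control. The following is an added example, not the poster's program, of the two parts such a tool needs: validating the feed (so a malformed line cannot corrupt the hosts file, and localhost can never be sinkholed) and rewriting only a marked block so the operator's own entries survive and repeated runs are a no-op. The blocklist, the hosts content and the marker strings are constructed for the example.

```python
import re

BEGIN_MARKER = "# BEGIN phishing-blocklist (managed)"
END_MARKER = "# END phishing-blocklist (managed)"
SINKHOLE = "0.0.0.0"

# Constructed blocklist feed for this example: one hostname per line, with
# comments, blank lines, a junk entry and a localhost entry that must be rejected.
SAMPLE_BLOCKLIST = """\
# hostnames seen in phishing mail (constructed for this example)
PayPal-Verify.example
www.paypal-verify.example

secure-login.example   # trailing comment
not a hostname!!
localhost
"""

# Constructed existing hosts file content.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
192.0.2.5 intranet.example
"""

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, at least two labels.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)
NEVER_BLOCK = {"localhost", "localhost.localdomain"}


def parse_blocklist(text: str) -> list[str]:
    """Return the valid, lowercased, de-duplicated hostnames from a blocklist feed."""
    names = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry and entry not in NEVER_BLOCK and HOSTNAME_RE.match(entry):
            names.add(entry)
    return sorted(names)


def render_hosts(existing: str, hostnames: list[str]) -> str:
    """Return `existing` with the managed block replaced by fresh sinkhole entries.

    Only the text between the markers is touched, so the operator's own
    entries survive, and running it twice with the same list gives the same file.
    """
    kept, inside_block = [], False
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARKER:
            inside_block = True
            continue
        if stripped == END_MARKER:
            inside_block = False
            continue
        if not inside_block:
            kept.append(line)
    while kept and not kept[-1].strip():
        kept.pop()
    block = [BEGIN_MARKER] + [f"{SINKHOLE} {name}" for name in hostnames] + [END_MARKER]
    return "\n".join(kept + [""] + block) + "\n"


if __name__ == "__main__":
    print(render_hosts(SAMPLE_HOSTS, parse_blocklist(SAMPLE_BLOCKLIST)))
```

Note the limit the thread itself exposes: a hosts-file blocklist only helps against phishing that needs the victim to resolve a hostname, and the mails discussed here contain no URL at all, only a phone number.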
  • Wait, it asks you to call a long distance number? Any self-respecting company nowadays has an 800 number for you to call. Paypal HAS an 800 number printed on their webpage somewhere; I don't understand how people can actually fall for this. Anyone with half a brain would go "A long distance number? What kind of BS is this?"

    Even in today's day-and-age of Free Long Distance service via VOIP and Wireless carriers, 800 numbers are still quite popular, even small businesses that do business over the internet have them.
  • Catch 22? (Score:2, Interesting)

    by wbean (222522) on Saturday July 08 2006, @03:35PM (#15684417)
    The other day I got an automated call from a credit card company asking me to call an 800 number to review account details. When I called I was in the voice-mail system that sounded like the company but without any explanation of what I was to do. When I finally managed to get to an operator she wouldn't discuss the matter with me without the last four digits of my social security number, and I wouldn't give her those. So there we were, she didn't know who I was and I didn't know who she was. I got through two levels of supervisor and still never found out what the call was about.
  • Sample (Score:4, Informative)

    I got one of these. Here is a copy of it:
    PayPal
    Account Verification
    Dear $email_addres
    You have received this email because we have strong reason to belive that your
    PayPal account had been recently compromised. In order to prevent any fraudulent
    activity from occurring we are required to open an investigation into this matter.

    If your Credit/Debit Card on file is not updated within the next 48 hours, then will
    assume this account is fraudulent and will be suspended. We apologise for this
    inconvenience, but the purpose of this verification is to ensure that your PayPal
    account has not fraudulently used and to combat fraud attempts.

    To speed up the process, you are required to call us ($phone_number) to verify your
    PayPal account.

    We apologise in advance for any inconvenience this may cause you and we would like
    to thank you for cooperation as we review this matter.

    Regards,
    PayPal Account Verification.
    Copyright (c) 1999-2006 PayPal. All rights reserved.
    --
    Please do not reply to this e-mail. Mail sent to this address cannot be answered.

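The sample above shows what makes this campaign different from ordinary phishing: there is nothing to click, only a number to call, wrapped in pressure language. The following is an added example, not the poster's or PayPal's code, of a heuristic that scores a message body for that pattern and returns the evidence alongside the verdict. The two bodies are constructed for the example (the first follows the structure of the quoted mail with a fictional-range phone number, the second is a benign notice for contrast), as are the phrase list and scoring weights.

```python
import re

# Constructed samples for this example.
SAMPLE_VISHING = """\
Dear customer,
You have received this email because we have strong reason to believe that your
PayPal account had been recently compromised. If your Credit/Debit Card on file
is not updated within the next 48 hours, this account will be suspended.
To speed up the process, you are required to call us (1-555-010-0199)
to verify your PayPal account.
Please do not reply to this e-mail.
"""

SAMPLE_LEGIT = """\
Your July statement is ready. Sign in at https://www.example.com/statements
to view it. Questions? Use the contact page on our site.
"""

URL_RE = re.compile(r"https?://|\bwww\.", re.IGNORECASE)
# North American numbers with optional country code; the boundaries keep it
# from matching inside longer digit runs such as years or card numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
)
URGENCY_PHRASES = (
    "compromised", "suspended", "within the next 48 hours",
    "required to call", "verify your", "do not reply",
)


def classify(body: str) -> dict:
    """Score an email body for the voice-phishing pattern.

    The signature of this campaign is a phone number as the only call to
    action with no URL at all; pressure phrases add to the score, capped so
    one long mail cannot dominate. The evidence is returned with the verdict
    so an analyst can see why a message was flagged.
    """
    lowered = body.lower()
    phones = PHONE_RE.findall(body)
    has_url = bool(URL_RE.search(body))
    urgency_hits = [phrase for phrase in URGENCY_PHRASES if phrase in lowered]
    score = 0
    if phones and not has_url:
        score += 2  # call us, nothing to click
    score += min(len(urgency_hits), 3)
    return {
        "phones": phones,
        "has_url": has_url,
        "urgency_hits": urgency_hits,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "ok",
    }


if __name__ == "__main__":
    for label, body in (("vishing", SAMPLE_VISHING), ("legit", SAMPLE_LEGIT)):
        print(label, classify(body))
```

A filter like this is a triage aid, not a verdict: the numbers it extracts are exactly what a mail gateway should log and compare against the contact numbers the real company publishes, which is the check the posters who called the official number did by hand.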
  • My Simple Solution (Score:2)

    by DarkNemesis618 (908703) on Saturday July 08 2006, @11:57PM (#15685851)
    (http://www.darkernemesis.com/)
    If it's paypal, ebay, or hell, any company that you "supposedly" get an e-mail from with a phone number to call, don't call it. Go to the company's OFFICIAL site (actually type in the URL, no links), get that phone number and call it if you're not sure. That way you know it's valid. Most customer service reps will completely understand about phishing, so you shouldn't get made fun of, criticized, or anything. The few times I checked, the service reps were very understanding and simply said something along the lines of "thanks for alerting us, but there's nothing you need to do, your account is fine. Please go to our webpage and submit a phishing report." They were always very nice and polite. So don't hesitate to call and check, just don't use any links or phone numbers in the email.

    And also, if you don't have an account with a bank, and that bank emails you requesting verification...yeahhhhhh...just delete it or report it and then delete it.
  • yet again... (Score:1)

    by u235meltdown (940099) <qayshp.gmail@com> on Sunday July 09 2006, @05:27AM (#15686339)
    (http://qays.net/)
    I have already been getting emails like this, with a phone number instead of link. These were for "colleges" that were trying to recruit me. Hahaha, funny.
    As for the pay pal ones, so far I have received two, both marked as spam by Gmail. I have reported them as phishing. They were identical except for the phone numbers.

    The full email received is posted here [qays.net].

    The "pay pal" phone numbers 1-805-214-4801 and 1-530-204-6800

    It seems to me like the spoofer is a ChoiceOne subscriber, or a poor drone sending out emails because of a trojan.
  • The first time I encountered phishing was before it even had a name, and it was retardedly obvious, and not even a good attempt. After that, I was very hesitant with anything of that sort; then phishing became more widespread, got a name, etc., so I made a simple rule for myself. Never ever respond to or click on anything, or call any number given to me, that asks me for anything I wouldn't tell any stranger I met on the street. Ever. I have all the numbers and websites for all my financial information, and other companies I do business with. I will go to them directly if I ever have any question. This seems to 100% eliminate any kind of phishing ever, so why is this thing still an issue? Why is this not the general rule for every person? And why is phishing still a problem?
  • by StikyPad (445176) on Sunday July 09 2006, @08:52PM (#15688591)
    (http://slashdot.org/)
    Obviously it's time to fight fire with fire. Companies such as eBayPal, Citigroup, et al need to start "phake phishing." When the recipient clicks on the link or calls the number, he or she will be presented with:

    YOUR BANK ACCOUNT IS EMPTY.

    At least, that could have been the result from clicking on this link. NEVER trust e-mails which claim to require account information, logins, or passwords. Delete them, and/or forward them to abuse@ourwebsite.com. If in doubt, call the number on your most recent bill, or find our number in the phonebook to discuss the issue with one of our representatives.
  • When did they stop calling this Social Engineering?
  • This type of advertising doesn't work on me. If the advertiser cannot spell the product and produce meaningful sentences without mumbo jumbo at the end, then I don't give it any attention and delete it. Imagine if TV ads were like this; the company would be out of business in a week, flat. So I ask, why is this email spamming thing still going on if it isn't looking professional?