TMCnet News

Cloudmark Detects - and Thwarts - New VoIP Phishing Threat Discovered on its Network
[April 25, 2006]



TMCnet Associate Editor
 
When it comes to identity theft, we’ve all been given plenty of practical advice to follow: Don’t leave your Social Security number where wandering eyes can see it; shred all documents containing personal information before you throw them away; never make purchases from non-secure websites; and don’t give out any personal information over the phone unless you are the one who placed the call.



That last bit of advice, however, has had a huge hole blown through it with the recent emergence of “VoIP phishing attacks.” Although there will likely be many permutations of this insidious and illegal practice in the future, the most common example of VoIP phishing is where someone posing as a bank or other financial institution contacts you via email and fools you into calling them via a VoIP call which you initiate yourself. (At least, that is the form it has taken since it was first detected about six months ago.) It is really no different from conventional email phishing, except that it is telephone-based, rather than website-based, and the form of telephony used is IP-based, rather than PSTN-based.

The Cloudmark Collaborative Security Network (CCSN) recently spotted this new variant of e-mail phishing inside its network. According to the company, the attack circulates via e-mail from a “bank” and requests that customers call an “official” number to verify account information. The phone number connects the customer over VoIP to a PBX system that utilizes an interactive voice recognition (IVR) application. The customer then provides his personal account information, which, in turn, is transcribed and saved by the IVR system. From there, the perpetrators can take the information collected and get down to the sleazy business of ripping off the credit card companies while simultaneously destroying people’s lives.


Cloudmark, however, claims that it has managed to detect and stop these attacks through the use of “fingerprinting algorithms” – software specifically designed to detect unique features of attacks – in this case, VoIP phone numbers. After discovering the new attack variant, Cloudmark performed an analysis of phishing attacks that contained phone numbers on the CCSN. As a result, the Cloudmark team of experts identified other variants of the same attack (in fact, they discovered that there had been two separate attacks). After performing an analysis of the scope and timeframe of the attacks, Cloudmark was able to initiate filtering which brought the number of these phishing emails down to almost zero in just a matter of days.

Adam O’Donnell, senior research scientist with Cloudmark, explained during a recent interview that although the process of “fingerprinting” is fast and automated (detection, he said, takes place within “minutes”), the CCSN is still dependent on its users for the detection of VoIP phishing attacks.

“All of our users get a certain amount of spam that isn’t filtered,” he said, adding that Cloudmark depends on its users to send these emails to its network, “where it gets sent to our filters on the back end.” From there, it’s just a matter of finding the commonalities, or patterns, amongst the spam emails to determine if certain ones are part of a broad-scale VoIP phishing attack.

“If enough of our trusted users send us the same content (i.e. spam emails), then we can detect based on just filtering that content alone,” O’Donnell said, adding that this is what the “collaborative” element of the CCSN is all about.
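A minimal sketch of the idea described above: the phone number serves as the attack's fingerprint, and filtering starts once enough trusted users report it. This is an added example, not Cloudmark's algorithm; the regex, the truncated SHA-256 fingerprint, the reporter names, the threshold and the sample messages are all assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# North American numbers in common written forms:
# (800) 555-0142, 1-800-555-0142, 800.555.0142
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

def phone_fingerprints(body):
    """Return one fingerprint per distinct phone number, independent of formatting."""
    numbers = {"".join(m.groups()) for m in PHONE_RE.finditer(body)}
    return {hashlib.sha256(n.encode()).hexdigest()[:16] for n in numbers}

def build_blocklist(reports, trusted, threshold):
    """Flag fingerprints reported by at least `threshold` distinct trusted users."""
    reporters = defaultdict(set)
    for user, body in reports:
        if user not in trusted:
            continue  # reports from untrusted senders carry no weight
        for fp in phone_fingerprints(body):
            reporters[fp].add(user)  # a set, so repeat reports by one user count once
    return {fp for fp, users in reporters.items() if len(users) >= threshold}

def is_blocked(body, blocklist):
    """True if the message contains any phone number already on the blocklist."""
    return not phone_fingerprints(body).isdisjoint(blocklist)

# Constructed sample data (fictional 555-01xx numbers, hypothetical reporters)
TRUSTED = {"alice", "bob", "carol"}
REPORTS = [
    ("alice", "Your account is locked. Call (800) 555-0142 to verify."),
    ("bob", "Dear customer, please phone 1-800-555-0142 immediately."),
    ("bob", "Dear customer, please phone 1-800-555-0142 immediately."),
    ("carol", "Security notice: dial 800.555.0142 and enter your card number."),
    ("mallory", "Call 800-555-0199 about your order."),
    ("alice", "Lunch? My desk line is 415-555-0100."),
]
BLOCKLIST = build_blocklist(REPORTS, TRUSTED, threshold=3)
```

The three differently formatted copies of the same number collapse to one fingerprint, so a reworded message with no URL is still caught as long as the callback number is reused.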

O’Donnell said what makes VoIP phishing unique is the IP element. He said VoIP’s low cost – plus the ease with which people can set up and break down numbers – makes it the ideal type of telephony for phishers and other scam artists.

“Certainly, the economics have changed,” he said. “It’s so much cheaper now to get a phone number and it costs nothing to have it connected to a computer or PBX. In that sense, this is pretty novel …”

O’Donnell pointed out that with no link to a phishing website in the email, fraud detection software may not be able to identify and block these scam email messages. However, Cloudmark’s fingerprint-based, collaborative security network has been shown to be effective at blocking new attacks, regardless of the type or method - even without a supervised learning process.

While the recent VoIP phishing attacks detected by Cloudmark had a negligible impact on the CCSN’s user base, they are alarming nevertheless - and they underscore the need for more rigorous enforcement. The company reminds and urges recipients of suspicious messages to notify their service providers immediately.

Although CCSN first spotted and began to block VoIP phishing threats just last week, it is characteristic of the network to automatically stop threats without the research team having previously identified them; it is therefore likely that the CCSN has been stopping VoIP-based attacks for some time.

“Cloudmark’s large customer base gives them a unique position to detect and prevent phishing attacks, which are highly sophisticated, targeted, transient and dynamic, thereby making it far more difficult to uncover and capture the perpetrators,” said Dr. Jose Nazario, a senior security engineer within the Arbor Security Engineering & Response Team (ASERT) at Arbor Networks, which provides network security for global business networks. “Leveraging their unparalleled data helps Arbor by enabling its customers to track and stop phishers mid-attack.”

O’Donnell said Cloudmark continuously offers assistance to U.S. and international government agencies for the apprehension and prosecution of the criminals perpetrating these attacks.

Cloudmark also offers an anti-phishing data service that provides confirmed phishing URLs to customers. The Cloudmark anti-phishing engine fits within the service provider’s infrastructure to provide filtering protection at the messaging gateway from fraudulent email. It scans each message and computes a set of fingerprints on the message, a process that is automatic, lightweight and highly scalable for large volumes of email.

Cloudmark claims its approach consistently proves faster and more accurate than competing methods because it relies on fingerprinting algorithms to analyze the structure of messages sent by phishers and to block new attacks in advance of receiving URL reports.


For more information about Cloudmark, visit http://www.cloudmark.com.

------

Patrick Barnard is Associate Editor for TMCnet and a columnist covering the telecom industry. To see more of his articles, please visit Patrick Barnard’s columnist page.
