Security Experts at PhishLabs revealed that a vishing campaign targeted banking industry to harvest credit/debit card data from customers.

The security firm PhishLabs revealed that numerous US banks are victims of a recent Vishing (VoIP-based phishing) campaign that is targeting the payment card information of up to 250 Americans per day. Assuming that the withdrawal limits on ATM cards are around $300 per day, the overall amount of money stolen each day is about $75,000.

As remarked by experts at PhishLabs in addition to financial losses and the costs of replacing cards for the victims, vishing attacks can have a serious impact on the banking operations due to the surge of inbound calls into their customer support operations.

“Small and midsize banks that do not have overflow support capacity typically see their phone lines quickly become saturated. “

Vishing (Voice over IP phishing) is the practice to trick bank users into giving up their sensitive information after receiving phone or SMS messages purporting to come from legitimate entities, in the case of the above attacks the attackers requested to the victims the payment card information.

“Multiple recent vishing attacks (Voice over IP phishing) have been stealing payment card data from the customers of U.S. banks. In an attack last week, customers of a midsize bank received SMS text messages claiming their debit card was deactivated and requesting they provide the card and PIN numbers to reactivate it. “

Despite Vishing is not as prevalent as online phishing, it is usually run by professional criminal organizations, experts at PhishLabs speculates that the current campaign is managed by an Eastern European gang. The purpose of the vishing campaign is to harvest card data, which the criminals sell on the underground black market, more than 50 medium-sized banks have been targeted over the last several years.

“The operation uses email-to-SMS gateways to spam out text messages that instruct recipients to call a phone number to reactivate their card. When called, an IVR (Interactive Voice Response) system requests that the caller enter in their card number and PIN. This data is captured by the IVR system and stored for retrieval by the vishing crew.” report the blog post.

The harvest card data are used by criminal organizations for card-not-present transactions (e.g. Shopping online) or are sold to a group that clones the legitimate card using the stolen card information.

Data on this specific vishing attack is slim, but PhishLabs researchers claim that one of the phone numbers used in the campaign has been in use for more than six months and dates back to October 2013.

Vishing attacks aren’t a prerogative of banking offensives, Skype was victims of a similar campaign a few years ago, in that case, the victims were informed by an unsolicited call that their machine was infected than the attackers provided a link to a bogus website used to sanitize them, but these websites were used to serve malware.

Below the suggestions provided to the Financial institutions in the blog post:

• Make sure CVV1/CVC1 is encoded on cards and validated by your card processor.
• When calling customers, use a caller ID telephone number that matches the number on the back of the card. Using different numbers can result in customers being more likely to trust vishing messages.
• Proactively engage with telecoms to understand their procedures and connect with the appropriate technical and anti-fraud resources.
• Have a response plan in place that includes customer notification via your primary communications sources.
• Ensure front-line customer support personnel are trained to handle vishing reports. This includes collecting the vishing call-back number from customers reporting suspicious calls/messages.
• Consider working with specialized security partners (like PhishLabs) that have significant experience mitigating vishing attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, Vishing)

[adrotate banner=”5″]

[adrotate banner=”13″]