Do Not Call List—R.I.P.
Posted by Dan Ingevaldson on November 26, 2007 at 8:09 PM EST.
Starting mid-November, there have been hundreds of reports in Alabama, Tennessee, Florida and Mississippi of what I suspect might be a hybrid SPIT (Spam over Internet Telephony) and Phishing scam (See an article from Fox News).
The calls all originated from the same two numbers, with varying caller-id information. Some callers reported that the caller-id information said, “THIS IS A SCAM”. I still can’t figure that one out. The originating numbers appear to be associated with a hosted voicemail service in California. When answered, the victim is played an automated recording informing them that their accounts have expired, and that they must visit a fraudulent site where they must enter their username and password.
There was nothing special about the phishing site, but the widespread nature of the SPIT campaign is alarming.
Regions Bank and the FBI have made announcements about this specific threat.
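The campaign signature described above is many automated calls that share the same originating number while presenting varying caller-id strings. As an added example (not from the original post, and not any carrier's production logic), the following detector runs that heuristic over call detail records; the record layout, field names and all numbers in it are constructed for illustration.

```python
# Added example: flag SPIT campaigns in call detail records (CDRs). The signal is
# an origin that places many calls in a short window while rotating the
# caller-id it presents. Volume alone matches legitimate call centres; volume
# combined with caller-id churn is the SPIT signature. All data is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cdr:
    ts: int             # epoch seconds at which the call was placed
    origin: str         # originating number/trunk as recorded by the carrier
    presented_cid: str  # caller-id string shown to the callee (attacker controlled)
    destination: str    # called number


def find_spit_campaigns(cdrs, window_s=3600, min_calls=50, min_distinct_cid=5):
    """Return {origin: (calls, distinct_cids, distinct_destinations)} for every
    origin that, within some window of `window_s` seconds, placed at least
    `min_calls` calls and presented at least `min_distinct_cid` caller-ids."""
    by_origin = defaultdict(list)
    for c in cdrs:
        by_origin[c.origin].append(c)
    flagged = {}
    for origin, calls in by_origin.items():
        calls.sort(key=lambda c: c.ts)
        lo = 0
        for hi in range(len(calls)):
            while calls[hi].ts - calls[lo].ts > window_s:  # slide window start
                lo += 1
            window = calls[lo:hi + 1]
            cids = {c.presented_cid for c in window}
            if len(window) >= min_calls and len(cids) >= min_distinct_cid:
                flagged[origin] = (len(window), len(cids),
                                   len({c.destination for c in window}))
                break  # first qualifying window is enough to flag this origin
    return flagged


def sample_cdrs():
    """Constructed CDRs: one SPIT origin rotating six caller-ids (one of them the
    "THIS IS A SCAM" string seen in the campaign), one legitimate high-volume
    call centre with a fixed caller-id, and one ordinary subscriber."""
    spoofed = ["2055550100", "2055550101", "6155550102",
               "THIS IS A SCAM", "9015550103", "2515550104"]
    cdrs = [Cdr(1_195_000_000 + 10 * i, "4155550199",
                spoofed[i % len(spoofed)], f"205555{i:04d}") for i in range(60)]
    cdrs += [Cdr(1_195_000_000 + 30 * i, "8005550111", "8005550111",
                 f"615555{i:04d}") for i in range(80)]
    cdrs += [Cdr(1_195_000_000 + 600 * i, "2565550122", "2565550122",
                 "2565550133") for i in range(3)]
    return cdrs
```

Running `find_spit_campaigns(sample_cdrs())` flags only the rotating origin; the call centre's 80 calls pass because its presented caller-id never changes.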
Many of us in the security industry have been talking about the threat posed by these sorts of attacks for years. Of course, one need not take a huge intellectual leap to make this sort of prediction. All of the ingredients are already in the pot:
1. Outbound VoIP calls are either free or nearly free (termination rates in the US range from $0.015-0.02 per call, and Skype Out Pro offers free intra-US outbound calls)
2. The white market for “voice marketing” or “voice broadcasting” (the practice of calling bazillions of people and playing recorded messages) is doing quite well. These services quote between $0.06 and $0.07 per successful call, but pricing might be irrelevant (see #4 below)
3. Hackers are targeting SIP proxies
4. Credit card information is readily available to set up accounts or purchase minutes
5. US consumers are getting numb to phishing emails
Much like any other attack technique, once a proof of concept is pulled off, the genie is out of the bottle.
Expect to see more SPIT-based phishing scams in the coming months, along with an increasing level of sophistication.
Do you remember when you filled out your application for the "Do Not Call list"? Enjoy the calm while it lasts.