The Vishing Guide
Posted by Gunter Ollmann
on
May 23, 2007 at 9:51 AM EDT.
Many of today’s widespread threats rely heavily on social engineering—techniques used to manipulate people into performing actions or divulging confidential information—to leverage and exploit technology weaknesses. For example, “phishing” is perhaps the most commonly exploited threat currently plaguing the Internet and its users. At one point, phishing referred exclusively to the use of e-mail to deliver messages whose purpose was to persuade recipients to visit a fake Web site designed to steal authentication details. Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used—each with its own nuances and target audiences. The following threats are all subcategories of the
phishing threat:
- “Pharming” is the manipulation of Domain Name Server (DNS) records to redirect victims.
- “Spear phishing” consists of highly targeted attacks.
- “Smishing” uses Short Message Service (SMS) on mobile phones.
- “Vishing” leverages Internet Protocol (IP)-based voice calling.
This white paper specifically examines
vishing and provides an analysis of current and future vectors for this particular attack.
My latest white paper on the subject can be found at
http://www.iss.net/documents/whitepapers/IBM_ISS_vishing_guide.pdfand continues the guide series on this highly organized threat:
