Don't call it in

CBSNews
It's called vishing, and it's yet another way that phishers are trying to get you to give up your personal information, this time over the telephone. In a presentation at Black Hat, Jay Schulman outlined just how criminal hackers are able to do this. Essentially it's a man-in-the-middle attack using VoIP. By recording legitimate telephone services from well-known financial institutions, criminal hackers can, using open-source PBX software such as Asterisk, re-create a realistic-sounding interactive voice recognition system of their own. Because many of these scams come from Eastern Europe and target Americans, the use of text-to-speech software further disguises any accent, lulling phone callers into handing over their info.

In Schulman's example, victims call in and provide the criminal attacker with credit card and ZIP code information, but when they are asked to check their bank balance, they are often handed over to a live telephone operator at the bank in question. The criminal hackers, in this case, are in the middle, recording all the personal information provided. Schulman reminded the audience to call the number on the back of their credit cards, not some number sent to them via e-mail. Further, he asked that financial institutions start educating the public about these scams.