NEWS FROM THE LAB - Thursday, June 29, 2006

Phishing Hooks
Posted by Sean @ 13:14 GMT

Hypothetical Mobile Phishing

April 2006 brought news of e-mail trying to lure recipients into calling toll-free phone numbers. Automated voice systems on the other end of the numbers were used to request personal info (credit card number, PIN, etc.), supposedly for Chase Bank.

Bait has been taking other forms as phishers have been testing VoIP systems. VoIP bots are calling individuals directly with "account requests". And it works: people have been conditioned to recognize such scams via e-mail, but their guard is down when they receive a request on their phone.

In a fairly related matter, there was a recent attempt to use SMS messages to lure recipients into visiting a website to "unregister" from a sham dating service, or else be charged $2 USD. The process was an effort to install a Backdoor Trojan. The SMS messages were spammed in bulk to numbers in the UK and Iceland. (The Irreal Dating site is still online.)

We could predict that it's only a matter of time before phishers try SMS as a vector. It seems likely that someone could be tempted into clicking on a phone/web link within an SMS, only to be directed to an automated phishing net. We could predict that, but in fact it reportedly already happened in China last October.

Bottom line: When it comes to requesting your personal data, don't trust ANY source.