In the past two years there have been plenty of reports and warnings about SMS-based fraud; we might as well call it Sishing, with the S standing for SMS. A step up in technical sophistication is Phishing: send out a mass email, then wait for some of the recipients to click the link it contains. The link leads to a prompt page: "to restore your credit card, please enter your card number and password", and the steps after that are simple. Everyone knows this as a phishing attack, and many vendors have already proposed various solutions to keep users from being deceived, including the contributions of IE7 and Firefox 2.0. Various media and public-awareness channels are also doing their part to build the public's self-protection instincts so that people are not easily fooled:
Do not casually click links in unfamiliar emails
No bank, credit card company or telecom carrier will ever ask a user for a password by any means
Now the fraud technique has been updated again: the email you receive embeds some phone numbers and lists various reasons for you to call. Ordinarily, the typical user's understanding of phone-number threats stops at toll fraud, such as forwarding a call to a premium-rate information line. But what you hear now is a standard Call Center prompt: please enter your number followed by #, please enter your password followed by #... This kind of attack is called Vishing, where the V stands for VoIP (Voice over IP).
Just as Internet surfers have gotten wise to the fine art of phishing, along comes a new scam utilizing a new technology.
Creative thieves are now switching their efforts to "vishing," which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information.
Phishing is the sneaky art of sending an e-mail to people pretending to be from a bank or major online merchant, such as Amazon or eBay, asking them to click on a link and verify their account information.
The user is then directed to a fake site that collects the login and password information.
Repeated efforts on the part of security firms have educated users to be cautious about clicking on links from unknown senders.
But now, the criminal element has shifted from asking people to click on links to placing a phone call instead. Only the number isn't a bank's or credit card company's; it's a VoIP phone that can recognize telephone keystrokes.
The thieves don't even use an e-mail blast; they use a war dial over a VoIP system to blanket an area. A recorded message tells the person receiving the call that their credit card has been breached and to "call the following (regional) phone number immediately."
When the user calls the number, another message is played stating, "This is account verification, please enter your 16-digit account number." The rest is academic.
Secure Computing, which specializes in secure connections over networks, sent up the red flag over this new method. Secure Computing engineers have been tracking news group sites and open disclosure discussion groups discussing vishing.
"This is just a natural evolution of phishing itself," said Paul Henry, vice president of strategic accounts for Secure Computing.
"Simply put, people are becoming more aware of the fact that an e-mail containing a URL could be malicious in nature. So hackers are moving away from the URL and using something victims are more familiar with like calling a number."
Henry said Secure Computing raised the issue over a year ago, but the first recorded incident took place last month, involving a Santa Barbara bank, then a second incident in early July involving Paypal.
Henry said there is no real preventative technology solution. Caller ID spoofing is very simple, and VoIP providers like Skype allow customers to pick not only their area code but the prefix as well, so it's possible to pick a phone number in the same area code and prefix of a major bank.
To that end, Henry thinks the VoIP companies could help with the issue by being a little stricter in their signup process, but doesn't think they will.
"These VoIP companies are in the business of producing value for their shareholders, so they are trying to drive down transaction costs. They want establishment of a new account to be as fast and painless as possible," Henry said.
At this point, common sense is your best defense, said Henry. "If you receive an e-mail that would direct you to a telephone number, don't use that number. Contact your credit card provider or whoever with a known number that's good."
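One way a mail filter can apply the check Henry describes (use only a known-good number, never the one in the message), written here as an added example and not code from Secure Computing or the article: extract the callback numbers in a message and compare them against the published contact numbers of the institution the message claims to come from, flagging unknown numbers that sit beside "verify your account" wording. The allowlist, lure words and sample messages are constructed placeholders.

```python
import re

# Constructed allowlist of each institution's published contact numbers
# (hypothetical 555 numbers, not any real company's; a real filter would
# load these from the institutions' own published contact pages).
KNOWN_GOOD_NUMBERS = {
    "paypal": {"18005551234"},
    "example bank": {"18005559876", "18885550000"},
}

# Wording that, next to a callback number, signals a "call us to verify" lure.
LURE_WORDS = ("verify", "verification", "breached", "suspended",
              "immediately", "account number", "credit card")

# US-style numbers: optional leading 1, then 3-3-4 digits with ()/space/./- separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")


def extract_numbers(text):
    """Return the set of phone numbers in text, normalized to 11 digits (1 + area + local)."""
    return {"1" + "".join(groups) for groups in PHONE_RE.findall(text)}


def analyze_message(body):
    """Classify an e-mail body by whether its callback numbers match the brand
    it claims to come from. Returns the evidence gathered plus a verdict."""
    lowered = body.lower()
    numbers = extract_numbers(body)
    claimed = [brand for brand in KNOWN_GOOD_NUMBERS if brand in lowered]
    lures = [word for word in LURE_WORDS if word in lowered]
    # Only numbers published by the brand the mail itself names count as trusted.
    trusted = set().union(*(KNOWN_GOOD_NUMBERS[b] for b in claimed))
    untrusted = sorted(numbers - trusted)
    if not numbers:
        verdict = "no-callback-number"
    elif untrusted and lures:
        verdict = "suspicious"       # unknown number plus urgency wording
    elif untrusted:
        verdict = "review"           # unknown number, no lure wording
    else:
        verdict = "ok"               # every number is one the brand publishes
    return {"numbers": sorted(numbers), "claimed": claimed, "lures": lures,
            "untrusted": untrusted, "verdict": verdict}


# Constructed sample messages (not real mail) for a stand-alone run.
LURE_MAIL = ("PayPal Alert: your account has been breached. "
             "Call (800) 555-0199 immediately for account verification.")
LEGIT_MAIL = "PayPal: reach customer service at 1-800-555-1234 during business hours."

if __name__ == "__main__":
    for mail in (LURE_MAIL, LEGIT_MAIL):
        print(analyze_message(mail)["verdict"])
```

A message that names no institution but still pairs a number with lure wording is also reported as suspicious, since the filter has no published number to trust it against.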
Daniel Hong, senior voice business analyst for Datamonitor, concurred that users need to be educated all over again.
"There's definitely vulnerability, because this is a completely new approach, especially in terms of customer behavior and customer psyche," Hong said.
"There's been a lot of education on Internet scams, but there hasn't been a lot of awareness concerning the phone. So if there's an automated phone prompting you, it seems more credible than getting an e-mail blast from hackers out there."
More stringent measures for VoIP account activation could help, but in the end, education might be the best solution. "If the hacker is able to get to the consumer," said Hong, "then education will make the difference."