Vishing is alive and well -- and impacting midsize banks
Multiple recent vishing attacks (Voice over IP phishing) have been stealing payment card data from the customers of U.S. banks. In an attack last week, customers of a midsize bank received SMS text messages claiming their debit card was deactivated and requesting they provide the card and PIN numbers to reactivate it.
PhishLabs investigated the attack and uncovered a cache of stolen payment card data belonging to customers of dozens of financial institutions. Based on analysis of the recovered cache, we estimate the vishing crew responsible for the attack has stolen the data of 250 cards per day in this vishing campaign. Further investigation also indicated that one of the phone numbers used in the campaign has likely been used in vishing attacks since October of 2013.
Vishing is still alive and well
Vishing, or Voice over IP phishing, is a method of stealing payment card data and credentials in which fraudsters send phone or SMS text messages that pose as banks or other institutions, in order to trick victims into divulging their card information. While not as prevalent as online phishing and crimeware attacks, vishing attacks are often run by professional crews. These crews use vishing to harvest card data, which they then sell or hand off to cash-out crews. The data is then used for card-not-present transactions (e.g. shopping online or via phone) or it is encoded onto new cards to purchase goods or withdraw cash from ATMs.
Based on our investigation, we believe this vishing campaign is being carried out by an eastern European vishing crew. The operation uses email-to-SMS gateways to spam out text messages that instruct recipients to call a phone number to reactivate their card. When called, an IVR (Interactive Voice Response) system requests that the caller enter their card number and PIN. This data is captured by the IVR system and stored for retrieval by the vishing crew.
The Financial and Operational Impact of Vishing
The financial cost of a vishing attack is significant for targeted organizations. Each stolen payment card can result in hundreds of dollars in fraud losses and card replacement costs. The withdrawal limit on ATM cards is typically $300 per day. Using the recently investigated attack as an example, at 250 stolen cards per day, $75,000 can be lost each day of the attack if the stolen cards are used in an ATM cash-out operation.
In addition to the significant financial losses due to stolen funds and the costs of replacing cards for the victimized customers, vishing attacks can be extremely disruptive to banking operations. Banks hit with vishing attacks often report surges of inbound calls into their customer support operations. Small and midsize banks that do not have overflow support capacity typically see their phone lines quickly become saturated. The recent attack caused the volume of inbound calls to the targeted bank to surge quickly, creating long wait times and other operational headaches.
The Card Verification Gap (CVV1/CVC1)
Track 2 of a payment card’s magnetic stripe is used to authenticate payment cards. One of the track 2 values is the CVV1 (Card Validation Value) or the CVC1 (Card Validation Code). As the name implies, CVV1/CVC1 is used to validate the authenticity of the card. Since the CVV1/CVC1 value is not printed on the card (it’s only on the magnetic stripe), customers cannot unwittingly divulge it to fraudsters. Ideally, this prevents fraudsters from easily fabricating working payment cards from stolen card data, limiting them to card-not-present purchases.
Figure 1: CVV1/CVC1 value in track 2 payment card data.
Unfortunately, some card issuers and payment processors do not authenticate the CVV1/CVC1 code. This allows vishing crews, cash-out gangs and other fraudsters to create payment cards using stolen card data and use those cards to directly withdraw funds.
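To make the verification gap concrete, here is an added example (not PhishLabs' code) that parses track 2 data and runs a simplified issuer-side authorization with and without the CVV1 check. The discretionary-data layout (PVKI, PVV, CVV1, padding), the issuer key and the keyed-MAC derivation of CVV1 (a stand-in for the issuer's DES-based CVK computation) are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Track 2 layout: [;]PAN=YYMM SSS discretionary-data[?]
# (PAN, '=' separator, expiry, service code, issuer-defined discretionary data).
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")

# Assumed issuer layout of the discretionary field: PVKI(1) PVV(4) CVV1(3) pad.
CVV1_SLICE = slice(5, 8)


def parse_track2(track: str) -> dict:
    """Split track 2 into fields; the CVV1 offset follows the assumed layout."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not track 2 data")
    fields = m.groupdict()
    fields["cvv1"] = fields["disc"][CVV1_SLICE]
    return fields


def luhn_ok(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def derive_cvv1(pan: str, exp: str, svc: str, issuer_key: bytes) -> str:
    """Stand-in for the issuer's CVK computation (the real scheme is DES-based):
    keyed MAC over PAN|expiry|service code, decimalised to 3 digits."""
    mac = hmac.new(issuer_key, f"{pan}{exp}{svc}".encode(), hashlib.sha256).hexdigest()
    digits = [c for c in mac if c.isdigit()]
    digits += [str(int(c, 16) - 10) for c in mac if c in "abcdef"]
    return "".join(digits)[:3]


def authorize(track: str, issuer_key: bytes, check_cvv1: bool = True) -> tuple:
    """Issuer-side decision for a magstripe (card-present) transaction."""
    f = parse_track2(track)
    if not luhn_ok(f["pan"]):
        return False, "bad PAN"
    if check_cvv1 and f["cvv1"] != derive_cvv1(f["pan"], f["exp"], f["svc"], issuer_key):
        return False, "CVV1 mismatch"
    return True, "approved"


# Constructed sample: a genuine stripe vs. one re-encoded from vished PAN/expiry,
# which carries no discretionary data because the IVR never saw the stripe.
KEY = b"constructed-issuer-key"
PAN, EXP, SVC = "4111111111111111", "2512", "101"
GENUINE = f";{PAN}={EXP}{SVC}10000{derive_cvv1(PAN, EXP, SVC, KEY)}00000?"
REENCODED = f";{PAN}={EXP}{SVC}?"
```

Running `authorize(REENCODED, KEY)` declines the re-encoded card with "CVV1 mismatch", while `authorize(REENCODED, KEY, check_cvv1=False)` approves it: that is the gap a processor opens by skipping the check.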
The Vishing Process
While the vishing operations vary from crew to crew, they generally all follow a similar high-level process:
- Vishers find and compromise vulnerable servers and install IVR software
- They locate a vulnerable VoIP server and hijack the DID function (Direct Inward Dialing)
- They assign a hacked phone number to their IVR system
- Using free text-to-speech tools, they generate their recordings and load them into the IVR system
- They send out spam texts containing the hacked phone number to thousands of phone numbers using email-to-SMS gateways
Figure 2: Vishers use email-to-SMS gateways to broadly distribute SMS text vishing messages.
- The compromised VoIP server directs incoming calls to the IVR system, where victims are prompted for card data and their PIN.
- Any data entered is saved and stored locally, or sent to a drop site, for retrieval.
Figure 3: Victims are routed to the visher’s IVR and asked to provide card data and PIN.
Targeted companies often encounter difficulties when attempting to mitigate vishing attacks. It can take weeks for an organization to navigate the structures of telecom providers, carriers, and service providers and effectively shut down the phone numbers used to scam customers. The following recommendations are provided to help organizations more effectively protect against vishing attacks and minimize their impact.
Recommendations for Financial Institutions
- Make sure CVV1/CVC1 is encoded on cards and validated by your card processor.
- When calling customers, use a caller ID telephone number that matches the number on the back of the card. Using different numbers can result in customers being more likely to trust vishing messages.
- Proactively engage with telecoms to understand their procedures and connect with the appropriate technical and anti-fraud resources.
- Have a response plan in place that includes customer notification via your primary communications sources.
- Ensure front-line customer support personnel are trained to handle vishing reports. This includes collecting the vishing call-back number from customers reporting suspicious calls/messages.
- Consider working with specialized security partners (like PhishLabs) that have significant experience mitigating vishing attacks.
Recommendations for Mobile Carriers
- Implement strong anti-spam controls for email-to-SMS gateways.
- Develop efficient procedures for evaluating fraud reports and mitigating phone numbers and other infrastructure used in vishing attacks.
- Establish expedited reporting channels for financial institutions, anti-fraud companies, and other organizations that submit a high rate of true-positive vishing reports.