Phishers have branched out beyond e-mail and are now exploring both VoIP and text messaging as attack avenues.

Voice over IP is attractive to identity fraudsters because it's an affordable way to dial a large volume of phone numbers, Zulfikar Ramzan of Symantec's Advanced Threat Research group says in a company blog posting. Dubbed "vishing" for voice phishing, "such attacks can be conducted cheaply enough that phishers might see a sufficient return on their investment," Ramzan says. Phishers substitute phone numbers for URLs in traditional e-mailed come-ons or dial consumers directly, circumventing e-mail entirely.

Another tactic, says Ramzan, is "smishing," for SMS phishing. "A victim might receive a phone [text] message saying that he or she will be charged $x per day if a fictitious order at a particular Web site isn't canceled," he says. "In a panic, the victim then visits the site to cancel the order [but] in the process the victim will end up with malicious software on his or her machine."

Symantec also has evidence that phishers are collecting user names and passwords fast enough to defeat two-factor authentication number generators and are using quickly disposed URLs to avoid site blacklisting, an anti-phishing technique.

"Phishers have demonstrated that they really mean business," Ramzan says. "Their attacks have become more frequent, more varied, and quite frankly more innovative."

Return to the story:
EMS: Adventures In X-treme Web 2.0