In a recent Rich Tehrani blog entry, he touched on the subject of a type of email phishing attack termed Spear Phishing. For those that have not heard the term before, Rich describes it:
“In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.
This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks.”
This type of attack is possible because many email services either don’t insist on any kind of authentication, or because they do not look at the ‘from’ email address you specify and check that it is consistent with the email address the service actually issued to you. This is one of the weaknesses of today’s email system that makes life so easy for spammers.
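The missing check described above can be expressed as a small submission-time policy: when a client hands a message to the mail service over an authenticated session, the address in its From header must be the account that logged in. The following is an added example written for this post, not code from the original author or from any particular mail server; the account names, domains and sample messages are constructed. It uses Python's standard `email` package, which separates the display name from the actual address so that a lookalike address planted in the display name cannot pass as the sender.

```python
"""Submission-time check that the From header matches the authenticated sender.

Added example for this post (not the post's own code). It models the check
the post says many mail services skip. All names, domains and messages
below are constructed sample data.
"""
import email
from email.utils import getaddresses
from typing import Optional, Tuple


def check_from_alignment(raw_message: str, authenticated_user: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a message submitted by a mail client.

    authenticated_user is the account the submitting client logged in as,
    or None when the session was not authenticated at all.
    """
    if authenticated_user is None:
        return False, "submission session is not authenticated"

    msg = email.message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False, f"expected exactly one From header, found {len(from_headers)}"

    # getaddresses() yields (display_name, addr_spec) pairs with the display
    # name kept apart from the real address, so '"x@corp" <y@evil>' is seen
    # for what it is: a message from y@evil with a misleading display name.
    addresses = getaddresses(from_headers)
    if len(addresses) != 1:
        return False, f"expected exactly one address in From, found {len(addresses)}"
    display_name, addr_spec = addresses[0]
    if "@" not in addr_spec:
        return False, "From header carries no parseable address"

    # Policy choice for this example: compare the whole address case-insensitively.
    if addr_spec.lower() != authenticated_user.lower():
        return False, f"From <{addr_spec}> does not match authenticated user <{authenticated_user}>"

    # A display name that itself looks like a (different) email address is a
    # classic lookalike trick, even when the real address is legitimate.
    if "@" in display_name and display_name.lower() != addr_spec.lower():
        return False, f"display name {display_name!r} looks like a different address"

    return True, "From header matches authenticated sender"


# Constructed sample messages (headers, blank line, body).
GENUINE = (
    "From: Alice Example <alice@corp.example>\r\n"
    "To: bob@corp.example\r\n"
    "Subject: lunch\r\n\r\n"
    "See you at noon.\r\n"
)
# Logged in as one account, but claiming to be the help desk in the From header.
SPOOFED_FROM = (
    "From: IT Help Desk <helpdesk@corp.example>\r\n"
    "To: bob@corp.example\r\n"
    "Subject: password reset required\r\n\r\n"
    "Please reply with your current password.\r\n"
)
# Real address is the sender's own, but the quoted display name imitates another mailbox.
LOOKALIKE_DISPLAY = (
    'From: "helpdesk@corp.example" <mallory@corp.example>\r\n'
    "To: bob@corp.example\r\n"
    "Subject: password reset required\r\n\r\n"
    "Please reply with your current password.\r\n"
)


def run_samples() -> dict:
    """Evaluate each constructed sample under the policy; returns reasons by name."""
    return {
        "genuine": check_from_alignment(GENUINE, "alice@corp.example"),
        "spoofed_from": check_from_alignment(SPOOFED_FROM, "mallory@corp.example"),
        "lookalike_display": check_from_alignment(LOOKALIKE_DISPLAY, "mallory@corp.example"),
        "unauthenticated": check_from_alignment(GENUINE, None),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print(f"{name:18} {'ACCEPT' if accepted else 'REJECT':6} {reason}")
```

Only the genuine message is accepted; the other three are refused with a reason a mail administrator could log. The case-insensitive comparison is a deliberate policy choice for the example, since real deployments also have to allow configured aliases and shared mailboxes, which this check does not model.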
Unfortunately, Spear Phishing also applies to VoIP, since in many cases VoIP services can be fooled into using and displaying a false caller ID number. So you can imagine the scenario: You are sitting at your office desk, and a call comes in to your desk phone. The number on the display is 400, and this is the extension you normally call to reach the IT help desk. It’s definitely not an ‘outside’ number. You pick up, and although you didn’t know that the IT help desk now has a technician called ‘Steve’, perhaps if he knows one other bit of corroborating information, this will be enough to make you accept that he is bona fide. In the conversation that follows, he might tell you that Mike from Sales called him, and ask whether you can tell him where Mike is. Of course, if he knows that Mike sits near you, you might be tempted to believe that Steve is for real. Bingo. Now maybe you’re ready to tell him something secret?
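The scenario above rests on the desk phone trusting whatever caller ID the call carries. On the PBX side, one defensive check is to compare the claimed caller ID with where the call actually entered the system: an INVITE that arrived over an external trunk has no business presenting itself as extension 400. The following is an added example written for this post, not code from the original author or from any PBX product; the network ranges, the dial-plan pattern and the sample SIP INVITE are constructed, and the source address is assumed to come from the PBX's own view of the transport peer, never from a header inside the message.

```python
"""Flag inbound SIP INVITEs whose caller ID claims an internal extension
but which arrived from outside the PBX's trusted networks.

Added example for this post (not the post's own code). The INTERNAL_NETWORKS
ranges, the extension pattern and the sample INVITE are constructed.
"""
import ipaddress
import re
from typing import Tuple

# Constructed assumption: the phone system lives on these private ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Constructed dial plan: internal extensions are 3 or 4 digits (e.g. 400).
INTERNAL_EXTENSION = re.compile(r"^\d{3,4}$")

# User part of a SIP URI: 'sip:400@pbx.example.internal' -> '400'
_FROM_USER = re.compile(r"sip:([^@;>\s]+)@")


def from_user(raw_invite: str) -> str:
    """Return the user part of the From header URI, or '' if absent.

    Handles both the full header name 'From' and its compact form 'f'.
    """
    for line in raw_invite.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("from", "f"):
            m = _FROM_USER.search(value)
            return m.group(1) if m else ""
    return ""


def classify_invite(raw_invite: str, source_ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for an inbound INVITE.

    source_ip is the transport peer the PBX received the packet from; it is
    deliberately not read from Via or Contact, which the caller controls.
    """
    user = from_user(raw_invite)
    if not user:
        return "reject", "From header has no usable SIP URI"

    addr = ipaddress.ip_address(source_ip)
    internal_origin = any(addr in net for net in INTERNAL_NETWORKS)
    claims_extension = bool(INTERNAL_EXTENSION.match(user))

    if claims_extension and not internal_origin:
        # The situation in the post: the display says 400, but the call did
        # not come from anywhere that extension 400 could be registered.
        return "suspicious", f"caller ID {user} looks like an internal extension but arrived from {source_ip}"
    if internal_origin:
        return "trusted", f"internal peer {source_ip} presenting {user}"
    return "external", f"external call from {source_ip} presenting {user}"


# Constructed INVITE: the caller presents itself as the help desk extension.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1234@pbx.example.internal SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKexample",
    'From: "IT Help Desk" <sip:400@pbx.example.internal>;tag=1a2b',
    "To: <sip:1234@pbx.example.internal>",
    "Call-ID: example-call-id@203.0.113.7",
    "CSeq: 1 INVITE",
    "Content-Length: 0",
    "",
    "",
])


if __name__ == "__main__":
    # Same message, two different points of entry.
    for peer in ("203.0.113.7", "10.0.5.20"):
        print(peer, classify_invite(SAMPLE_INVITE, peer))
```

Run stand-alone, the same INVITE is reported as suspicious when it arrives from 203.0.113.7 and as trusted when it arrives from 10.0.5.20. A PBX acting on the suspicious verdict would typically strip or rewrite the presented number before ringing the desk phone, which is what would have made "400" on the display worth something in the scenario above.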
Of course this kind of confidence trick is nothing new; it just uses new tools to achieve the same goal. The defence? Well, if you have the slightest doubt that someone is who they claim to be, you could offer to call them back, and do not use any information they have given you to do it. For example, call someone else you know in the help desk, and ask them about ‘Steve’. “Steve who?”