[VOIPSEC] Phishers Snare Victims With VoIP

Shawn Merdinger shawnmer at gmail.com
Thu Apr 27 16:02:58 PDT 2006


>From: "Gupta, Sachin" <s-gupta2 at ti.com>
>It doesn't look like that VoIP has anything to do with these kind of
>issues. Scammers could have used a PSTN numer as well, instead of VoIP.

True, a PSTN number could have been used.  However, I think we'll see
VoIP capabilities, features and weaknesses combined with savvy
scammers' creativity, employed more blatantly soon.

For example:

1.  Spoofing caller-id numbers.  Still an issue in VoIP.  The current
scammers could use this in as a added illusion of security
confirmation by implementing a call-back mechanism.  This could be
automated, so that the customer initially calls the spoofed email
number, and a recording says because of these scams a "secure
call-back feature" has now been implemented.  The victim is directed
to hang-up and then compare the incoming (spoofed) caller-id to the
*legitimate* number of victim's bank statement, bank website, etc.

2.  VoIP forwarding capability adds an interesting twist.  Sure you
can bounce PSTN-based calls around, but can you do them with several
services in different countries at such low-cost?  This capability
makes log coordination, call-tracking and technical efforts difficult,
not to mention the legal and jurisdiction challenges in this area.

3.  Some VoIP services have features that could be employed in these
scams easily.  One example is that SkypeOut's caller-ID shows up as
0000123456 -- there are other issues, including specifying ones own
caller-id during the SIP service registration process.


More information about the Voipsec mailing list