T 5.135 SPIT and Vishing
The use of VoIP offers many possibilities to obtain information or exploit unwitting users under false pretences. Using VoIP, providers can place unwanted advertising for their products or services, for example. SPIT (Spam over Internet Telephony), like SPAM, which is already a widespread email phenomenon, costs the receivers time and money. Depending on their frequency, SPIT calls are not only a nuisance, but under some circumstances they can also significantly disrupt work flows in an organisation.
Sending SPIT is relatively inexpensive for a provider. If a packet-based connection can be established to a user over the internet, the provider does not incur any additional telephone costs. By dimensioning the internet connection accordingly, the provider can send numerous advertisements at the same time.
SPIT may just be an advertising slogan, for example. In this case, a recording is played when the person called picks up the phone. This way, products or services can be advertised. However, SPIT with fraudulent intentions can also be sent. An example of this type of SPIT is Vishing.
Vishing (Voice Phishing) is an attack used to obtain personal information of one or more victims. In this case, a VoIP-based dialler calls a large number of VoIP addresses the attacker has collected. When the call is answered, a voice message is played intended to make the victim believe the call is from a trustworthy organisation, such as the bank where the victim is a customer. During the call, the victim is requested to provide information such as account numbers, PINs, and TANs.
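Both the SPIT scenario above and the vishing dialler share one observable trait on the receiving side: a single source places a burst of many short, automated calls to many different users. The following detection logic is an added example and is not part of the catalogue text. It assumes a hypothetical call-detail record (CDR) format of "timestamp caller callee duration-in-seconds", constructed sample records (the SIP URIs and the 203.0.113.0/24 documentation address are invented), and threshold values chosen for illustration; a real deployment would tune them to its own call volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR lines in a hypothetical "timestamp caller callee seconds" format.
# All addresses are invented for this example (203.0.113.0/24 is a documentation range).
SAMPLE_CDR = "\n".join(
    # an automated dialler: 25 short calls to 25 different users within 25 seconds
    [f"2024-03-01T09:00:{i:02d} sip:promo@203.0.113.10 sip:user{i:02d}@example.org {8 + i % 7}"
     for i in range(25)]
    # an ordinary caller: a few calls of normal length spread over the morning
    + [
        "2024-03-01T09:05:00 sip:alice@example.org sip:bob@example.org 240",
        "2024-03-01T10:30:00 sip:alice@example.org sip:carol@example.org 95",
        "2024-03-01T11:45:00 sip:alice@example.org sip:bob@example.org 310",
    ]
)


def parse_cdr(text):
    """Parse CDR lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, caller, callee, secs = parts
        try:
            records.append({
                "time": datetime.fromisoformat(ts),
                "caller": caller,
                "callee": callee,
                "duration": int(secs),
            })
        except ValueError:
            continue
    return records


def detect_spit(records, window=timedelta(minutes=5), min_calls=20,
                min_distinct_callees=15, max_avg_duration=30):
    """Flag callers whose pattern matches an automated dialler:
    a burst of many calls inside `window`, to many distinct users, each call short.
    Thresholds are assumptions for this example."""
    by_caller = defaultdict(list)
    for r in records:
        by_caller[r["caller"]].append(r)

    suspects = {}
    for caller, calls in by_caller.items():
        calls.sort(key=lambda r: r["time"])
        times = [r["time"] for r in calls]
        # sliding window: largest number of calls started within any `window`
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct = len({r["callee"] for r in calls})
        avg_duration = sum(r["duration"] for r in calls) / len(calls)
        if (peak >= min_calls and distinct >= min_distinct_callees
                and avg_duration <= max_avg_duration):
            suspects[caller] = {
                "peak_calls_in_window": peak,
                "distinct_callees": distinct,
                "avg_duration": round(avg_duration, 1),
            }
    return suspects


if __name__ == "__main__":
    for caller, stats in detect_spit(parse_cdr(SAMPLE_CDR)).items():
        print(f"possible SPIT source {caller}: {stats}")
```

The three criteria are deliberately combined: a call centre may legitimately place many calls, and a short average duration alone says little, but a burst of short calls fanning out to many distinct users is the signature of the dialler the text describes, whether it plays an advertisement or a fake bank message.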
Vishing
The term "Vishing" means "Voice Phishing" or "Phishing via VoIP" and describes the organised theft of data via phone by inducing users, similarly to Phishing (see T 5.157 Phishing and Pharming), to disclose confidential or financially relevant information by means of well-thought-out stories. Here, both the preparation of the attack and the collection of the information may take place over the telephone.
- Within the framework of one form of Vishing, VoIP-based diallers call a large number of collected VoIP addresses. When the call is answered, a voice message is played intended to make the victim believe the call is from a trustworthy organisation, such as the bank where the victim is a customer. During the call, the victim is requested to provide information such as account numbers, PINs, and TANs.
- Within the framework of a different attack variant, fraudsters send emails with well-thought-out texts requesting the recipient to call a voice box using a specified phone number. This voice box then retrieves PIN data and other confidential information in a targeted manner. This attack type may be dangerous because it takes advantage of the advice of many financial institutions not to react to suspicious emails, but to seek contact via the telephone.
The aim of Vishing is to mislead as many victims as possible and to prompt them to disclose their access data, passwords, credit card information, etc. This way, fraudsters can collect sufficient information to debit money from accounts in the customer's name: name, credit card and account number, PIN and TAN numbers.
Examples:
- A customer receives an electronic message from his/her bank. The sender's address is forged, which the victim is not aware of. The message prompts the victim to test his/her online banking access by informing his/her adviser via a voice mailbox. When the call is answered, a voice message is played intended to make the victim believe the call is from a trustworthy organisation, such as the bank where the victim is a customer. During the call, the victim is requested to provide information such as account numbers, PINs, and TANs.
- An email contains the plausible information that the credit or debit card was misused. Furthermore, the recipients are requested to clarify the matter "safely" over the phone. When calling the phone number provided, the customers are requested to disclose their personal access data using the buttons in order to resolve the problem.