
Voice Phishing Hits PayPal 191

Chai Vanilla writes "The latest social engineering phishing attack is now using phones instead of fake web sites. Identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information. Unlike normal phishing e-mails, there is no URL or response address. Instead, the e-mail urges the recipient to call a phone number and verify account details."
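A mail filter can score the lure shape the summary describes: a payment-brand notice with no URL that presses the reader to phone a number about their account. This is an added example, not part of the original story or of any real filter; the patterns, the brand list, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Heuristic patterns: assumptions for this example, not taken from the story.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)
ACCOUNT_RE = re.compile(r"\b(?:verify|confirm|compromised|suspended)\b", re.I)
BRANDS = ("paypal",)  # brands to watch for (assumed list)

def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def vishing_signals(raw):
    """Return the individual signals so an analyst can see why a mail was flagged."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    return {
        "brand": any(b in text.lower() for b in BRANDS),
        "phone": bool(PHONE_RE.search(text)),
        "call_to_action": bool(CALL_RE.search(text)),
        "account_pressure": bool(ACCOUNT_RE.search(text)),
        "no_url": not URL_RE.search(text),  # the trait that separates this from URL phishing
    }

def is_vishing_lure(raw):
    """Flag only when every signal is present; URL-based phish is left to other rules."""
    return all(vishing_signals(raw).values())

# Constructed sample messages (fictional 555 number and .invalid domains).
LURE = (
    'From: "PayPal Security" <service@example.invalid>\n'
    "Subject: Your account may be compromised\n\n"
    "We noticed unusual activity on your PayPal account.\n"
    "Please call 1-800-555-0199 to verify your account details.\n"
)
URL_PHISH = (
    "From: service@example.invalid\n"
    "Subject: Verify your PayPal account\n\n"
    "Click http://paypal.example.invalid/login to confirm your details.\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("url_phish", URL_PHISH)):
        print(name, is_vishing_lure(raw), vishing_signals(raw))
```
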
  • Not in the VoIP era (Score:4, Interesting)

    by Andy Dodd ( 701 ) <atd7NO@SPAMcornell.edu> on Saturday July 08, 2006 @12:37PM (#15683510) Homepage
    There are now plenty of companies (such as StanaPhone) that provide a free DID, all you need to do is register with them. Their business model is that they make money on outgoing calls, but most of them don't require payment until you actually decide to make such a call.
  • by canavan ( 14778 ) on Saturday July 08, 2006 @12:37PM (#15683511)
    I got that phishing mail yesterday, and called the number (1-805-214-4801) immediately. The system's recordings were chopped and barely intelligible, and I was prompted to enter "my 16 digit credit card number" (which was indeed verified to at least follow the basic rules of correctness or be rejected), and its expiry date, but nothing like a name or even the paypal account data.

    Where can one complain about such fraudulent 1-8xx numbers to get them shut down? Additionally, how much does calling a 1-805 cost in the US, and is any part of the cost passed to the operator?
  • not surprising (Score:5, Interesting)

    by v1 ( 525388 ) on Saturday July 08, 2006 @12:40PM (#15683522) Homepage Journal

    There's a small degree of higher risk, but if you get a new disposable cell phone every three days and move around all day you'd be a hard mark to hit.

    Too many people are now aware of the "don't click the link" aspect of phishing, but I'm sure there are still plenty of suckers that assume if they have your phone number you must be legit. I would not be surprised if they find a way to do this through US Mail in a way that hides their identity.

    It would be interesting if one day, to get such an online account set up, they make you pass a short test, where they give you ten examples of people asking for your account information in various ways, and you have to answer "give them the information" or "report the incident to phishing.ebay.com". Anyone that answers "give them the information" on any of the questions doesn't get an account.

    I wager that alone would eliminate 80% of successful phishes.
  • Re:Passwords (Score:3, Interesting)

    by tomhudson ( 43916 ) <barbara.hudson@b ... m ['son' in gap]> on Saturday July 08, 2006 @01:57PM (#15683843) Journal

    One guy up here was convicted for "hacking" into the local police squad's voicemail system.

    Everyone's password was (and I'm not making this up, and it's NOT a Spaceballs reference) "1" "2" "3" "4" "5"

    For months he listened into all sorts of messages for the detectives, including from informants, wives and girlfriends (nice to be able to blackmail a cop by threatening to tell his wife about his action on the side), etc.

    You KNOW most systems have an easy password (or still have the default password).

    Convicted, sentenced ... and caught doing it again - they hadn't changed the passwords a year later!!! Of course, once the story made the news, they HAD to change them (hint: if you remember the story and the police station, try "54321")

  • Woah, timely! (Score:4, Interesting)

    by Kid Zero ( 4866 ) on Saturday July 08, 2006 @01:59PM (#15683852) Homepage Journal
    Just got mine in the email this morning.

    (530) 204-6800 is a land line based in Davis, CA
    The registered service provider is 01 Communications**.
    Detailed listing information is not available.

  • by Anonymous Coward on Saturday July 08, 2006 @02:06PM (#15683876)
    I happen to know some "test" credit card numbers that validate properly in many cases and are easy to remember. In some places you can actually use them to pay for actual services, like WLAN access, document downloads etc, because the operators don't perform a full check. The most expensive thing I've ever bought with it was a full week of WLAN access on an exhibition I didn't attend for about EUR 420. If those things work, I usually alert the operator of the site.
  • Re:"Latest" attack? (Score:2, Interesting)

    by beebware ( 149208 ) on Saturday July 08, 2006 @02:21PM (#15683941) Homepage
    I've had my (now ex)-bank's anti-fraud system automatically call me. "This is an automated telephone call from Lloyds TSB for Mr xxxxxx. To confirm you are the card holder, please enter in your 16 digit card number." Needless to say, I hung up and called the number printed on the back of my card. I asked the person what it was about and then asked if they would have entered their number onto an automated system that randomly called them - nope(!)
  • Re:Tracability? (Score:3, Interesting)

    by tomhudson ( 43916 ) <barbara.hudson@b ... m ['son' in gap]> on Saturday July 08, 2006 @02:33PM (#15683998) Journal

    You're confusing number with proportion. How many people EVER go to jail for phishing? Try reporting it to your local cop shop - you'll get the "we don't handle that here" bit. Then you're told to post your complaint to such-and-such a web site ... and nothing happens, because they're after the easy-to-bust ones - the guys running boiler-rooms going "You've just won a vacation, just send us the money for the taxes and duties."

    They HAVE the tools to deal with that, so that's what they do. They DON'T have the tools to deal with phishers.

  • Catch 22? (Score:2, Interesting)

    by wbean ( 222522 ) on Saturday July 08, 2006 @04:35PM (#15684417)
    The other day I got an automated call from a credit card company asking me to call an 800 number to review account details. When I called I was in the voice-mail system that sounded like the company but without any explanation of what I was to do. When I finally managed to get to an operator she wouldn't discuss the matter with me without the last four digits of my social security number, and I wouldn't give her those. So there we were, she didn't know who I was and I didn't know who she was. I got through two levels of supervisor and still never found out what the call was about.
