What are we going to call it

OK, we've got spam and spit (spam over VoIP) and spim (spam over IM). As soon as people actually start using VoIP—and I'm talking end-to-end VoIP where you "dial" a URL—we're going to start seeing phishing with VoIP. What'll that be called? "phit", "phitting"? Somebody make it stop.

UPDATE: Now that I've slept on it, I predict "vishing". In fact, it sounds so familiar I fear I've heard it already.


oh god no, not more stupid neologisms. what about "VoIP phishing"?

Yup, Wikipedia has had a vishing entry since July 2006.

I've been predicting VoIP-originated spam/phishing in unmanageable volumes as a driving force to move people to VoIP for a while, but I've been amazed that it hasn't yet come to pass. Why have the spammers not yet adopted sending VMs to people's phones via VoIP? Setting up Asterisk as a robot to send ten million voice mails to robo-dialled phone numbers from somewhere "offshore" (with the robo-dialling happening massively in parallel) or using a botnet to originate the calls with a simple VoIP client seems like it'd be simple. You ultimately need an IPvoice gateway, but stealing those by phishing Vonage or SkypeOut seems like it'd be pretty trivial. The technical sophistication required, vs the response rate you'd get from leaving a few thousand voicemails which say "This is your bank. We are calling you due to an important notice about your account. Please call us back immediately at . To protect your privacy, when you phone in, you will be asked a few personal questions to identify you." seems like a huge win on both fronts, relative to say SMS spam.

VoIP phishing doesn't need end-to-end VoIP--and it's already begun. I received a voice mail message a few months ago claiming to be from my credit card company, saying they needed some information from me because of a recent transaction, and asking me to call an 800 number. When I called the company (using the phone number on the back of the credit card), I was reassured that there was no problem with any recent transactions, that the 800 number I was given had nothing to do with them, and that I should ignore the call. (I was a bit disturbed that they didn't seem to care in the least that someone was attempting to defraud their customers by posing as them, but there wasn't much I could do about that...)

The best part: the caller ID number recorded by the voice mail message was, in fact, the correct phone number of the credit card company. Welcome to the magic of VoIP...

What makes you think this was VoIP? You can do this perfectly well with standard digital POTS gear.

...But at considerably greater cost, if I'm not mistaken. Presumably phishers don't want to invest too much in telephony hardware.

Also, this kind of phishing is no doubt much safer when performed from offshore. Does POTS gear allow you to spoof a US caller origin from overseas?

And for pharming, we have "varming". A miscreant who mounts such an attack being, of course, a "varmint".

The goggles, they do nothing!!

We will call it social engineering.

The culprit has already apologized for vishing, claiming he did not mean it to be taken seriously.

I thought it was called "wire fraud."

That's the problem with anything Internet-based. You get all the problems that come with it. E-mail's security problems are often compared to the possible problems VoIP faces. In this case, phishing, vishing, or whatever you want to call it, is going to be a problem. Hopefully people are as aware of it as email phishing... but now that I think of it, a lot of people aren't. We're in trouble.

