Voice Phishers Dialing for PayPal Dollars
eWeek.com, July 7, 2006
Internet security experts have discovered a new phishing scam that uses voice recordings to pilfer money from PayPal accounts.
In the newest social engineering attack, identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information.
Unlike normal phishing e-mails, there is no URL or response address. Instead, the e-mail urges the recipient to call a phone number and verify account details.
eWEEK has confirmed that the phone number embedded in the e-mail was active and accepting credit card entries at midday on July 7.
It is a Southern California area code (805) that greets callers with the following automated voice recording: "Welcome to account verification. Please type your 16-digit card number."
The automated message simply urges users to enter credit card numbers. If incorrect card details are entered, a request for re-entry is made, further enhancing the appearance of legitimacy of the fraudulent telephone number.
"Users that type in their card information may think they're verifying their PayPal account, but in actual fact, they're handing their details over to cyber-criminals on a plate," said Graham Cluley, senior technology consultant at Sophos, in Lynnfield, Mass.
"Although it's an American telephone number, the fact that PayPal is used globally means that anyone could potentially be tricked into making the call," Cluley added.
The PayPal scam is the second major voice phishing attack detected in recent weeks. On June 23, malware researchers at Websense Security Labs warned that customers of Santa Barbara Bank & Trust were being targeted by spam mail with an embedded 805 phone number.
In both attacks, the phone response does not mention PayPal or the bank's name, suggesting that the same number is being used for fraud against other entities.
The Santa Barbara Bank & Trust spam attack warned the target that the bank account had been locked as a security measure and asked that the recipient call the phone number to verify the account and user's identity.
According to Cluley, the voice phishing scam "underlines a real problem" for online companies in how they communicate with their customers. "Many users are beginning to learn to not click on links in unsolicited e-mails and only visit the legitimate Web site," he said. "But how many would know whether a phone number for their Web site is genuine or not?