Vishing and Toll Fraud – VoIP Vulnerability

Vishing and Toll Fraud

Vishing is closely related to phishing: it means collecting private information over the telephone system.

The term phishing is a recent addition to technical language. The main concept behind phishing is that an e-mail is sent to a user by an attacker. The e-mail appears to come from a legitimate business. The user is asked to confirm his or her information by entering it on a web page, such as a social security number, a bank or credit card account number, a birth date, or mother’s name. The attacker can then use the information provided by the user for unethical purposes.

Vishing is the same idea applied to the telephone system. Because many users trust the security of a telephone more than that of a web site, some readily share confidential information over the phone. Educating users is the most popular way to fight vishing attacks.

Another kind of scam against telephony systems is called toll fraud. The basic idea of toll fraud is that an attacker uses the telephony system to place calls he should not be permitted to make. For example, a corporate telephony policy may state that personal long-distance calls are not permitted. If an employee disobeyed that policy and made a personal long-distance call, that would be considered an example of toll fraud.

More advanced forms of toll fraud involve taking advantage of a vulnerability in the telephony system to place calls. Cisco Unified Communications Manager has many features that help fight toll fraud. Examples are partitions and calling search spaces, which can be used to define which phone numbers can be called from particular Cisco IP Phones. As another example, a Forced Authorization Code (FAC) can be used to require a user to enter a code to call a specific location.
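The following added example (not from the original article, and not Cisco code or configuration syntax) is a simplified Python model of how partitions, calling search spaces and a Forced Authorization Code combine into a default-deny call policy. All partition names, patterns and codes are constructed, and the pattern syntax (X for one digit, ! for one or more digits) with first-match lookup is an assumption of the model.

```python
import re

# Constructed dial plan: partition -> list of (pattern, requires_fac).
# Simplified pattern syntax: X = any one digit, ! = one or more digits.
PARTITIONS = {
    "PT_INTERNAL": [("2XXX", False)],
    "PT_LOCAL": [("9XXXXXXX", False)],
    "PT_LONG_DISTANCE": [("91XXXXXXXXXX", True)],
    "PT_INTERNATIONAL": [("9011!", True)],
}

# Constructed calling search spaces: the partitions each class of phone may reach.
CALLING_SEARCH_SPACES = {
    "CSS_LOBBY": ["PT_INTERNAL"],
    "CSS_EMPLOYEE": ["PT_INTERNAL", "PT_LOCAL", "PT_LONG_DISTANCE"],
    "CSS_EXECUTIVE": ["PT_INTERNAL", "PT_LOCAL", "PT_LONG_DISTANCE",
                      "PT_INTERNATIONAL"],
}

VALID_FACS = {"4821"}  # constructed authorization codes


def _to_regex(pattern):
    """Translate the simplified pattern syntax into a regex for fullmatch."""
    return re.compile("".join(
        r"\d" if c == "X" else r"\d+" if c == "!" else re.escape(c)
        for c in pattern))


def authorize_call(css_name, dialed, fac=None):
    """Return (allowed, reason) for digits dialed from a phone assigned css_name."""
    if not dialed.isdigit():
        return False, "invalid digits"
    for partition in CALLING_SEARCH_SPACES.get(css_name, []):
        for pattern, requires_fac in PARTITIONS[partition]:
            if _to_regex(pattern).fullmatch(dialed):
                if requires_fac and fac not in VALID_FACS:
                    return False, f"{partition}: authorization code required"
                return True, partition
    # Default deny: no partition in this calling search space matches the number.
    return False, "no matching pattern in calling search space"
```

A lobby phone assigned `CSS_LOBBY` can reach only internal extensions, while an employee phone can place a long-distance call only when a valid code accompanies it.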

There’s more

There are different types of attacks that can be directed at voice networks. In this series of articles we will discuss all four types of VoIP vulnerabilities and attacks. This will certainly be enough to explain how VoIP telephony communication can be disabled or reduced in quality. The four main VoIP vulnerabilities are:

  • SPIT – spam over IP telephony (SPIT) includes, for example, sending unwanted messages to an IP phone’s display or making the IP phone ring from time to time.
  • Vishing – is just like phishing; the difference is that the victim provides his or her personal information over the telephone rather than on a website.
  • Toll fraud – happens when users misuse a telephone system to make toll calls (for example, international or long-distance calls) that they do not have approval to make.
  • SIP attacks – try to exploit SIP’s use of well-known protocols to intercept or manipulate SIP messages. Also, an attacker may trigger a DoS attack against a SIP server.
