Received a news tip that fraudsters are using Asterisk as a "collection tool" for their credit card scam. While that's nothing new by itself, since there are plenty of scammers leveraging Asterisk, I found it fascinating to be able to actually call into the scammer's system.Asterisk has become hacker's tool of choice because it's free, flexible, and feature-rich. Just install Asterisk on an inexpensive PC and you have yourslf a powerful PBX that can war dial hundreds of phone numbers while forging the outbound CallerID. Often referred to as "vhishing" or voice phishing, a vishing attack is easy to do using Asterisk.
You can war dial and leave a recorded message to hundreds of people, telling them that their credit card number has been stolen and that they need to call a specific phone number to resolve the issue.
Anyway, a reader told me today he just received an email "from" Capital One asking to call (866) 473-0719 for fraud verification. He believes that this number is routed to an Asterisk box since he recognized that the scammer is using Festival text-to-speech (TTS) to ask the questions. It certainly sounds like Festival to me as well. Yeah, like a credit card company would 100% TTS for their credit card verification system.
Well, a sucker is born every minute, so some people might fall for it.here's the email he received:
We detected irregular activity on your debit card on 08/03/2008.
We have attempted to contact you to verify your account information, and unfortunately all methods of contact have been unsuccessful.
For your protection, your account has been disabled until we are able to verify your information to prevent any misuse of your account.
Please call customer service at (866) 473-0719 to activate your account.
Interestingly, the scammer is not checking if the credit number entered is valid or not - you can enter 16x 0 and the system will accept it.
What's odd is that the autoattendant is saying stuff about "credit card activation" not credit card fraud verification. So who is going to call this number and activate a CapitalOne card that they've owned (& already activated)? I guess we need to see P.T. Barnum's "there's a sucker born every minute" again to answer that question.
Also, the VoIP or TTS quality on their line stinks. Very choppy. Some of the TTS words were garbled or completely cut off. Maybe the mass blast spam they're sending out is using all their VoIP bandwidth?
Well, nothing like having some fun with dumb criminals. So go have some fun and pester the scammer with invalid credit card numbers.
Technorati
Del.icio.us
Slashdot
Digg
twitter
Leave a comment