Imagine a DDoS attack, via phone...
From:
http://www.nytimes.com/2014/01/20/technology/ ... ner=rss&emc=rssSwindlers Use Telephones, With Internet’s Tactics
By NICK WINGFIELD JAN. 20, 2014
SEATTLE — Phone swindles are practically as old as the telephone itself. But new technology has led to an onslaught of Internet-inspired fraud tactics that try to use telephone calls to dupe millions of people or to overwhelm switchboards for essential public services, causing deep concern among law enforcement and other groups.
People, businesses and government agencies across the country are combating the new schemes, in which scammers use the Internet to send huge volumes of calls at the same time. Many of the attacks bombard individuals with automated requests for personal data, in a variation of their email-scam cousins. But others are more vicious, flooding entire phone systems when demands are not met, similar to some attacks against websites.
“You can blast out 100 million calls from the comfort of your keyboard,” said Kati Daffan, a lawyer in the bureau of consumer protection at the Federal Trade Commission.
In October, the Department of Homeland Security advised federal agencies, local governments and other organizations to be prepared for so-called denial of service attacks, which flood phone systems with calls, making them unusable by legitimate callers. The warning came after attacks against a sheriff’s office in the Southern United States and another against a Coast Guard cutter. The department said there had been over 200 such attacks identified against public sector groups.
As they are for most forms of Internet fraud, the latest phone schemes are also difficult to track and investigate because of their frequency, their layers of anonymity and their global nature. Several investigators could not name a successful prosecution of the latest wave of phone swindles, though cybercriminals who committed other forms of fraud have been arrested.
In Tarrant County, Tex., the phone lines of several emergency dispatch centers were disabled in the last year because of a surge of automated calls, said Wanda S. McCarley, director of operations for the Tarrant County 911 District, which includes Fort Worth. The attacks lasted up to an hour and were aimed at 10-digit phone emergency numbers at the centers, which are accessible to callers outside the area, rather than 911 lines, which are not.
Something similar happened to a Texas hospital two years ago, when an intensive care unit’s phone lines were disabled for about six hours, said the chief information officer for the hospital chain that owns the facility, who spoke on the condition that he not be named to avoid unwanted attention for his employer. To defend itself, the hospital started using a service from SecureLogix, a telephone-security company, which the hospital’s chief information officer said had been effective.
In both cases, employees at the facilities were contacted by callers who said they were debt collectors seeking repayment of loans taken out by the workers. If the employees did not pay up, the callers threatened, the lines at the employees’ workplaces would be brought down. The attackers then overwhelmed the lines with repeated calls, causing busy signals for legitimate callers.
It is not clear how or why the specific employees were chosen, though law enforcement officials believe that swindlers in such cases may find names on public staff directories or professional sites like LinkedIn.
Some pay up in such swindles, often out of uncertainty about whether they owe the money or to avoid embarrassment at their workplaces, law enforcement officials said. Ralph A. Gagliardi, agent in charge with the Colorado Bureau of Investigation’s identity theft and mortgage fraud units, said he traced payments from the victim in one such attack in Colorado to Nigeria via an intermediary in Florida.
Michael J. McKeown, supervisory special agent for the Federal Bureau of Investigation in Pittsburgh, said, “If people do pay, that makes their problems stop, but it may make it more lucrative for people to do this.”
For years, government officials have warned the public of email frauds that request personal information, known as phishing. Over time, the public education has made it harder to trick people over email. But there has been less public outreach about similar new types of phone schemes, sometimes called vishing.
These more traditional swindles, which ask individual recipients to provide personal or financial information, appear to be up sharply as well. In 2012, the Federal Trade Commission said, telephone calls accounted for 34 percent of the fraud complaints it received from people who reported how they had been contacted, up from 20 percent in 2010. Phone fraud was second only to email, which accounted for 38 percent of complaints in 2012.
Automatic dialing software and Internet phone services make it easy to place huge volumes of calls from anywhere in the world. Often, swindlers create messages in a synthesized voice and say they are from a financial institution. The call prompts the recipients to enter personal data through their phone keypads.
Because making phone calls over the Internet is so inexpensive, the practice can be lucrative even if only a tiny percentage of the people provide information. Personal financial data obtained this way can be easily sold on the black market. Financial and government officials say it is unclear how much money is lost to such schemes.
Jimmy Forester of Portland, Ore., is one person who didn’t fall for a phone swindle. A message he received a few weeks ago told him his credit card needed to be reactivated and asked him to enter his account information. Instead, he punched in random numbers because he was curious to see the fraudulent call through to its end.
“Fake emails are usually pretty easy to spot because you can look and see if it came from Bank of America or from FreeEmailAddressInEgypt.com,” said Mr. Forester, 29, who is an electrician. “With the phone, you don’t have that option of researching.”
Banks have begun warning their customers to avoid providing any personal data through their phones when they receive such a call. Officials worry that the new threats are particularly effective against older Americans, who use phones more than computers and who seem to be more trusting.
“Some of these people are so darned convincing,” said Debbie Matz, chairwoman of the National Credit Union Administration, the agency that regulates federal credit unions.
Mr. Gagliardi began receiving complaints in Colorado last fall in a case that illustrates how phone frauds can ripple across the country. Residents were receiving calls saying that their cellphone or bank accounts were compromised, and that they needed to provide credit card information.
The deceptions did not end there. The swindler used software to make the calls look as if they were originating from a law firm in Palo Alto, Calif. Many people called the firm to complain, and they were directed to call the local police department instead. The police department, as a result, was swamped with more than 2,000 phone calls over several days, causing busy signals for other callers.
“People have gotten trained now that you don’t just click on random stuff in email,” said Henning Schulzrinne, the chief technologist with the Federal Communications Commission. “People don’t necessarily understand how nontrustworthy caller ID has become.”
Reply to topic