Phishers have branched out beyond e-mail, a security researcher said, and are now exploring both VoIP and text messaging as attack avenues.
Voice over IP is attractive to identity fraudsters, said Zulfikar Ramzan of Symantec's Advanced Threat Research group in a company blog entry Tuesday, because it's an affordable way to dial phone numbers in large volumes. The technique is dubbed "vishing," for voice phishing, and "such attacks can be conducted cheaply enough that phishers might see a sufficient return on their investment," Ramzan said. Phishers either substitute phone numbers for URLs in traditional e-mailed come-ons or dial consumers directly, circumventing e-mail entirely.
Another tactic, said Ramzan, is "smishing," for SMS phishing. "A victim might receive a phone [text] message saying that he or she will be charged $x per day if a fictitious order at a particular Web site isn't cancelled," he said. "In a panic, the victim then visits the site to cancel the order [but] in the process the victim will end up with malicious software on his or her machine."
Symantec has also accumulated evidence that some phishers are collecting user names and passwords fast enough to defeat two-factor authentication number generators, and are using one-time, quickly discarded URLs to avoid site blacklisting, a common anti-phishing technique.
"Phishers have demonstrated that they really mean business," Ramzan said. "Their attacks have become more frequent, more varied, and quite frankly more innovative. We must continuously out-innovate them and persistently redouble our efforts."