Friday, June 24, 2011

Vishing and VoIP Forensics

The Royal Canadian Mounted Police (2006) defines vishing (or voice phishing) as “the act of leveraging a new technology called Voice over Internet Protocol (VoIP) in using the telephone system to falsely claim to be a legitimate enterprise in an attempt to scam users into disclosing personal information”. Vishing can be viewed as a natural evolution of phishing, in which con artists use email messages to glean private information such as credit card numbers, social insurance numbers and PINs. As the general public becomes more familiar with this type of con and email software vendors add functionality to prevent phishing attacks, the fraudsters are moving on to a technology that users still trust: telephony.
Traditionally, in the world of the public switched telephone network (PSTN), spoofing Caller ID (CID) was possible (Art of Hacking, 2000) but much harder, as “each circuit on either end of the call is assigned a phone number by the phone company.” (Reardon M. 2009). Today, with the move to SIP trunks and VoIP technology, spoofing caller ID is fairly trivial. Moreover, there are legitimate ways to acquire a telephone number in any region of the world, such as Skype Online Number. According to Adam Boone (2011), “telecom security researchers over the past two years have reported a very sharp rise in attacks against unsecured VoIP systems”. As a result, phishers have access to infrastructure that can be used to launch vishing attacks, as demonstrated in the scams targeting Motorola Employees Credit Union, Qwest customers and Bank of the Cascades (Krebs B. 2008).
In most cases, a vishing attack involves calling people using either a war dialler or a legitimate voice messaging company. When the call is answered, an automated message informs the recipient that there has been suspicious activity on either their credit card or their bank account, and asks them to call a predefined number to verify their account by entering their credit card number.
Digital forensic investigation of a vishing suspect is not a trivial matter. Since the attack is usually initiated by calling or texting (SMS) a large number of phone numbers, an investigator can look for unusual behaviour patterns. Several forensic tools can parse Skype artifacts, either in memory (RAM) or on an acquired image, such as Skypeex, Nir Sofer's Skype Log Viewer and Belkasoft Skype Analyzer. For other software, such as Asterisk, a manual review of the log file will be required. Moreover, a forensic investigator can use the foremost command to look for .wav or .mp3 files that could have been used as a recorded message. Finally, the SIP trunk service provider that was used by the fraudsters could provide information such as the user-id. This information can be used in a string search (the srch_strings command) of acquired memory or non-volatile storage images to identify the suspected hardware.
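The "unusual behaviour pattern" review described above can be partly automated for an Asterisk call detail record log. The following is an added example, not part of the original post: it assumes the default column order of Asterisk's cdr_csv Master.csv, the window and threshold values are arbitrary, and the sample records are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Column order of Asterisk's cdr_csv Master.csv (assumed default; confirm on the examined host).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]

def load_cdr(text):
    """Parse CDR text, skipping truncated or corrupt records instead of aborting."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        try:
            rec["start"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        except (TypeError, ValueError):
            continue
        rows.append(rec)
    return rows

def flag_mass_dialling(rows, window=timedelta(minutes=10), min_distinct=5):
    """Map each source that dialled min_distinct numbers inside one window to its largest burst."""
    by_src = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["start"]):
        by_src[r["src"]].append(r)
    flagged = {}
    for src, calls in by_src.items():
        lo, best = 0, []
        for hi, call in enumerate(calls):
            while call["start"] - calls[lo]["start"] > window:
                lo += 1  # slide the window start forward
            if len({c["dst"] for c in calls[lo:hi + 1]}) > len({c["dst"] for c in best}):
                best = calls[lo:hi + 1]
        dsts = sorted({c["dst"] for c in best})
        if len(dsts) >= min_distinct:
            flagged[src] = {"first": best[0]["start"], "destinations": dsts,
                            "prompts": sorted({c["lastdata"] for c in best if c["lastapp"] == "Playback"})}
    return flagged

def _row(src, dst, start, app, data):  # builds one constructed CDR line
    return (f'"","{src}","{dst}","default","{src}","SIP/{src}-1","SIP/trunk-1",'
            f'"{app}","{data}","{start}","{start}","{start}",20,18,"ANSWERED","DOCUMENTATION"')
# Constructed sample: extension 2001 dials six numbers in two minutes; 1001 makes two ordinary calls.
SAMPLE = "\n".join(
    [_row("2001", f"1555010{n:04d}", f"2011-06-20 09:{n // 3:02d}:{(n % 3) * 20:02d}", "Playback", "acct-alert")
     for n in range(6)]
    + [_row("1001", "15550109999", "2011-06-20 09:05:00", "Dial", "SIP/trunk/15550109999"),
       _row("1001", "15550108888", "2011-06-20 14:30:00", "Dial", "SIP/trunk/15550108888"),
       '"","2001","1555010'])  # truncated final line, as found in a damaged log
```

The "prompts" value lists the sound files played during the burst, which gives the examiner file names to look for among the audio recovered with foremost.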


  • 'Beware of phishing--and vishing' 2006, Nursing, 36, 12, p. 66, Academic Search Complete, EBSCOhost, viewed 24 June 2011.
  • Art of Hacking (2000), “Beating Caller ID” [online]. Available from: (accessed: June 24, 2011).
  • Boone, A 2011, 'Return of the Phone Phreakers: Business Communications Security in the Age of IP', Security: Solutions for Enterprise Security Leaders, 48, 4, pp. 50-52, Business Source Premier, EBSCOhost, viewed 24 June 2011.
  • Chow, S, Gustave, C, & Vinokurov, D 2009, 'Authenticating displayed names in telephony', Bell Labs Technical Journal, 14, 1, pp. 267-282, Business Source Premier, EBSCOhost, viewed 24 June 2011.
  • Krebs B. 2008, “The Anatomy of a Vishing Scam” [online]. Available from: (accessed: June 24, 2011).
  • Swarm, J 2007, 'A Closer Look at Phishing and Vishing', Community Banker, 16, 7, p. 56, Business Source Premier, EBSCOhost, viewed 24 June 2011.
  • Reardon M. 2009. “Protect yourself from vishing attacks” [online]. CNET News. Available from: (accessed: June 24, 2011).
  • Royal Canadian Mounted Police (2006), “Vishing or Voice Phishing” [online]. Available from: (accessed: June 24, 2011).
