Phishing campaign uses VoIP to target dozens of banks, steal card data

Share this article:
$30 RAT, WinSpy, involved in two phishing campaigns
Phishing campaign targets banks, steals cards

Criminals in Eastern Europe have targeted dozens of U.S. banks over the past few years with an elaborate phishing scheme designed to capture victims' payment card data.

According to PhishLabs, a Charleston, S.C.-based cyber crime prevention firm, the fraudsters are currently compromising as many as 400 payment cards per day through “vishing” attacks, a social engineering ruse that phishes individuals via voice over internet protocol (VoIP) technology.

In the campaign, scammers use email-to-SMS gateways to pose as legitimate financial institutions by spamming bank customers with text messages, a Tuesday blog post by PhishLabs CEO John LaCour said.

The messages direct recipients to call their bank to reactive their payment card, but victims who call the number actually reach an interactive voice response (IVR) system set up by attackers, which requests their card and PIN number. With the stolen card data, members of the gang use the information to make online or phone purchases, or withdraw cash from ATMs using counterfeit cards, the firm revealed.

In a Tuesday interview with, PhishLabs' LaCour said that the attackers have mostly targeted small banks or credit unions, striking approximately 50 financial institutions in the past three years.

“We believe that these attackers have been at this for several years,” LaCour said. “It's still ongoing, and they've changed banks in the past 24 hours. The previous bank may have fixed the security issue, or [attackers] may feel like they've gotten all the cards they can."

“It's common for these attackers to target a bank for a few days and then move to another,” he continued.

LaCour estimated that around $120,000 in ATM cash outs, alone, may be stolen per day under the scheme, given the number of cards compromised and the $300 per day withdrawal limit on many ATM cards.

After uncovering a cache of stolen payment card data, PhishLabs initially determined that the group was stealing the data of as many as 250 cards per day. As of Tuesday, however, LaCour told that the count had increased to around 400 cards per day. 

To thwart potential “vishing” attacks, PhishLabs advised that banks require CVV1 (card validation value) or CVC1 (card validation codes) to be validated by card processors, as this data is stored on the magnetic stripes of cards, and not readily available to customers inadvertently revealing their card information to scammers.

PhishLabs also recommended that mobile service providers aid in prevention by employing strong anti-spam measures for email-to-SMS gateways.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.