Threat Management, Incident Response, TDR

Phishing campaign uses VoIP to target dozens of banks, steal card data

Criminals in Eastern Europe have targeted dozens of U.S. banks over the past few years with an elaborate phishing scheme designed to capture victims' payment card data.

According to PhishLabs, a Charleston, S.C.-based cyber crime prevention firm, the fraudsters are currently compromising as many as 400 payment cards per day through “vishing” attacks, a social engineering ruse that phishes individuals via voice over internet protocol (VoIP) technology.

In the campaign, scammers use email-to-SMS gateways to pose as legitimate financial institutions by spamming bank customers with text messages, a Tuesday blog post by PhishLabs CEO John LaCour said.

The messages direct recipients to call their bank to reactive their payment card, but victims who call the number actually reach an interactive voice response (IVR) system set up by attackers, which requests their card and PIN number. With the stolen card data, members of the gang use the information to make online or phone purchases, or withdraw cash from ATMs using counterfeit cards, the firm revealed.

In a Tuesday interview with, PhishLabs' LaCour said that the attackers have mostly targeted small banks or credit unions, striking approximately 50 financial institutions in the past three years.

“We believe that these attackers have been at this for several years,” LaCour said. “It's still ongoing, and they've changed banks in the past 24 hours. The previous bank may have fixed the security issue, or [attackers] may feel like they've gotten all the cards they can."

“It's common for these attackers to target a bank for a few days and then move to another,” he continued.

LaCour estimated that around $120,000 in ATM cash outs, alone, may be stolen per day under the scheme, given the number of cards compromised and the $300 per day withdrawal limit on many ATM cards.

After uncovering a cache of stolen payment card data, PhishLabs initially determined that the group was stealing the data of as many as 250 cards per day. As of Tuesday, however, LaCour told that the count had increased to around 400 cards per day. 

To thwart potential “vishing” attacks, PhishLabs advised that banks require CVV1 (card validation value) or CVC1 (card validation codes) to be validated by card processors, as this data is stored on the magnetic stripes of cards, and not readily available to customers inadvertently revealing their card information to scammers.

PhishLabs also recommended that mobile service providers aid in prevention by employing strong anti-spam measures for email-to-SMS gateways.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.