Are the Con Artists Back? A Preliminary Analysis of Modern Phone Frauds

Phishing is the practice of eliciting a person´s confidential information such as name, date of birth or credit card details. Typically, the phishers use simple technologies (e.g., e-mailing) to spread social engineering attacks with the goal of persuading a large amount of victims into voluntarily disclose sensitive data. Phishing based on e-mail and web technologies is certainly the most popular form. It has indeed received ample attention and some mitigation measures have been implemented. In this paper we describe our study on vishing (voice phishing), a form of phishing where the scammers exploit the phone channel to ask for sensitive information, rather than sending e-mails and cloning trustworthy websites. In some sense, the traditional a-lá-Mitnick phone scams are streamlined by attackers using techniques that are typical of modern, e-mail-based phishing. We detail our analysis of an embryonic, real-world database of vishing attacks reported by victims through a publicly-available web application that we build for this purpose. The vishing activity that we registered in our preliminary analysis is targeted against the U.S. customers. According to our samples, we analyzed to what extent the criminals rely on automated responders to streamline the vishing campaigns. In addition, we analyzed the content of the conversations and found that words such as ``credit´´, ``press´´ (a key) or ``account´´ are fairly popular. In addition, we describe the data collection infrastructure and motivate why gathering data about vishing is more difficult than for regular e-mail phishing.