With India adding almost 8 million cellphone subscribers per month - and SMS being the largest-used service - hackers find vishing a great tool to target gullible users.
Rakshita Kolaskar (name changed) was pleasantly surprised to receive a SMS recently, announcing her as the winner of a $3 million (around Rs 12.5 crore) prize from the Shell International Mobile Draw.
The message prompted her to mail her claim and asked her to call an international number. However, when her excitement died, she tried hard to recall if she ever used any Shell product or service, as the SMS stated.
She soon realised that she had never done so. So why was this SMS sent, especially, when a Shell official confirmed that it had not issued any such award?
Welcome to the world of Vishing or voice phishing, wherein hackers are using a combination of voice over internet protocol, SMSs and the internet to fool and redirect users into dialling a phone number and collect critical information for financial gain. In Kolaskar's case, both mobile spam and vishing were used.
Phishing-related losses have been estimated at $2.8 billion with a single victim losing $1,244 in 2006, compared with $257 in 2005, according to Gartner.
According to some recent reports, phishing attacks on banks have increased since the beginning of the year.
Globally, the first vishing attack was registered in 2006, but there have been reports that these are increasing. Earlier this year, the FBI's Internet Crime Centre said it received multiple reports on different variations of vishing. These attacks against US financial institutes and individual users continue to rise.
Many feel that India is a compelling market for this kind of an attack. With almost 8 million subscribers added per month - and SMS the largest-used service - experts feel this could be the best way to target Indian users.
Rohas Nagpal, president, Asian School of Cyberlaw, feels that the above is an social engineering attack could be later used for a fraudulent activity or it could also be the first step towards vishing.
Security experts are of the opinion that more than the technology solutions, it is the ease of database availability from the telecom operators that is responsible for this in India. "If you go to Nehru place in New Delhi, you can get a mobile number database for a few thousands of rupees," says a security specialist.
Many feel that laws should be strengthened. Kartik Shahani, regional director, India, McAfee, says: "Everyone knows that databases are sold by network operators. One can also specify the type of database based on a user's ARPU spend. Besides, the rules and regulations on providing database access to other users are very weak in India."
He also believes that if the attack is taking place from the net, then there are solutions that can help users detect the authentic site. But in case of vishing, it becomes difficult.
Howard Schmidt, president and CEO, R&H Security Consulting and a former special advisor for cyberspace security for the White House, had told Business Standard that with the mobile usage increasing, the next wave of security threats will target handhelds.
He said: "Five years from now, the mobile will be used like we use PC and laptops today. So, the attacks will be using the data on the handheld. The problem is that while solutions are available people are not using it."
Niraj Kaushik, country manager, India and Saarc, Trend Micro, cautions that though vishing is still at a nascent stage, very few operators are providing any security solutions that can control spam on mobile handsets.
The Nigerian scam
Phishing is a common phenomeon on the internet. It is a form of internet fraud that aims to steal valuable information such as credit card details, social security numbers, user IDs and passwords for financial gains.
Several top banks in India have reportedly been hit by phishing. A popular email scam is the Nigerian scam.
The email, in this case, is sent by a prominent official from an African country asking the recepient to help him/her in depositing money into a local bank and also offers to share the bounty.