Thanks to our reader Glenn for alerting us of this scheme: He received an automated phone call, telling him that his ATM card has been deactivated. The system then offered him to re-activate it. He didn't fall for it, and instead called his bank. His bank told him that they had multiple reports like that, and the calls are false.

Lessons learned:

• first of all, the bank should somehow identify itself by telling you something only they know. Your account number maybe?
• better: call them back at a listed number. Do not ask them what number to call. Usually, the fraudsters will use an automated system to call you, not a human (but they may).
• never provide confidential information like account numbers, social security numbers, PINs, passwords over the phone.

This event reminds me of one result our web-application honeypot project yielded so far: Attackers are actively looking for open VoIP web based admin interfaces like asterisk/trixbox/freepbx. Don't forget to secure them with passwords AND limit admin access to machines from your IP address space. It is likely that compromissed VoIP systems are used to launch these attacks.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute