May 27th, 2008
Scam calls... something we've forgotten about?
I was thinking about the problem of identity theft today and looked back at notes I took during Nitesh Dhanjani and Billy Rios’s presentation at Black Hat and Blue Hat recently, and I came to the realization that our government should be doing more about this crap.
You see, identity theft is an economy in itself. It has demand (thieves trying to use the stolen information for their own financial gain) and supply (the stolen IDs). In fact, there’s a whole sales process of selling phishing kits, IDs, skimmers, etc. Think of all the places that keep a record of your personal information: banks, your employer, your cell phone provider, your cable company, your apartment complex, the government, your doctor, etc. etc. etc. Now also think of all the places where you readily scan your information to be stored: ATMs, the Redbox, etc. All of these data warehouses are potential places where your data could be stolen from. The attacks are well known these days (phishing, web application compromise, skimming, etc.), but we’ve forgotten about something: scam calls.
For the past 20 days I’ve been getting calls from the number 480-543-1320, listed as SSPL. It appears I’m not alone. For me, I’ve never heard anything but a dead line on the other end. Calls back have been met with a busy tone. Others, however, have received prank calls, calls asking for their social security number or credit card directly (not very intelligent callers, it would seem), calls claiming the recipient has won a free cruise (just provide your SSN and credit card number), or calls claiming the recipient has won free gas (just provide your SSN and credit card number).
You know, I thought this crap was illegal. Apparently it is, but only if you are on the “Do Not Call” list… well, I joined that a long, long time ago. There have also been a lot of complaints registered against this number, yet nothing has been done. I thought it was interesting and thought, maybe I should investigate the 480 area code (Arizona). The list of scam calls from that area code is absurd, but I have no idea if it is any more than any other.
Being a security consultant in my primary job, I know just how easy it is to social engineer someone into giving you something you want. I hope our government is considering more proactive measures than this “Do Not Call” registry, as obviously all the complaints against this number have done nothing to punish those making the calls.
-Nate

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.








