Vishing! Is that still a thing?

Yes, it is. The voice over IP scam is also called vishing for VoIP phishing. The fraudsters set up a fake call center using VoIP. They have different ways of implementing the calls. Some have already infected the victim’s machine and collected a set of information on their victims. One victim mentioned on a forum that the criminals knew his/her name, device model number, and serial number. The criminals use different lures to call their victims; we have observed calls regarding MS Windows license, infected computers, toners, printers, where criminals claim to be the companies’ helpdesk. We assess the level of this threat to be medium as several actors are active and involved in this line of fraudulent activity.

We have collected a few VoIP numbers they used in the past 12 months:
866-756-0309 – call back number 646-751-8831

Reasons for calling:
Criminals claimed Windows license expired
Criminals claimed to be getting a “StrangeSignal” from the victim’s PC
Criminals claimed victim had malware and viruses that had to be removed immediately
Criminals claimed you need new toners for your printers

Extort money from victims under pretense
Request access to victim’s machine via tool like –
Criminals told victims needed a new product ID and should go to CVS and purchase a $300 iTunes gift card for this
Criminals asked victims to pay them over $400 for “lifetime” support from them
Criminals will oversell toners ten times the real price

Threat actor associated with this kind of activity:
The vishing topic is discussed a lot on Alphabay, a marketplace on the TOR network. Last September 2016, the threat StripeCarder ( made the following post:

“I want to do some vishing but want to create a team to do it for me. I have hired XXXXX in the past but how can I convince someone to work for me if it is obviously illegal. Any ideas?”

Several threat actors replied and offered their services and said they were willing to do it. The threat actors who replied are kingjames221, anti-troll, johnathanramos, founder45 (ICQ 701299145), max0074, colombianx99. The threat actor StripeCarder also uses a network of money mules collecting money for him before sending it over to him and seems to be involved in a boiler room scam as well. On December 18th, 2016, StripeCarder showed an interest in a post, from a threat actor using the handle nicola27 advertised on Alphabay his calling service where he claims to have a team of American and British speakers using real numbers and not google voice or VoIP numbers. We advertise users that if you receive a call like this, hang up, go to the vendor website and find the support phone number and call them to verify the claims.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s