News
FBI: Criminals Auto-Dialing with Hacked VoIP Systems
Criminals are taking advantage of a bug in the Asterisk Internet telephony system
By Robert McMillan, IDG News Service (San Francisco Bureau)
December 08, 2008 — IDG News Service —
Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.
The FBI didn't say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.
In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.
"Early versions of the Asterisk software are known to have a vulnerability," the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. "The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour."
The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Dynamics reported a bug that could allow an attacker to take control of an Asterisk system.
Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability "basically allowed you to take over the account of one individual," he said. "In the worst possible case, you could make thousands of calls in an hour."
However, the attack described by the FBI would be extremely hard to pull off, Todd said.
Most Asterisk systems are protected by firewalls or other security software and even if one could be accessed by a visher, administrators generally limit the number of calls any one account can make simultaneously, he explained. "Most of the time you would not be able to create thousands of calls in an hour."
The flaw affects older versions of Asterisk but not the most current version 1.6, he said.
Other stories by Robert McMillan
Copyright 2009 IDG News Service, International Data Group Inc. All rights reserved.
Asterisk systems
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Implementing Best Practices for Web 2.0 Security
- WagerWorks Takes Fraudsters Out of the Game Using iovation
- A Security Blueprint Delivered From within the Network
- Comparing Research In Motion and Microsoft Mobile Solutions
- The Total Economic Impact of Network Security Intrusion Prevention
- Protecting Your Intellectual Property White Paper
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
