Communications Security Technology

Asterisk Vishing Attacks "Endemic" 141

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"
This discussion has been archived. No new comments can be posted.

  • Vishing? (Score:4, Insightful)

    by Red Flayer ( 890720 ) on Wednesday October 28, 2009 @11:46AM (#29898213) Journal

    Vishing? Really?

    What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

    I'm sure we could come up with a better term than "vishing".
  • Re:Vishing? (Score:4, Insightful)

    by Carewolf ( 581105 ) on Wednesday October 28, 2009 @11:55AM (#29898331) Homepage

        Vishing? Really?

        What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

        I'm sure we could come up with a better term than "vishing".

    If the alternative is phreashing and phreammers, then I'll prefer "vishing". That said, I doubt most cases are using an actual "bug" in Asterisk; it is much more likely there are different setups, where some are incorrectly set up to handle _one_ of the many combinations of diversion, refer, redirection, route, proxy, RFC and draft SIP features that Asterisk "supports".

  • Moral of the story (Score:5, Insightful)

    by Random2 ( 1412773 ) on Wednesday October 28, 2009 @12:01PM (#29898419) Journal

    Don't give sensitive information away unless in person. If your bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

  • Re:Vishing? (Score:4, Insightful)

    by natehoy ( 1608657 ) on Wednesday October 28, 2009 @12:06PM (#29898499) Journal

    Yeah, "Phishing" still seems to apply as an appropriate term to describe social engineering attempts by email, which is already a pretty specialized term, where "email fraud" would have worked just as well to start with (since it is closely related to an existing term "mail fraud" which indicates the snail mail version of the same attempt). As usual, a term was invented to describe something that is harder for the layman to understand than the original term. Hey, we're geeks, new confusing terms are cool, so deal. 1337 n3w w0rdz0rz ru1z!

    A phisher is still sending someone an email and asking them to take a specific action that, if you take it, will result in you giving up important information to someone wearing a black hat. We don't need separate terms to describe every possible nuance of the way you would potentially send the information back. If someone sends me an email with a form they want me to fill out and mail, do I have to call that mhishing? And what if they want me to fax it? fhishing? What if they simply want me to reply to them with some information? rhishing?

    What if you get an email that gives a bad link *AND* a scammer's phone number? pvhishing? Or does the order of the "p" and "v" depend on which appears in the email fraud attempt first, so it could be pvishing or vphishing? And do I read that right-to-left or top-to-bottom to determine "first"?

    Is there a 3-week class on this new terminology, or a 12-step program to get people to stop using it?

  • Usage guide (Score:1, Insightful)

    by Anonymous Coward on Wednesday October 28, 2009 @12:07PM (#29898525)

    Vishing is pronounced "wishing," as in "I am vishing to see your nuclear vessels."

  • Complete crap (Score:4, Insightful)

    by screeble ( 664005 ) on Wednesday October 28, 2009 @12:43PM (#29898993)

    What a load of crap. Asterisk developers patch security holes relatively quickly. This isn't an Asterisk "endemic."

    Brute forced passwords are a bad administrator "endemic."

    If your password policy is so stupid that you can be wordlisted then the issue may just be a PICNIC problem and not a fault of an application.

    Asterisk isn't a security application. It's an enterprise-grade VoIP server and PBX.

    Connecting Asterisk to a public network without some sort of border control is just stupid.
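    The "brute forced passwords" and "border control" points above are exactly what a log-based detector is for. The following is an added example, not code from the thread or from Digium: a small Python scanner that reads chan_sip failed-registration NOTICE lines, keeps a per-source sliding window, and flags any address that crosses a failure threshold, which is the same idea a fail2ban jail for Asterisk implements. The log lines are constructed for the example (they follow the wording chan_sip uses, but were not captured from a real system), and the threshold of 5 failures in 60 seconds is an assumed policy, not an Asterisk default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of chan_sip NOTICE messages
# (not captured from a real PBX; addresses are documentation ranges).
SAMPLE_LOG = """\
[Oct 28 12:43:01] NOTICE[2211] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct 28 12:43:02] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct 28 12:43:02] NOTICE[2211] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct 28 12:43:03] NOTICE[2211] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct 28 12:43:04] NOTICE[2211] chan_sip.c: Registration from '"1004" <sip:1004@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct 28 12:43:30] NOTICE[2211] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[Oct 28 12:45:10] NOTICE[2211] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[Oct 28 12:45:11] NOTICE[2211] chan_sip.c: Peer '1000' is now Reachable. (12ms / 2000ms)
"""

# Timestamp, process id, the claimed From identity, the source IP (port optional)
# and the reason chan_sip gave for rejecting the REGISTER.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every failed-registration line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines (peer reachability etc.) are ignored
        # Asterisk omits the year; 1900 is fine for window arithmetic.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("reason")


def failure_totals(log_text):
    """Total failed registrations per source address, regardless of timing."""
    totals = defaultdict(int)
    for _ts, ip, _reason in parse_failures(log_text):
        totals[ip] += 1
    return dict(totals)


def find_bruteforcers(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for sources with >= threshold failures
    inside any sliding window of window_seconds (assumed policy values)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, _reason in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()           # expire attempts older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed registrations inside 60s -> candidate for border ACL block")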

  • Re:Vishing? (Score:3, Insightful)

    by natehoy ( 1608657 ) on Wednesday October 28, 2009 @01:09PM (#29899329) Journal

    But all 9 syllables refer to concepts already stored in my brain. "Code Re-use"!

  • Phone Phishing (Score:3, Insightful)

    by gd2shoe ( 747932 ) on Wednesday October 28, 2009 @03:13PM (#29901197) Journal

    Phone Phishing. That way it's clear, and you get an alliteration as a bonus.
  • Re:Complete crap (Score:4, Insightful)

    by rantingkitten ( 938138 ) on Wednesday October 28, 2009 @04:37PM (#29902277) Homepage

    Most of the security problems I've seen actually exploited are not a problem with asterisk as such, or even border control, but of retarded admins. For example, many IP phones expect to connect to a fileserver of some sort and download some xml files containing their SIP information. Admins will routinely just create an ftp account somewhere, using the default login and password of the phones, and dump the files there. They'll frequently allow that ftp user to have shell access too, or forget to disable directory listing on the ftp directory, or do anything else that resembles common sense and security.

    It would be trivial to portscan far and wide, find some asterisk boxes, and exploit these terribly common mistakes made by clueless admins. I have demonstrated to clients how I was able to log into their server armed only with the knowledge of what the default ftp username and password is, then download all their users' config files containing all the information I'd need to fraudulently use their phone lines. Sometimes it takes a dramatic demonstration like that to make people wake up.
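    Both screeble's point that wordlist-able passwords are an administrator problem and rantingkitten's point that phones are provisioned with default credentials come down to what ends up in the peer configuration. As an added example (not code from the thread, from Digium or from Asterisk itself), here is a Python audit of a chan_sip-style sip.conf that flags peers whose secret is missing, equal to the peer name, digits-only, short or on a list of common defaults, peers with no deny/permit ACL, and a [general] section that does not set alwaysauthreject=yes. The config text and the list of common defaults are constructed for the example; the 12-character minimum is an assumed policy value, and the parser is a minimal one that understands only the [section], key=value and key=>value forms, not Asterisk's templates or #include directives.

```python
# Constructed sip.conf fragment: one weakly configured peer, one reasonable one.
SAMPLE_SIP_CONF = """\
[general]
context=default
alwaysauthreject=no   ; default answer leaks whether a peer name exists

[1000]
type=friend
host=dynamic
secret=1000           ; secret equals the extension
context=internal

[1001]
type=friend
host=dynamic
secret=Xq7!vL2#pR9tWz
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
context=internal
"""

# Constructed list of values that show up as factory/provisioning defaults.
COMMON_DEFAULTS = {"1234", "password", "secret", "admin", "asterisk", "default"}
MIN_SECRET_LEN = 12   # assumed local policy, not an Asterisk setting


def parse_sip_conf(text):
    """Return {section_name: [(key, value), ...]}, keeping duplicate keys
    in order so that repeated deny/permit lines survive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            if value.startswith(">"):              # key => value form
                value = value[1:]
            sections[current].append((key.strip(), value.strip()))
    return sections


def values(pairs, key):
    return [v for k, v in pairs if k == key]


def weak_secret_reasons(peer_name, secret):
    reasons = []
    if secret in COMMON_DEFAULTS:
        reasons.append("common default value")
    if secret == peer_name:
        reasons.append("equals peer name")
    if secret.isdigit():
        reasons.append("digits only")
    if len(secret) < MIN_SECRET_LEN:
        reasons.append(f"shorter than {MIN_SECRET_LEN} chars")
    return reasons


def audit_sip_conf(text):
    """Return {section: [finding, ...]}; an empty list means nothing flagged."""
    sections = parse_sip_conf(text)
    findings = {}
    general = sections.get("general", [])
    findings["general"] = [] if values(general, "alwaysauthreject")[-1:] == ["yes"] else [
        "alwaysauthreject is not 'yes': rejections reveal which peer names exist"
    ]
    for name, pairs in sections.items():
        if name == "general":
            continue
        found = []
        secrets = values(pairs, "secret")
        if not secrets:
            found.append("no secret set")
        else:
            found += ["weak secret: " + r for r in weak_secret_reasons(name, secrets[-1])]
        if not values(pairs, "deny") and not values(pairs, "permit"):
            found.append("no deny/permit ACL: peer may register from any address")
        findings[name] = found
    return findings


if __name__ == "__main__":
    for section, found in audit_sip_conf(SAMPLE_SIP_CONF).items():
        print(f"[{section}] " + ("ok" if not found else "; ".join(found)))
```

    Peer [1000] is reported for a secret that is its own extension, digits-only and short, and for having no ACL; [1001] comes back clean. Running this against a real sip.conf is a reasonable pre-deployment check, since a peer that fails it is precisely the kind that a wordlist will find.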
  • Re:Vishing? (Score:2, Insightful)

    by VoltageX ( 845249 ) on Wednesday October 28, 2009 @06:07PM (#29903335)

    It's pretty hard to set Asterisk up properly, let alone secure it. The cynic in me says this is so Digium can make more money on support and training.
  • by kasparov ( 105041 ) * on Wednesday October 28, 2009 @06:28PM (#29903589)

    No, I was just annoyed at your impolite behavior at the time with all of the spamming. Then I noticed this story and saw that you are still at it. I'm glad you found a solution that works for you. Many people have also found other solutions that work great for them, including Asterisk.

    Part of having such a huge user community is that the Asterisk devs have 100s of feature requests or bug reports at any given time. If someone is having a problem that is only having an effect on a very small number of people, sometimes it takes longer to fix than other problems. Everyone has to prioritize.

    Also, the quality of the debugging information that is presented is a major factor in how long it takes to get a problem fixed. This [asterisk.org] is a good example of 3 or 4 actual Asterisk developers trying to work on one of your issues and you being rude to them and not giving them the debug information they requested.

    I understand that having an issue that is affecting you take a while to get closed is annoying, but something being open for a week with no real information provided to help track it down is certainly no reason to react the way you did.

    And us Asterisk users aren't pissed about FreeSWITCH existing--that is just silly. The more choices out there, the better! We just don't like people coming over and shouting YOU SUCK and doing the equivalent of spray painting our walls with "FreeSWITCH RULEZ!" like you did with the bug tracker. That is just childish. There are many excellent and polite freeswitch users and developers--I just don't think that you are one of them.
