Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Communications Security Technology

Asterisk Vishing Attacks "Endemic" 141

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"
This discussion has been archived. No new comments can be posted.

Asterisk Vishing Attacks "Endemic"

Comments Filter:
  • Vishing? (Score:4, Insightful)

    by Red Flayer ( 890720 ) on Wednesday October 28, 2009 @10:46AM (#29898213) Journal
    Vishing? Really?

    What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

    I'm sure we could come up with a better term than "vishing".
    • Re: (Score:3, Funny)

      I'm sure we could come up with a better term than "vishing".

      Like voice phishing? ;)

    • Re:Vishing? (Score:4, Insightful)

      by Carewolf ( 581105 ) on Wednesday October 28, 2009 @10:55AM (#29898331) Homepage

      Vishing? Really?

      What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      I'm sure we could come up with a better term than "vishing".

      If the alternative is phreashing and phreammers, then I'll prefer "vishing". That said, I doubt most cases are using an actual "bug" in Asterisk, it is much more likely there are different setups, were some are incorrectly setup to handle _one_ of the many combinations of diversion, refer, redirection, route, proxy, RFC and draft SIP features that Asterisk "supports".

      • Re: (Score:2, Insightful)

        by VoltageX ( 845249 )
        It's pretty hard to set Asterisk up properly, let alone secure it. The cynic in me says this is so Digium can make more money on support and training.
    • Re:Vishing? (Score:4, Insightful)

      by natehoy ( 1608657 ) on Wednesday October 28, 2009 @11:06AM (#29898499) Journal

      Yeah, "Phishing" still seems to apply as an appropriate term to describe social engineering attempts by email, which is already a pretty specialized term, where "email fraud" would have worked just as well to start with (since it is closely related to an existing term "mail fraud" which indicates the snail mail version of the same attempt). As usual, a term was invented to describe something that is harder for the layman to understand than the original term. Hey, we're geeks, new confusing terms are cool, so deal. 1337 n3w w0rdz0rz ru1z!

      A phisher is still sending someone an email and asking them to take a specific action that, if you take it, will result in you giving up important information to someone wearing a black hat. We don't need separate terms to describe every possible nuance of the way you would potentially send the information back. If someone sends me an email with form they want me to fill out and mail, do I have to call that mhishing? And what if they want me to fax it? fhishing? What if they simply want me to reply to them with some information? rhishing?

      What if you get an email that gives a bad link *AND* a scammer's phone number? pvhishing? Or does the order of the "p" and "v" depend on which appears in the email fraud attempt first, so it could be pvishing or vphishing? And do I read that right-to-left or top-to-bottom to determine "first"?

      Is there a 3-week class on this new terminology, or a 12-step program to get people to stop using it?

      • Never mind, I did read, but failed to comprehend, the article. Stupid me.

        Anyway, I still don't think we need a new term. In fact, I think we already have one. "Telephone fraud".

        • Well, more pedantically it should be something like "telephone impersonation fraud" to account for the fact the scammers attempt to trade on an existing relationship of trust ... and now we're up to 9 syllables.
          • Re: (Score:3, Insightful)

            by natehoy ( 1608657 )

            But all 9 syllables refer to concepts already stored in my brain. "Code Re-use"!

          • But as natehoy pointed out in his original post, is it really necessary to coin a new term -- or even a new combination of existing terms -- for every possible permutation of communication media that scammers seek to exploit? How about just saying a scammer is a scammer is a scammer, whether (s)he is using e-mail, snail mail, voice mail, fax, or smoke signal?

            IMHO, "FBI warns of scam exploiting Asterisk PBX software" is far more meaningful to more people than "FBI warns of vishing attack e
          • Comment removed based on user account deletion
    • From a link [computerworld.com] from TFS: "Vishing is much like phishing, but instead of urging e-mail recipients to click on a link (to a bogus website) this message instructs the reader to call a telephone number to rectify a problem with your account."

      I agree - "vishing" is a stupid term.
    • Re:Vishing? (Score:4, Funny)

      by jittles ( 1613415 ) on Wednesday October 28, 2009 @11:16AM (#29898623)
      Actually, the attack is named after my Indian friend Vishal. But everyone calls him Vish. No really, I didn't just make this up.
    • What is that, voice phishing? What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      Nah, following the "vishing" substitution logic, I come up with telemarketing spammers = tammers and phreaker hackers would be phackers.
    • Re: (Score:3, Funny)

      by MiniMike ( 234881 )

      What's next, we're going to call telemarketers "vammers"? And we'll call phreakers "vackers"?

      How about varmints [merriam-webster.com] and pharmints?

      Telemarketers don't deserve a new word, especially when an existing one fits so well. Phreakers at least are exhibiting some level of skill, even if it is in a somewhat antisocial manner (so I assume, at least).

    • Re: (Score:3, Informative)

      by Tony Hoyle ( 11698 )

      vishing is what Dracula does on his holidays.

    • I'm sure we could come up with a better term than "vishing".

      I second this sentiment. Let's reserve "Vishing" for people pretending to be Vishnu [wikipedia.org].

    • those Phreaking Vishers........

    • Yes, really. Not only that but soon there will be virtual actors or vactors.

    • Re: (Score:3, Funny)

      by jo42 ( 227475 )

      "Vishing" is what it is called when Vishnu [wikipedia.org] goes fishing [wikipedia.org].

    • by mcgrew ( 92797 ) *

      I wondered the same thing, so I googled. Vishing is the criminal practice of using social engineering over the telephone system [wikipedia.org]

      I do vish they'd have come up with a better name... but considering GNU, TWAIN, Windows, iPod, (and especially that abominably named "WiFi"), we as a group are pretty bad at coming up with good names.

    • How about thieves, frauds, con-men, or scam artists ?? I find it hard to believe this is actually a problem. Is there REALLY anyone out there STUPID enough to give up your pin ? C'mon folks the real bankers don't need it to do what they do,ANYONE asking for your PIN is a thief, plain and simple. If you give anyone your PIN other than your more significant half you are a fool of the worst possible kind, and likely deserve what is coming to you. Tell you parents and grandparents that there is NEVER an emergen

    • by jsiren ( 886858 )

      I'm sure we could come up with a better term than "vishing".

      You might vant to throw a coin in the vishing vell.

  • I always hang up as soon as I recognize them for what they are. On the rare occasions when someone who actually has something to say that I need to hear tries to use one they always follow up with a real phone call or a letter.

    • by Deanalator ( 806515 ) <pierce403@gmail.com> on Wednesday October 28, 2009 @11:21AM (#29898677) Homepage

      I was getting a recorded message from a spoofed cid at 000-000-0000 and would always kill the call as I saw it come in. Turns out it was the my gas company trying to resolve some billing issues.

      A note to all "legit" businesses out there, blocked numbers and especially spoofed cids are super sketchy, don't do it.

      • by mcgrew ( 92797 ) *

        And robocalls. When I hear "please wait" when I answer the phone, I don't bother waiting around to see what moronic company is trying to spam me, I just hang up.

    • by drpimp ( 900837 )
      I actually think I got one of these calls sometime last week. The recording left a message and is still in my box, well half of it. Apparently their dialer script doesn't have that great of, if any, PAMD. The audio is what sounds like a native English speaker, speaking very fast but sometimes stumbling, likely reading from a written script asking for account numbers and ATM codes. I immediately knew it was a scam but I am sure others receiving the call might have not have been so lucky to recognize that.
      • The problem is nobody should *ever* fall for this, no matter how good the caller sounds.

        Someone phones you. CLID can be faked. Can't trust that. Unless they have some way of authenticating themselves to you treat them as unknown.
        That phone call contains another number. Ignore it. Go to the website of your bank, find a published customer service number and ask them.

        It's exactly the same as anyone with any sense has been doing for years.. telephone scams aren't new. Now if the bank's calling system is c

        • > Now if the bank's calling system is compromised..

          My credit union has a branch six miles away and head offices at about 25 miles. If I ever get something purports to be a recorded call from them I won't be contacting them by phone.

    • I always hang up as soon as I recognize them for what they are.

      Not me. I set the phone on my desk, press the "mute" button and tie up the telemarketers' phone lines for as long as possible while I get back to reading /.^w^w^wwork. Kind of a low-tech La Brea tar pit [sourceforge.net].

    • When my credit card company detects a charge that might be fraud, they send a robo call telling me to call the number on the back of my card to discuss a possible fraud issue. I like that a lot better than having someone I can't verify call me and ask for personal information. When I call the number printed on my card I can be reasonably certain that I know which company is going to be on the other end of the line. If an attack is so advanced that a thief knows the number printed on the back of my card a
  • Asterix was fishing when he was attacked by the Romans again? Where was Obelix? He'll win in the end, he always does.
  • Vishing (Score:3, Informative)

    by camperdave ( 969942 ) on Wednesday October 28, 2009 @10:55AM (#29898335) Journal

    Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP)

    http://en.wikipedia.org/wiki/Vishing [wikipedia.org]

    Either that or it's an old world ethnic pronunciation of the word "wishing".

  • Sounds like some banks haven't been keeping things up to date...

    Security patches are there for a reason. Security.
    • by drpimp ( 900837 )
      If you RTFA, it's not referring to the actual banks PBX getting hijacked. Regardless, yes there appears to have been an exploit due to a bug and should be fixed now, but the many businesses that use Asterisk and haven't applied patches are those affected.
  • Moral of the story (Score:5, Insightful)

    by Random2 ( 1412773 ) on Wednesday October 28, 2009 @11:01AM (#29898419) Journal

    Don't give sensitive information away unless in person. If you bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

    • Re: (Score:3, Informative)

      by tsm_sf ( 545316 )
      Or, as I preach to older relatives just getting into computers:

      You go to your bank, your bank doesn't come to you.
    • Exactly! The same tactic that defeats Phishing emails also works for Vishing or any other type of social engineering in the direction of the company to the consumer. It however doesn't fix the problem of when the customer (or someone pretending to be them) calls the company.
      • > It however doesn't fix the problem of when the customer (or someone
        > pretending to be them) calls the company.

        That, however, places the liability on the company.

        • > It however doesn't fix the problem of when the customer (or someone > pretending to be them) calls the company.

          That, however, places the liability on the company.

          Unfortunately, for checking and savings accounts in the US, it does not. If someone empties your bank account via false identification, your bank is not liable for your losses.

    • by CRiMSON ( 3495 )

      Yup, keep yer money in your sock like I do! No one gets it, and you ever get in trouble you can bust out the sock and weild that shit like a blackjack tear it up!

    • If you bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

      This is missing the point of the article. It's the banks voice mail systems that were compromised. So even if you call them back at their official listed number, you may still be duped by their re-programmed voice mail system.

      • Which article said that? So far as I can tell, the compromised phone systems belong to random businesses. Calls are then made from the compromised system, meaning the attacker doesn't have to pay for the calls they're making, and also makes it harder to trace the scam back to them.

        It's just like spammers using compromised/"zombie" machines to send their spam. They're offloading the cost and risk to others, while still providing the benefit to themselves.

  • by noidentity ( 188756 ) on Wednesday October 28, 2009 @11:03AM (#29898451)
    Fast-forward to 2109... ghoting [wikipedia.org] attacks are on the rise, but nobody knows what the hell they are.
  • Usage guide (Score:1, Insightful)

    by Anonymous Coward

    Vishing is pronounced "wishing," as in "I am vishing to see your nuclear vessels."

  • I hung up and immediately called the FBI. I'm glad they are actually doing something about it.
    • by ColdWetDog ( 752185 ) on Wednesday October 28, 2009 @12:03PM (#29899251) Homepage

      I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

      If you're like me (and most of Slashdot), you don't need to call the FBI at all. Just look straight into the webcam and tell them what the problem is.

      Don't believe the naysayers that tell you that government is inefficient.

      • If you do buy into the inefficiency thing then go old school and send an email that begins...

        "Dear Uncle bin laden, what is your new address again?"

  • Actually, it's lock down your phones, your VM systems, your IVRs, etc. etc. Many years ago I had someone guess a password on a VM system and I had forgotten to disable "external transfers"... oops. Toll fraud. Now I use safe telecom practices. Practice number 1: Use FreeSWITCH instead of anything else. While any system can be configured unsafely and insecurely, at least the initial FreeSWITCH config is "paranoid by default." -MC
    • Just using FreeSWITCH is not a security solution. It isn't like Asterisk is designed to route toll calls for all callers as a default or something. Software has bugs. Some bugs are security problems. Make sure you apply security updates ASAP. Asterisk even has a mailing list specifically for security updates which makes it super simple to know when you really need to apply a patch.

      • by mishehu ( 712452 )
        I do believe that is in fact what mercutioviz was saying. First pick a better tool, then make sure that tool is in proper configuration and working order. There are just somethings that FS is designed to do differently that make it easier implement good security practices. One example is having one SIP profile (UA) for one IP:port combination. I can have multiple SIP UA's with various levels of security bound to various different dialplan contexts all at the same time. There's none of 1 IP 1 port or al
      • Kasparov, I am in total agreement with you. Putting FreeSWITCH into an insecure environment isn't a "complete solution" by any stretch, and that certainly wasn't my point. Like mishehu mentioned in his post, I believe in using the best tools available and using them properly with good security best practices. FreeSWITCH is simply a better tool in many cases. (Note that I said "in many cases" and not "in ALL cases")

        VoIP is an enabling technology, and like all enabling technology both consumers and crimin
    • I agree with mercutioviz, FreeSWITCH is a much better tool than anything else I ever seen in the OSS or proprietary world when it comes to VoIP and telecommunications.
  • Complete crap (Score:4, Insightful)

    by screeble ( 664005 ) <jnfullerNO@SPAMgmail.com> on Wednesday October 28, 2009 @11:43AM (#29898993)

    What a load of crap. Asterisk developers patch security holes relatively quickly. This isn't an Asterisk "endemic."

    Brute forced passwords are a bad administrator "endemic."

    If your password policy is so stupid that you can be wordlisted then the issue may just be a PICNIC problem and not a fault of an application.

    Asterisk isn't a security application. It's an enterprise-grade VoIP server and PBX.

    Connecting Asterisk to a public network without some sort of border control is just stupid.

    • Re: (Score:1, Interesting)

      Asterisk is by no means a carrier-grade server, and it has many problems, these problems include bugs, deadlocks, etc.

      You probably never worked on the telecom field to say that, the fact is that there is a much better alternative and that alternative is FreeSWITCH.

      Just take a look at this:

      "How does FreeSWITCH compare to Asterisk?"
      http://www.freeswitch.org/node/117
      • Re: (Score:2, Interesting)

        by screeble ( 664005 )

        I work in engineering design for an ILEC and admin Asterisk on a day-to-day basis within our test facilities.

        I completely agree that Asterisk is not carrier-grade but that doesn't negate the fact that it's being used for carrier-grade applications by many operators.

        Hell, most linux distros aren't carrier grade. We're not arguing that point. I agree completely.

        To me, Asterisk is a perfect drop-in replacement for a legacy pbx when serving in-house sip clients. Perhaps saying the app is enterprise-class is a b

        • Re: (Score:2, Informative)

          Linux is ok for carrier-grade in my opinion, at least it's very stable and performs well.

          I can't say the same with Asterisk really because I had many bad experiences with it, some of these bad experiences includes: deadlocks, crashes, transcoding problems, corrupted sound issues, etc.

          I work in the telecom industry as well and I was an Asterisk user who migrated to FreeSWITCH for the reasons that is more stable and performs better, I have also worked for companies such as Teliax Inc, etc. I'm also starting m
          • Re: (Score:2, Interesting)

            by screeble ( 664005 )

            DISCLAIMER: I sometimes use ubuntu server so I can't really point any fingers re: CGL

            Be careful, "ok for carrier-grade" isn't the same as being CGL 4.0 compliant. There are only a handful of certified CGL's.

            http://www.linuxfoundation.org/collaborate/workgroups/cgl [linuxfoundation.org]

            I've personally had great experiences with Asterisk but we're using it in a completely nonstandard (if there is such a thing) way.

            We do a lot of code hacking to emulate customer troubles with presentation, etc.

            For us, it's great and filled our need

        • Re: (Score:3, Interesting)

          by kasparov ( 105041 ) *

          I've used Asterisk in installations with 10s of thousands of users--and this was probably 4 years ago or so. It certainly wasn't initially designed for it--but it will most certainly do the job if you are willing to put in the work. And it is light years ahead of where it was when I was using it for carrier-grade operations.

          Don't get me wrong, there are certainly things that need improvement--especially in the area of being able to do live migrations and failover w/o dropping calls, but there are some trul

      • Re: (Score:3, Interesting)

        by kasparov ( 105041 ) *

        I remember you...you were that guy that spammed the asterisk bug tracker saying that people should switch to FreeSWITCH on about 10 different bugs. Nice to see that some things never change.

    • Re:Complete crap (Score:4, Insightful)

      by rantingkitten ( 938138 ) <<gro.sedahsrorrim> <ta> <nettik>> on Wednesday October 28, 2009 @03:37PM (#29902277) Homepage
      Most of the security problems I've seen actually exploited are not a problem with asterisk as such, or even border control, but of retarded admins. For example, many IP phones expect to connect to a fileserver of some sort and download some xml files containing their SIP information. Admins will routinely just create an ftp account somewhere, using the default login and password of the phones, and dump the files there. They'll frequently allow that ftp user to have shell access too, or forget to disable directory listing on the ftp directory, or do anything else that resembles common sense and security.

      It would be trivial to portscan far and wide, find some asterisk boxes, and exploit these terribly common mistakes made by clueless admins. I have demonstrated to clients how I was able to log into their server armed only with the knowledge of what the default ftp username and password is, then download all their users' config files containing all the information I'd need to fraudulently use their phone lines. Sometimes it takes a dramatic demonstration like that to make people wake up.
      • It's worse than that, actually. Cisco 7960's are pretty brain dead. They pull their configs off tftp based on the mac address. Flip the phone over and write down some digits and you're halfway there. Keys to the kingdom on the bottom of the phone.

  • positing to undo incorrect moderation. nothing to see here, move along...
  • Why someone would still use Asterisk is beyond me, just use FreeSWITCH, it's a much better alternative.
    • Remember, just dropping FreeSWITCH into an insecure environment isn't a solution. As systems integrators we still have to do our due diligence for security. Locking down Asterisk installs is always a good policy.

      I think the real question is why there are so many Asterisk-based systems out there with little or no security in place. My guess is that it's because a lot of people just download it and throw it onto a customer's site. Oopsie.

      The advantage that FreeSWITCH gives is that it makes security easie
  • "You keep using that word. I do not think it means what you think it means." I'm not entirely sure anyone here knows what "endemic" means. "Endemic" is not newsworthy, unless we've been searching and searching for where these vishing attacks come from. "Pandemic" might be newsworthy. Or "epidemic" might be newsworthy. "Endemic" not so much.
  • by Rememberthisname ( 464554 ) on Wednesday October 28, 2009 @04:03PM (#29902581)

    So as is unfortunately typical, some of the quotes I made of course been taken out of proportion. My quote was not that "Asterisk attacks are endemic", but that SIP-based brute force attacks are endemic. Every SIP system that is open to the "public" Internet is seeing large numbers of brute-force attacks. Sites that have weak username and weak password control will be compromised - this is little different than email accounts being taken over by password-guessing systems and used for sending floods of email. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly. I hear reports of these types of attacks now all the time - it's not unusual, and it's not just Asterisk. We had a blog about this a year ago; this is just a re-packaging of the same news a year later, when recently I unsurprisingly said that attacks are no longer even newsworthy because they're so frequent (hence, the term "endemic".) Apparently, not being newsworthy means... it's newsworthy!

    This has little to do with Asterisk other than it happens to be the most prevalent SIP-based platform on the Internet currently. It has everything to do with protocol attacks by script kiddies, or more professional attackers. Bad passwords = easy penetration. The upside on this is that it yet again gets the attention of administrators who might not otherwise know that their password of '1234' might be guessed by criminal users.

    The bug that was mentioned? Old news. Really, really old news. And really not even that much of a threat for most people the way they have their systems configured even if they haven't upgraded.

    Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya - they're all vulnerable to the brute force attacks if adequate network and username/password security is not implemented. There are ways to minimize, if not eliminate these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)

    Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of it's GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins. It's really not something that can be done in the core of Asterisk; it has to be done by whatever is the layered UI on top of Asterisk for configuration, or just by good policy.

    http://blogs.digium.com/2009/03/28/sip-security/ [digium.com]
    http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/ [digium.com]

    John Todd - jtodd@digium.com
    Digium, Inc.
    Asterisk Open Source Community Director

    • Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of it's GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins.

      There's no good algorithm for telling the strength of a password (password strength is related to the Kolmogorov complexity [wikipedia.org] of the password, which is incomputable), and every

      • by Qwell ( 684661 )

        I'm not familiar with how Switchvox determines the strength of a password, however...

        It should strike everybody here as obvious that '1234' on an account '1234' would be a poor password. I could say with some confidence that 'apple' would be universally considered to be a poor password, just based on it being a common dictionary word.

        Unfortunately, there are many people who don't share this understanding. It most certainly isn't unique to VoIP.

    • Re: (Score:3, Interesting)

      by cheros ( 223479 )

      John, one of the ways I got people to use "good" passwords is by getting them a Yubikey [yubico.com] and setting it to static mode. It then always generates the same password instead of an OTP, but it's a very long one and as it pretends to be a keyboard it types it in itself. The challenge is always to make it long enough to be safe, but short enough to actually fit in the entry field.

      It is a simple way to both SET a decent password and to preserve that setting in other than a file..

      Just a tip, and no, I don't work f

  • by lennier ( 44736 ) on Wednesday October 28, 2009 @07:54PM (#29905015) Homepage

    'Vishing', eh? Vot are we going to call 'video phishing'?

    Pishing?

If all else fails, lower your standards.

Working...