FBI: Hackers auto-dialing through open source VoIP systems

Asterisk vishing vulnerability lets scammers take over systems

By Robert McMillan, IDG News Service | Published 09:50, 08 December 08

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the US Federal Bureau of Investigation warned Friday.

The FBI didn't say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call centre and then use phishing e-mails to trick victims into calling the centre. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

"Early versions of the Asterisk software are known to have a vulnerability," the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. "The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour."

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Dynamics reported a bug that could allow an attacker to take control of an Asterisk system.

Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability "basically allowed you to take over the account of one individual," he said. "In the worst possible case, you could make thousands of calls in an hour."

However, the attack described by the FBI would be extremely hard to pull off, Todd said.

Most Asterisk systems are protected by firewalls or other security software and even if one could be accessed by a visher, administrators generally limit the number of calls any one account can make simultaneously, he explained. "Most of the time you would not be able to create thousands of calls in an hour."

The flaw affects older versions of Asterisk but not the most current version 1.6, he said.

Slideshows: 13 markets you might not associate with Cisco

Also in slideshows :

Access Computerworld on your mobile

Get the latest news & updates from Computerworld UK on the move. Find out more

BlackBerry 10

Check out our latest articles about BlackBerry's new mobile OS BlackBerry 10.

Virtualising the heart of your business

Explore ways to meet the requirements of today's cloud computing and Big Data challenges.

Cloud storage

Check out our latest articles about cloud storage on Computerworld UK.

Microsoft Lync: The pros and cons for enterprises

Unified communications but heavy on the bandwidth

BskyB finalises £49 million fibre deal with Virgin Media Business

The core of the network will be in place by the end of 2013

How to hack WPA wireless security in one minute

Switch to WPA2, users urged

How to set up secure Wi-Fi for BYOD environments

QuickConnect and XpressConnect offer cloud-based methods to automate BYOD client configuration and connection

Virgin Media Business sets sights on enterprise ahead of Liberty buy-out

Virgin Media Business's new MD Tony Grace speaks exclusively to Computerworld UK about his new role

13 common ERP mistakes and how to avoid making them

To help ensure your ERP implementation is a success, we surveyed dozens of ERP experts

Negotiating with Gigabit Ethernet

Dealing with a rogue ISP.

gTLD applications - Tech giants lead grab for new domains

Google and Amazon spend millions to bet on names like BUY, GAME and SHOP

U.S. gets flood of H-1B petitions on first day

Sky customers furious after troubled email migration from Gmail to Yahoo!

Universal Credit in the spotlight again as pilot timetable changes

Blogs

EU Vote on Clinical Trials Data - Please Contact MEPs Now

I've written a few times about open data in the context of clinical trials - the information that must be provided when new drugs seek approval. As I noted, there is a growing movement to make such basic safety data...read more »

Reading Shakespeare: the Next Act of Open Data

As readers of this blog will have noticed, much of the most innovative work in the field of openness is taking place in open data. One of the largest stores of data is held by government, and the argument for...read more »

Approaching the cyberwar precipice

Can governments resolve the uncertainties quickly enough?read more »

The Spreadsheet and BYOD anarchy

Rekindling the revolutionary fervour of ITread more »

more blogs ..

Nokia files cases against HTC One in the US

IT Business >>

Google ready to start shipping Glass to #ifihadglass Explorers

Infrastructure >>

U.S. urged to let companies 'hack-back' at IP cyber thieves

Security >>

Windows 8 users snub 'Modern' apps, stick to desktop

Applications >>

Cloudian connects with Citrix for easier cloud rollouts

Cloud Computing >>

Google to boost speed, cut data use on mobile devices

Operating Systems >>

Slideshows
White Papers
Videos
Newsletters

Login

Please login to ComputerworldUK.com

Forgot password?

Not a member yet?

Register for a Computerworld UK Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.
Register