
FBI Vaguely Warns of Asterisk Vishing Vulnerability

kdawson posted more than 5 years ago | from the do-not-call-back dept.

Security 57

coondoggie writes in to let us know about a fraud alert issued by the FBI's Internet Crime Complaint Center, warning that an unspecified bug in unspecified versions of Asterisk IP PBX software could allow criminals to generate "thousands of vishing telephone calls to consumers within one hour." PC World checked with Digium, developer of Asterisk, and found some puzzlement as to what bug the FBI had in mind. "In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system. Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability 'basically allowed you to take over the account of one individual,' he said. ... However, the attack described by the FBI would be extremely hard to pull off, Todd said." Update: 12/09 02:54 GMT by KD : Digium has put out a statement on the IC3 warning (further details), confirming that what the FBI had in mind was an old bug and difficult in the extreme to exploit.


Vishing = Voice Phishing (5, Informative)

iammani (1392285) | more than 5 years ago | (#26014971)

Wouldn't hurt to mention it in the summary, would it?

Re:Vishing = Voice Phishing (3, Funny)

mrsteveman1 (1010381) | more than 5 years ago | (#26015057)

Oh PHishing! I thought I was just supposed to yell at the fish, but it didn't work =(

Re:Vishing = Voice Phishing (1, Funny)

Anonymous Coward | more than 5 years ago | (#26017377)

Vhen you vish upon a *...

Re:Vishing = Voice Phishing (0)

Anonymous Coward | more than 5 years ago | (#26015067)

Ah. I thought the Slashdot editors had misspelled rishing [wikipedia.org].

Re:Vishing = Voice Phishing (0)

Anonymous Coward | more than 5 years ago | (#26024415)

Oh! Personally, I thought they misspelled vishnuing [wikipedia.org], the art of waving and shaking someone's hand with your two arms---while picking their pockets with your two *other* arms ;) [no offense to Hindu Slashdot readers, I'm not saying Vishnu is deceptive, just playing with the fact that he traditionally is depicted with four arms, which reminds me of the expression "two-faced"]
-os

Re:Vishing = Voice Phishing (4, Insightful)

ceoyoyo (59147) | more than 5 years ago | (#26015169)

Actually, I thought the use of the phrase "vishing telephone calls", while technically redundant, also served to beautifully highlight what a stupid term "vishing" is.

How exactly is "vishing" different than those idiots who called the other day to tell me I'd won an all expense paid trip to Bermuda, only they needed my credit card information to make the reservations?

Re:Vishing = Voice Phishing (0)

Anonymous Coward | more than 5 years ago | (#26015275)

Don't you know? The less technical and more silly it sounds, the easier it is for the layman to understand.

Re:Vishing = Voice Phishing (0)

Anonymous Coward | more than 5 years ago | (#26015289)

"How exactly is "vishing" different than those idiots who called the other day to tell me I'd won an all expense paid trip to Bermuda, only they needed my credit card information to make the reservations?"

In this case it seems that difference is that they call others via your hacked asterisk machine, leaving you with a bill.

Re:Vishing = Voice Phishing (1)

lysergic.acid (845423) | more than 5 years ago | (#26015429)

It's different because those calls aren't trying to steal your credit card info. They're trying to sell you something using what seems, at first glance, an enticing risk-free offer. One is a bait-and-switch tactic, the other is just phishing over the phone. They might both be scams, but the first one is legal and the second one is not.

I mean, a lot of companies use fine print to lure unsuspecting consumers into really unfavorable contracts. But would you consider that phishing as well? I agree they're both equally scummy and there is a large consumer advocacy movement against deceptive business practices, but there's still a big difference between things like predatory lending and phishing, and it's not just that one is institutionalized and the other isn't.

Re:Vishing = Voice Phishing (3, Interesting)

cdrguru (88047) | more than 5 years ago | (#26015713)

The problem is that most people of average intelligence who are not wealthy are ready and willing to be taken in by almost any sales approach. Trying to outlaw "deceptive marketing" to these people would mean you couldn't sell them a newspaper subscription.

There are some organizations that go out of their way to mislead people, but most people are very willing to be misled all by themselves and even encourage it. So is it worth trying to explain to someone that if all they want is the Sunday paper that it is actually cheaper to get the whole week's papers because that is how it is sold? Is it really deceptive to give the person what they think they want, regardless that it costs more? Lots of folks would say selling someone what they want when it is more expensive than some alternative is indeed "deceptive". With this in mind, I'd say you would have to get rid of all sales, marketing and advertising to avoid "deceiving" most people of average intelligence.

Re:Vishing = Voice Phishing (1)

Alex Belits (437) | more than 5 years ago | (#26018349)

Is it really deceptive to give the person what they think they want, regardless that it costs more?

Yes.

Next question, please.

Re:Vishing = Voice Phishing (1)

compro01 (777531) | more than 5 years ago | (#26015933)

Imagine that someone calls you claiming to be your bank/credit card company/etc. AND the caller ID says it is your bank/credit card company/etc.

Re:Vishing = Voice Phishing (1)

nobaloney (1012719) | more than 5 years ago | (#26021069)

Phunny you should say that ...

Just yesterday I got a telephone call from the local city-owned electric company. The phone call eventually failed as they were trying to transfer me, and when I called back the number from my caller-ID display, the recording said the number was no longer in service.

It really was the city-owned electric company, and my point is that forging caller-ID is now both prevalent and acceptable.

Which blends the line so much that it's becoming harder to tell who's legit and who isn't.

Re:Vishing = Voice Phishing (1, Informative)

Anonymous Coward | more than 5 years ago | (#26017747)

Ask them to mail you a letter stating the prize and reply in certified mail with a return receipt. If you do not receive what they claim, they will be guilty of a felony - mail fraud.

Re:Vishing = Voice Phishing (1)

Zontar The Mindless (9002) | more than 5 years ago | (#26015653)

Thanks for that. I was starting to feel old and behind the times because I had to Google it... :)

I Vish I May, I Vish I might... (0)

Anonymous Coward | more than 5 years ago | (#26017927)

Ven I vish upon a star,
Dos not matter who you are,
Vor vish vill come true.

Re:Vishing = Voice Phishing (1)

lxs (131946) | more than 5 years ago | (#26018569)

Visher's anthem.

When you vish upon a star
Makes no difference who you are
Anything your heart desires
Will come to you

Then what are we going to call video phishing? (1)

lennier (44736) | more than 5 years ago | (#26024479)

Vidishing?
Camishing?
Pishing?

Can you hear me now? (3, Insightful)

davidwr (791652) | more than 5 years ago | (#26014977)

Hello? Hello? May I speak to my friend the honorable Mr. JohnSmith@bigcompany.com, President?

I am Mr. Dramane Yadi, I work in the Accounts/ Operations Department of a Prime banks here in Abidjan Cote D'Ivoire. I actually have an urgent and very confidential business proposal for you. I got your contact from Internet and decided to contact you immediately.
*CLICK**DIALTONE*
Hello? Hello? Can you hear me now?

Re:Can you hear me now? (2, Funny)

couchslug (175151) | more than 5 years ago | (#26016037)

"I am Mr. Dramane Yadi, I work in the Accounts/ Operations Department of a Prime banks here in Abidjan Cote D'Ivoire. I actually have an urgent and very confidential business proposal for you. I got your contact from Internet and decided to contact you immediately."

"This is Mr Smith. I would be delighted to do business with you, and you called at the ideal time!
I have a choice portfolio of mortgage-backed securities and would like to offer you the opportunity...

*CLICK**DIALTONE*

Re:Can you hear me now? (1)

scottrocket (1065416) | more than 5 years ago | (#26017071)

"I am Mr. Dramane Yadi, I work in the Accounts/ Operations Department of a Prime banks here in Abidjan Cote D'Ivoire. I actually have an urgent and very confidential business proposal for you. I got your contact from Internet and decided to contact you immediately."

"This is Mr Smith. I would be delighted to do business with you, and you called at the ideal time! I have a choice portfolio of mortgage-backed securities and would like to offer you the opportunity...

*CLICK**DIALTONE*

A "Real Genius" moment strikes again:}

asterisk phishing? (5, Funny)

syrinx (106469) | more than 5 years ago | (#26014989)

So, this [bash.org]?

Re:asterisk phishing? (3, Insightful)

Lord Lode (1290856) | more than 5 years ago | (#26015159)

Oh gee, you slashdotted a bash.org quote, look at the score of that quote rising now!

"Digium wasn't certain" (3, Insightful)

rrohbeck (944847) | more than 5 years ago | (#26015041)

...what vulnerability the FBI was referencing.

Nice. How many do they have?

Re:"Digium wasn't certain" (1)

machine321 (458769) | more than 5 years ago | (#26015073)

Nice. How many do they have?

All of them.

Re:"Digium wasn't certain" (4, Informative)

e9th (652576) | more than 5 years ago | (#26015089)

Why not see [asterisk.org] for yourself?

Re:"Digium wasn't certain" (0)

Anonymous Coward | more than 5 years ago | (#26015173)

Many, as with any complex software. And they are fixed on a daily basis in svn. So if you're using an Asterisk version that is eight months old, you're out of luck.

Vampire dictated? (5, Funny)

Rik Sweeney (471717) | more than 5 years ago | (#26015161)

"FBI Vaguely Warns of Asterisk 'Vishing' Vulnerability"

what's next:

"FBI Vaguely Warns of People 'Vanting' To Suck Your Blood"

Re:Vampire dictated? (0)

Anonymous Coward | more than 5 years ago | (#26015407)

I am the viper, I have come to vash and vipe your vindows.

Re:Vampire dictated? (2, Informative)

Ethanol-fueled (1125189) | more than 5 years ago | (#26015461)

+1 obscure [propadeutic.com] G.I. Joe cartoon reference. Man, that episode was funny as hell!

Re:Vampire dictated? (2, Funny)

Amazing Quantum Man (458715) | more than 5 years ago | (#26015489)

Are you crazy? That was old back in the '60s!

Phone rings
I am the Viper! I am coming!
Woman panics

Phone rings
I am the Viper! I am coming!
Woman panics more

Door knock
I am the Viper! I am here to vipe the vindows!

Might be this (2, Informative)

mlgunner (219100) | more than 5 years ago | (#26015205)

Back in October, one of our servers was compromised using an ssh vulnerability to gain access to the system. What they did was to install Asterisk on our compromised system, and then try to compromise other Asterisk systems on the network. I am not sure as what the actual vulnerability the FBI is talking about, however I do know that they were using asterisk against other PBX systems.

Oh! It's hard to pull off. That's a relief. (1)

psnyder (1326089) | more than 5 years ago | (#26015245)

That vulnerability 'basically allowed you to take over the account of one individual,' he said. ... However, the attack described by the FBI would be extremely hard to pull off , Todd said.

Oh it's difficult! (^_^) Good, then it probably won't be exploited.

Oh... [ic3.gov]

The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software.

I think the FBI fears the Asterisk (1)

TristanGrimaux (841255) | more than 5 years ago | (#26015293)

Because Asterisk is an Open Source project that will really hurt their ability to TAP communications.

Re:I think the FBI fears the Asterisk (1)

Frosty Piss (770223) | more than 5 years ago | (#26015313)

Because Asterisk is an Open Source project that will really hurt their ability to TAP communications.

If they wanted to use * to "tap communications", why would they reveal the bug? Anyway, maybe they tap in before it gets to the PBX, like at the phone company?

Re:I think the FBI fears the Asterisk (1)

TristanGrimaux (841255) | more than 5 years ago | (#26015441)

Have you ever heard of FUD?

Social engineering is easier than engineering this (5, Interesting)

virtualXTC (609488) | more than 5 years ago | (#26015387)

Oddly, about a 1/2 hr before this story was posted I received a similar vishing scam. CallID said +23456, a guy with an American name but Indian-like accent claiming to be from the "United States Federal Grant Program" said that he was going to send me $5000 in grant money. He explained this was because I was a good taxpayer, that I didn't have any felonies, and that I can be given this money for a variety of reasons ranging from family care to school etc. His accent and sentence composition totally gave away that he wasn't a US paid telemarketer. Curious about how the scam worked I played along, verifying information about my address that he somehow already had. He continued to explain how his company would be transferring money to me as soon as I send back the info they are going to send me. He went on to explain further, then eventually he asked for my bank account info; I deferred him until later, claiming I didn't have it, hung up and called the FBI.

Oddly, he had such a long story, and the way he extracted info (aside from his accent) seemed pretty reasonable. I could totally see some fool (my mother) assuming that since the incoming number wasn't a normal one, that only possible explanation was that the government could be calling them.

Strangely, the FBI took my call and I spoke with a detective, however, they were unwilling to work with me to try and catch this guy, because the amount of money he was scamming wasn't high enough; apparently he has to scam $300,000 before they will allocate any resources toward the case!!! It's no wonder there's such a problem with this type of scamming.

Re:Social engineering is easier than engineering t (1)

TristanGrimaux (841255) | more than 5 years ago | (#26015425)

but... do you have an Asterisk PBX?

Re:Social engineering is easier than engineering t (2, Interesting)

Tanktalus (794810) | more than 5 years ago | (#26015479)

Strangely, the FBI took my call and I spoke with a detective, however, they were unwilling to work with me to try and catch this guy, because the amount of money he was scamming wasn't high enough; apparently he has to scam $300,000 before they will allocate any resources toward the case!!!

A minimum scam of $300,000 before the FBI gets involved is +1, Informative, right there. Further to that, any pretense that the cops have about "Crime doesn't pay" is busted right there. Not that I believed them prior to this, but, by itself, that pretty much proves itself right there. Assuming a smart criminal (ok, that's a stretch), you could go out, scam $290,000, and fly under the FBI's radar. That's approximately equivalent to $400,000 at approximately a 25% income tax rate (assuming you don't file with the IRS). If you then lived off that at the median income rate (according to Wikipedia [wikipedia.org] , that's about $50k for a household, before taxes), which means you're doing reasonably well for yourself, until it ran out, you'd be living off the scam for about 8 years before having to do it all over again. The statute of limitations would likely kick in, and you could do it all over again.

Sounds like crime pays to me...

Re:Social engineering is easier than engineering t (1)

adolf (21054) | more than 5 years ago | (#26016469)

I find your ideas intriguing, and would like to subscribe to your newsletter.

What version of Asterisk was that, again?

Re:Social engineering is easier than engineering t (1, Troll)

jlarocco (851450) | more than 5 years ago | (#26016603)

Sounds like crime pays to me...

Sigh.

It's $300k before the FBI gets involved. The OP is an idiot, and should have contacted his local police or state bureau of investigation. Believe it or not, not everything is a federal problem. You wouldn't call the FBI if your car was vandalized, or if your neighbors were fighting really loud, so why would you call them for this?

If the local people get enough calls about it, they'll route it to the FBI when it gets over $300k.

Re:Social engineering is easier than engineering t (0)

Anonymous Coward | more than 5 years ago | (#26016725)

>You wouldn't call the FBI if your car was vandalized, or if your neighbors were fighting really loud, so why would you call them for this?

You don't call the local police because the local police are only allowed to investigate crimes within their jurisdiction. Unless the caller was in your county, they would need to know where he's from so they can call the police department there and open a joint investigation.

Ask a police officer if they are allowed to randomly give out even something as simple as a speeding ticket outside of their county. They'll tell you they aren't going to get in trouble for it, but unless they talk about it with the other police department, it'll just cause problems and likely nobody will prosecute. So why bother?

Re:Social engineering is easier than engineering t (1)

jlarocco (851450) | more than 5 years ago | (#26017255)

You don't call the local police because the local police are only allowed to investigate crimes within their jurisdiction. Unless the caller was in your county, they would need to know where he's from so they can call the police department there and open a joint investigation.

LOL! You don't even know where the caller is, though. Maybe it's a big national crime scam, or maybe it's just your next door neighbor fucking with you. Report it to the police, and if they find it's outside of their jurisdiction, ask them to pass it up to the next level. Jumping straight to calling the FBI is just silly.

Re:Social engineering is easier than engineering t (1)

virtualXTC (609488) | more than 5 years ago | (#26121337)

Unless you know of some other agency that sits between the state level and the FBI, I can't imagine who else I'd contact; the call is more than likely out of country, not to mention out of state. Further, I have a NJ number, the caller was pretending to be in DC, and my bill goes to MA. Perhaps where you live the police are helpful; in NJ and MA I'd be lucky to convince the staties to touch it.

Re:Social engineering is easier than engineering t (0)

Anonymous Coward | more than 5 years ago | (#26020863)

(assuming you don't file with the IRS)

If you don't report those earnings, then you are committing another crime, one that probably *will* be investigated.

Re:Social engineering is easier than engineering t (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26022595)

It rises on a yearly basis, it seems. Just 4 years ago it was $50,000, two years ago it was $100,000.

And even then, that's not necessarily true. I work for a payroll company; we basically handle the direct deposits. Some scammers are very good and manage to take some of the more idiotic sales guys for millions and we still have issues getting feds involved.

Works something like this: they create a fake company with several other guys who are in on it, rent a building for a few days, put on a show for the sales guys, start moving money, act like they're growing, and after 6-7 months, or longer, are moving millions. The only catch is that the money isn't always paid to the payroll company before cash is deposited into employees' bank accounts, and bam! they take off with it.

I know, always make sure they get the money first, etc., but with long-standing customers they want to keep relations, and money taking a day to clear banks usually isn't an issue. Biggest take was about 2.5mil from a scammer who was using us for about 3 years. How he got the money to fund that in the meantime, I don't know, but boy is he rich now.

Re:Social engineering is easier than engineering t (0)

Anonymous Coward | more than 5 years ago | (#26023059)

sorry, $25mil, not 2.5mil

Re:Social engineering is easier than engineering t (2, Interesting)

SunSpot505 (1356127) | more than 5 years ago | (#26017245)

We have also been subject to an Asterisk Vishing scam. We are an outbound autodialer, and somebody compromised a testing account that did not have a good password and attempted to use our PBX to pass on their Vishing message. It was for a bank and asking people to verify account information. Seriously??

We are always on our * console so it was shut down immediately. We called the a$$hole back too and listened to him sweat while driving in traffic. Still, weird stuff... I was considering filing an FBI report, but your experience is not very encouraging.
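
An added example, not part of the original thread and not Digium's or the Asterisk project's code: a small detector for the password-guessing pattern that precedes the kind of compromise described in the post above, run over constructed Asterisk 1.4/1.6 chan_sip log lines (the addresses, account names and thresholds are assumptions). It flags a host that fails SIP registration repeatedly inside a short window, records which usernames it tried (a mistyped secret on one phone tries one name; a sweep tries many), and reports any account that registered successfully from the same host once the failures stopped, which is the moment a weak test account falls.

```python
"""Spot a SIP REGISTER brute force in Asterisk chan_sip log lines.

Added example for this thread; it is not code from Digium or the Asterisk
project. The line formats are the chan_sip NOTICE/VERBOSE messages of
Asterisk 1.4/1.6; the log sample, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style stamp that Asterisk's full log puts in front of every line.
STAMP = r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] "
# One NOTICE per failed REGISTER; the reason text says whether the peer name
# was unknown ("No matching peer found") or the secret was wrong.
FAILED = re.compile(STAMP + r"NOTICE\[\d+\] chan_sip\.c: Registration from "
                    r"'(?P<from>[^']*)' failed for '(?P<host>[0-9.]+)' - (?P<reason>.+)$")
# Successful registration, the sign that a guessed secret has just worked.
OK = re.compile(STAMP + r"VERBOSE\[\d+\] logger\.c: +-- Registered SIP "
                r"'(?P<user>[^']+)' at (?P<host>[0-9.]+)")


def _stamp(text):
    # The stamp carries no year, so comparisons only hold within one year.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def _user(from_field):
    # '"test" <sip:test@192.0.2.10>' -> 'test'; keep the raw field otherwise
    m = re.search(r"<sip:([^@>]+)@", from_field)
    return m.group(1) if m else from_field


def parse_events(lines):
    """Yield (kind, time, host, user, reason); kind is 'fail' or 'ok'."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield "fail", _stamp(m["ts"]), m["host"], _user(m["from"]), m["reason"]
            continue
        m = OK.match(line)
        if m:
            yield "ok", _stamp(m["ts"]), m["host"], m["user"], ""


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: report} for hosts with >= threshold failures in `window`.

    Sliding window over each host's failure times (fail2ban's maxretry/findtime
    idea), plus the set of names tried, which separates a phone with a mistyped
    secret from a dictionary sweep, and any account that registered from the
    same host once the failures stopped.
    """
    fails, oks = defaultdict(list), defaultdict(list)
    for kind, ts, host, user, reason in parse_events(lines):
        (fails if kind == "fail" else oks)[host].append((ts, user, reason))
    reports = {}
    for host, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = events[-1][0]
                reports[host] = {
                    "attempts": len(events),
                    "users": sorted({u for _, u, _ in events}),
                    "enumeration": any(r.startswith("No matching peer") for _, _, r in events),
                    "registered_after": sorted({u for t, u, _ in oks[host] if t >= last_fail}),
                }
                break
    return reports


# Constructed sample: one scanner sweeps names, then guesses the 'test'
# account's secret and registers; a second host is just a mistyped password.
SAMPLE_LOG = """\
[Dec  6 12:00:01] NOTICE[2140] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Dec  6 12:00:01] NOTICE[2140] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Dec  6 12:00:02] NOTICE[2140] chan_sip.c: Registration from '"test" <sip:test@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Dec  6 12:00:02] NOTICE[2140] chan_sip.c: Registration from '"test" <sip:test@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Dec  6 12:00:03] NOTICE[2140] chan_sip.c: Registration from '"test" <sip:test@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Dec  6 12:00:03] NOTICE[2140] chan_sip.c: Registration from '"test" <sip:test@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Dec  6 12:00:04] VERBOSE[2140] logger.c:     -- Registered SIP 'test' at 203.0.113.5 port 5060 expires 3600
[Dec  6 12:05:00] NOTICE[2140] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Dec  6 12:09:30] NOTICE[2140] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.7' - Wrong password
"""

if __name__ == "__main__":
    for host, report in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(host, report)
```

On the sample, 203.0.113.5 is reported (six failures in three seconds, three names tried, unknown-peer replies that show username enumeration, and the 'test' account registering right after), while 198.51.100.7 with two failures several minutes apart is not. The "No matching peer found" reason is only visible to the scanner because chan_sip answers unknown and known usernames differently unless alwaysauthreject=yes is set.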

My money is on.. (1)

necromcr (836137) | more than 5 years ago | (#26015453)

..terrorist threats. It's one of those "There is a critical flaw but it's impossible to happen but we just wanted to make sure we did." and a few months later: "(they) exploited the impossible flaw!" Insert "terrorists", "russians", "chinese hackers" into (they).

That's just me being paranoid, what do YOU think?

At least get the f***in agency right (0)

Anonymous Coward | more than 5 years ago | (#26015547)

Look, I know editors are sloppy here but honestly...how hard is it to identify the correct agency who issued the alert?

It's not the FBI, you dolts.

It's the IC3 [ic3.gov] -- which is a "partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C)"

For a tech site, "close" is not good enough. Details matter.

Re:At least get the f***in agency right (1)

deniable (76198) | more than 5 years ago | (#26016863)

"National White Collar Crime Center" I think I have to give these guys a call and see if they can help with my next business.

"Vishing" (0)

Anonymous Coward | more than 5 years ago | (#26015555)

This just goes to show that stupid portmanteaux must die. And the fidiots who use them.

Aside from a possible bug, ... (1)

fractalspace (1241106) | more than 5 years ago | (#26015853)

.. write access to a single file under Asterisk configuration grants you full control of the dialer. A number of hacking techniques, as well as a misconstrued box can lead to this. Moreover, if it happens to be running under Windows, then possibilities are limitless.

Re:Aside from a possible bug, ... (0)

Anonymous Coward | more than 5 years ago | (#26016269)

as well as a misconstrued box

I'm pretty sure that misconstrued doesn't mean what you think it does, Sparky. How about using "misconfigured", instead?

HTH. HAND.

Asterisk/Digium reply (1)

Rememberthisname (464554) | more than 5 years ago | (#26021881)

Digium posted an "official" reply here:
    http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/

There was a bug in Asterisk that allowed unauthenticated callers to access the guest context, but in order for that to be a threat one would have to configure the dialplan such that guests were able to dial out on whatever PSTN trunk (SIP or analog/digital trunk) was attached to the system. Unlikely to be a huge threat, and that bug was fixed 9 months ago for 1.2 and 1.4, and doesn't exist for 1.6.

More likely is that this is a password guessing attack, so there is some confusion as to how this is an "Asterisk bug" and not just a matter of poor password choices.
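
An added example, not Digium's or the Asterisk project's code, for the two configuration points in the comment above: it parses a constructed sip.conf and extensions.conf, works out which dialplan contexts can reach a trunk (directly or through include => lines), and flags a guest context or a guessable-secret account that lands in one of them. The trunk channel names passed in and the weak-secret rules are this example's assumptions; the defaults it quotes (allowguest=yes, alwaysauthreject=no) are chan_sip's in Asterisk 1.4/1.6. The same check is then run on a corrected pair to show it comes back clean.

```python
"""Audit sip.conf/extensions.conf for the two problems in the Digium statement:
guest (unauthenticated) calls that can reach a trunk, and registering accounts
whose secret is guessable and whose context can reach a trunk.

Added example for this thread, not Digium's or the Asterisk project's code. The
config text is constructed; the trunk channel names and the weak-secret rules
are assumptions. Defaults quoted are chan_sip's in Asterisk 1.4/1.6.
"""
import re


def parse_asterisk_conf(text):
    """{section: [(key, value), ...]}; duplicate keys kept (include/permit/deny
    repeat), ';' comments stripped, '(template)' inheritance ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # 'exten => x' -> ('exten', 'x')
            sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections


def trunk_contexts(extensions, trunk_channels):
    """Contexts that can Dial() one of trunk_channels, directly or through
    'include =>' lines (a fixed point over the include graph)."""
    pat = re.compile(r"Dial\((" + "|".join(map(re.escape, trunk_channels)) + r")[/,)]")
    reach = {c for c, items in extensions.items()
             if any(k == "exten" and pat.search(v) for k, v in items)}
    includes = {c: [v for k, v in items if k == "include"] for c, items in extensions.items()}
    grew = True
    while grew:
        grew = False
        for c, incs in includes.items():
            if c not in reach and any(i in reach for i in incs):
                reach.add(c)
                grew = True
    return reach


def weak_secret(name, secret):
    s = secret.lower()   # assumed rule set: empty, short, equal to the name, digits only
    return not s or len(s) < 8 or s == name.lower() or s.isdigit()


def audit(sip_text, ext_text, trunk_channels):
    """Return [(severity, message)]; an empty list means nothing was flagged."""
    sip, ext = parse_asterisk_conf(sip_text), parse_asterisk_conf(ext_text)
    general = dict(sip.get("general", []))
    reach = trunk_contexts(ext, trunk_channels)
    guest_ctx = general.get("context", "default")
    findings = []
    if general.get("allowguest", "yes").lower() != "no":        # default is yes
        findings.append(("CRITICAL" if guest_ctx in reach else "WARN",
                         f"allowguest is on; unauthenticated calls land in [{guest_ctx}]"))
    if general.get("alwaysauthreject", "no").lower() != "yes":  # default is no
        findings.append(("WARN", "alwaysauthreject is off: replies differ for unknown "
                                 "usernames, so a scanner can enumerate accounts"))
    for name, items in sip.items():
        entry = dict(items)
        if name == "general" or entry.get("host", "").lower() != "dynamic":
            continue  # a provider peer with a fixed host does not register to us
        ctx = entry.get("context", guest_ctx)
        if weak_secret(name, entry.get("secret", "")):
            findings.append(("CRITICAL" if ctx in reach else "WARN",
                             f"[{name}] has a guessable secret and lands in [{ctx}]"))
    return findings


# Constructed sip.conf: [general] left at defaults, a provider trunk, and a
# 'test' account whose secret is its own name.
SIP_WEAK = """\
[general]
context=default          ; guest calls land here

[provider]
type=peer
host=sip.example.net
secret=Zx9!kq2Lm7

[test]
type=friend
host=dynamic
secret=test
context=internal
"""

# Constructed extensions.conf: [default] includes [internal], which includes
# [outbound], so a guest call can reach the provider trunk.
EXT_WEAK = """\
[outbound]
exten => _1NXXNXXXXXX,1,Dial(SIP/provider/${EXTEN})

[internal]
exten => _2XX,1,Dial(SIP/${EXTEN})
include => outbound

[default]
exten => s,1,Playback(vm-goodbye)
include => internal
"""

# Corrected pair: guests refused, uniform auth failures, a real secret, and a
# guest context that includes nothing able to dial out.
SIP_FIXED = (SIP_WEAK.replace("context=default", "context=public\nallowguest=no\nalwaysauthreject=yes")
             .replace("secret=test", "secret=uT7#mRq9vL2e"))
EXT_FIXED = EXT_WEAK.replace("[default]", "[public]").replace("include => internal\n", "")

if __name__ == "__main__":
    for sev, msg in audit(SIP_WEAK, EXT_WEAK, {"SIP/provider"}):
        print(sev, msg)
    print("fixed:", audit(SIP_FIXED, EXT_FIXED, {"SIP/provider"}))
```

Against the weak pair the audit reports the guest context as critical (default reaches the provider trunk through two includes), warns on alwaysauthreject, and reports the 'test' account as critical; against the corrected pair it returns nothing. A plain 'test' account with a weak secret in a context that cannot dial out would still be flagged, but only as a warning, which is the distinction the comment above draws between the old guest-context bug and a password-guessing attack on an account that can reach the PSTN.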

Just use FreeSWITCH instead of Asterisk (1)

diego.viola (1104521) | more than 5 years ago | (#26025463)

Just use FreeSWITCH instead of Asterisk, it's a lot better. Asterisk is worthless and broken software.

FBI Update: Yes, it's an old bug. (1)

Rememberthisname (464554) | more than 5 years ago | (#26040363)

FBI updates the release and says yes, it's just a re-hash of an old security notice that went out in March.

http://www.ic3.gov/media/2008/081205-2.aspx

See the Asterisk [UPDATE] here:

http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
