It seems like ‘vishing‘ (basically Phishing – but utilising VoIP call services) as it’s known is getting bigger, especially since the scammers have been using a flaw in Asterisk systems that allows them to hijack the VoIP exchange.

Older versions of Asterisk do have quite a number of serious flaws and it looks like scammers and phishing crews have been exploiting these to make thousands of outbound calls. The traditional way they did this was to setup the exchange themselves so they can receive calls that follow-up to their phishing e-mails.

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.

The FBI didn’t say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

So if you are running any kind of Asterisk exchange or derivative (even a hardware based VoIP device based on Asterisk) please make sure you’ve updated to the latest version (this includes firmware for hardware devices).

If not you might find yourself with a very large phone bill that’s hard to explain.

“Early versions of the Asterisk software are known to have a vulnerability,” the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. “The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.”

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.

With the digital nature of Asterisk it’s very easy to dial out then play back a mp3 or wav file that was pre-recorded by the phisher.

They don’t need to take a lot of effort to do this, I imagine they just write a script that auto-generates the phone numbers to dial – then away it goes. Whatever the victim needs to do will be contained within the voice message.

I can’t believe people still fall for these things, but well they do.

Source: Network World

Vishing, now there’s a new term for you. Basically its Phishing – but utilising VoIP call services, which makes it very easy to spoof the Caller ID.

Even though Caller ID Spoofing was Made Illegal in the USA – people will still continue to do it, remember the FCC said it’s still easy to spoof caller ID. This scam as always includes some Social Engineering, it’s not that easy after all to get people to give up their important info over the phone.

Scams involving email and fake banking websites may get all the attention, but a recent rash of fraudulent phone calls shows criminals haven’t given up on more traditional tools for tricking people into surrendering credit card numbers and other sensitive information.

The calls begin with a recording that makes a tempting offer – usually for a lower credit-card interest rate or an extended car warranty – and then invite the caller to speak to a live agent. The agents then ask for information including the credit card number and expiration, name, address, and in some cases social security number and other data. Recipients who have fallen for the ploy report finding charges as high as $900 on their credit card.

So be careful, don’t be tempted by lower credit card rates or any kind of nonsense offers that you receive from strangers. Honestly I don’t believe any readers of Darknet would fall for this kind of thing..but as always educate those you aren’t so savvy and you are doing your part.

The surge of calls come as security researchers report an up-tick in so-called vishing attacks, which use VoIP, or voice over IP, to trick people into turning over banking credentials and other sensitive data. Last fall, more than 12,000 people in Texas were targeted in a scam that attempted to capture their account details for eTrade and two local banks, according to a recent report from iSIGHT Partners.

Vishers typically set up demo accounts with one of the many VoIP providers, carry out their attack and then move to another provider. The attacks observed in the report were different from the recent scam, however. They typically rely on emails that encourage recipients to call an automated number and manually enter their account information.

It’s worrying, people are getting spammed, scammed and phished from every direction now. All these frauds and spammers are making technology more complex and polluting the Internet with stuff like CAPTCHAs.

I guess it’s here to stay though, so we have to accept with it and deal with it as best we can.

Source: The Register