Scammers Using Asterisk VoIP Systems to Make Calls

Keep on Guard!


It seems like ‘vishing‘ (basically Phishing – but utilising VoIP call services) as it’s known is getting bigger, especially since the scammers have been using a flaw in Asterisk systems that allows them to hijack the VoIP exchange.

Older versions of Asterisk do have quite a number of serious flaws and it looks like scammers and phishing crews have been exploiting these to make thousands of outbound calls. The traditional way they did this was to setup the exchange themselves so they can receive calls that follow-up to their phishing e-mails.

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.

The FBI didn’t say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

So if you are running any kind of Asterisk exchange or derivative (even a hardware based VoIP device based on Asterisk) please make sure you’ve updated to the latest version (this includes firmware for hardware devices).

If not you might find yourself with a very large phone bill that’s hard to explain.

“Early versions of the Asterisk software are known to have a vulnerability,” the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. “The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.”

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.

With the digital nature of Asterisk it’s very easy to dial out then play back a mp3 or wav file that was pre-recorded by the phisher.

They don’t need to take a lot of effort to do this, I imagine they just write a script that auto-generates the phone numbers to dial – then away it goes. Whatever the victim needs to do will be contained within the voice message.

I can’t believe people still fall for these things, but well they do.

Source: Network World

Posted in: Exploits/Vulnerabilities, Phishing, Social Engineering

, , , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


One Response to Scammers Using Asterisk VoIP Systems to Make Calls

  1. theamoeba December 9, 2008 at 9:05 am #

    How very nice, I work for a company that implements Asterisk VoIP solutions. I am just wondering how the spammers gain access to the Asterisk server, do they hack the password, or how do they do it?

    Cool post, though your posts are always useful.

    Thanks