Scammers Using Asterisk VoIP Systems to Make Calls


It seems like ‘vishing‘ (basically Phishing – but utilising VoIP call services) as it’s known is getting bigger, especially since the scammers have been using a flaw in Asterisk systems that allows them to hijack the VoIP exchange.

Older versions of Asterisk do have quite a number of serious flaws and it looks like scammers and phishing crews have been exploiting these to make thousands of outbound calls. The traditional way they did this was to setup the exchange themselves so they can receive calls that follow-up to their phishing e-mails.

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.

The FBI didn’t say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

So if you are running any kind of Asterisk exchange or derivative (even a hardware based VoIP device based on Asterisk) please make sure you’ve updated to the latest version (this includes firmware for hardware devices).

If not you might find yourself with a very large phone bill that’s hard to explain.

“Early versions of the Asterisk software are known to have a vulnerability,” the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. “The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.”

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.

With the digital nature of Asterisk it’s very easy to dial out then play back a mp3 or wav file that was pre-recorded by the phisher.

They don’t need to take a lot of effort to do this, I imagine they just write a script that auto-generates the phone numbers to dial – then away it goes. Whatever the victim needs to do will be contained within the voice message.

I can’t believe people still fall for these things, but well they do.

Source: Network World

Posted in: Exploits/Vulnerabilities, Phishing, Social Engineering

, , , ,


Latest Posts:


GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.


One Response to Scammers Using Asterisk VoIP Systems to Make Calls

  1. theamoeba December 9, 2008 at 9:05 am #

    How very nice, I work for a company that implements Asterisk VoIP solutions. I am just wondering how the spammers gain access to the Asterisk server, do they hack the password, or how do they do it?

    Cool post, though your posts are always useful.

    Thanks