Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Vaguely Warns of Asterisk Vishing Vulnerability

Posted by kdawson on from the do-not-call-back dept.

coondoggie writes in to let us know about a fraud alert issued by the FBI's Internet Crime Complaint Center, warning that an unspecified bug in unspecified versions of Asterisk IP PBX software could allow criminals to generate "thousands of vishing telephone calls to consumers within one hour." PC World checked with Digium, developer of Asterisk, and found some puzzlement as to what bug the FBI had in mind. "In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system. Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability 'basically allowed you to take over the account of one individual,' he said. ... However, the attack described by the FBI would be extremely hard to pull off, Todd said." Update: 12/09 02:54 GMT by KD : Digium has put out a statement on the IC3 warning (further details), confirming that what the FBI had in mind was an old bug and difficult in the extreme to exploit.

17 of 57 comments (clear)

  1. Vishing = Voice Phishing by iammani · · Score: 5, Informative

    Wouldnt hurt to mention it, in the summary, would it.

    1. Re:Vishing = Voice Phishing by mrsteveman1 · · Score: 3, Funny

      Oh PHishing! I thought i was just supposed to yell at the fish, but it didn't work =(

    2. Re:Vishing = Voice Phishing by ceoyoyo · · Score: 4, Insightful

      Actually, I thought the use of the phrase "vishing telephone calls", while technically redundant, also served to beautifully highlight what a stupid term "vishing" is.

      How exactly is "vishing" different than those idiots who called the other day to tell me I'd won an all expense paid trip to Bermuda, only they needed my credit card information to make the reservations?

    3. Re:Vishing = Voice Phishing by cdrguru · · Score: 3, Interesting

      This problem is that most people of average intelligence and not wealthy are ready and willing to be taken in by almost any sales approach. Trying to outlaw "deceptive marketing" to these people would mean you couldn't sell them a newspaper subscription.

      There are some organizations that go out of their way to mislead people, but most people are very willing to be misled all by themselves and even encourage it. So is it worth trying to explain to someone that if all they want is the Sunday paper that it is actually cheaper to get the whole week's papers because that is how it is sold? Is it really deceptive to give the person what they think they want, regardless that it costs more? Lots of folks would say selling someone what they want when it is more expensive than some alternative is indeed "deceptive". With this in mind, I'd say you would have to get rid of all sales, marketing and advertising to avoid "deceiving" most people of average intelligence.

  2. Can you hear me now? by davidwr · · Score: 3, Insightful

    Hello? Hello? May I speak to my friend the honorable Mr. JohnSmith@bigcompany.com, President?

    I am Mr. Dramane Yadi, I work in the Accounts/ Operations Department of a Prime banks here in Abidjan Cote D'Ivoire. I actually have an urgent and very confidential business proposal for you. I got your contact from Internet and decided to contact you immediately.
    *CLICK**DIALTONE*
    Hello? Hello? Can you hear me now?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Can you hear me now? by couchslug · · Score: 2, Funny

      "I am Mr. Dramane Yadi, I work in the Accounts/ Operations Department of a Prime banks here in Abidjan Cote D'Ivoire. I actually have an urgent and very confidential business proposal for you. I got your contact from Internet and decided to contact you immediately."

      "This is Mr Smith. I would be delighted to do business with you, and you called at the ideal time!
      I have a choice portfolio of mortgage-backed securities and would like to offer you the opportunity...

      *CLICK**DIALTONE*

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  3. asterisk phishing? by syrinx · · Score: 5, Funny

    So, this?

    --
    Quidquid latine dictum sit, altum sonatur.
    1. Re:asterisk phishing? by Lord+Lode · · Score: 3, Insightful

      Oh gee, you slashdotted a bash.org quote, look at the score of that quote rising now!

  4. "Digium wasn't certain" by rrohbeck · · Score: 3, Insightful

    ...what vulnerability the FBI was referencing.

    Nice. How many do they have?

    --
    thegodmovie.com - watch it
    1. Re:"Digium wasn't certain" by e9th · · Score: 4, Informative

      Why not see for yourself?

  5. Vampire dictated? by Rik+Sweeney · · Score: 5, Funny

    "FBI Vaguely Warns of Asterisk 'Vishing' Vulnerability"

    what's next:

    "FBI Vaguely Warns of People 'Vanting' To Suck Your Blood"

    --
    Summation 2
    1. Re:Vampire dictated? by Ethanol-fueled · · Score: 2, Informative

      +1 obscure G.I. Joe cartoon reference. Man, that episode was funny as hell!

    2. Re:Vampire dictated? by Amazing+Quantum+Man · · Score: 2, Funny

      Are you crazy? That was old back in the '60s!

      Phone rings
      I am the Viper! I am coming!
      Woman panics

      Phone rings
      I am the Viper! I am coming!
      Woman panics more

      Door knock
      I am the Viper! I am here to vipe the vindows!

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  6. Might be this by mlgunner · · Score: 2, Informative

    Back in October, one of our servers was compromised using an ssh vulnerability to gain access to the system. What they did was to install Asterisk on our compromised system, and then try to compromise other Asterisk systems on the network. I am not sure as what the actual vulnerability the FBI is talking about, however I do know that they were using asterisk against other PBX systems.

  7. Social engineering is easier than engineering this by virtualXTC · · Score: 5, Interesting

    Oddly, about a 1/2 hr before this story was posted I received a similar vishing scam. CallID said +23456, a guy with an American name but Indian-like accent claiming to be from the "United States Federal Grant Program" said that he was going to send me $5000 in grant money. He explained this was because I was a good taxpayer, that I didn't have any felonies, and that I can be given this money for a variety of reasons ranging from family care to school etc.. His accent, and sentence composition totally gave away that he wasn't a US paid telemarketer. Curious about how the scam worked I played along, verifying information about my address that he some how already had. He continued to explain how his company would be transferring money to me as soon as I send back the info they are going to send me. He went on to explain further, then eventually he asked for my bank account info; I deferred him until later, claiming I didn't have it, hung up and called the FBI.

    Oddly, he had such a long story, and the way he extracted info (aside from his accent) seemed pretty reasonable. I could totally see some fool (my mother) assuming that since the incoming number wasn't a normal one, that only possible explanation was that the government could be calling them.

    Strangely, the FBI took my call and I spoke with a detective, however, they were unwilling to work with me to try and catch this guy, because the amount of money he was scamming wasn't high enough; apparently he has to scam $300,000 before they will allocate any resources toward the case!!! It's no wonder there's such a problem with this type of scamming.

  8. Re:Social engineering is easier than engineering t by Tanktalus · · Score: 2, Interesting

    Strangely, the FBI took my call and I spoke with a detective, however, they were unwilling to work with me to try and catch this guy, because the amount of money he was scamming wasn't high enough; apparently he has to scam $300,000 before they will allocate any resources toward the case!!!

    A minimum scam of $300,000 before the FBI gets involved is +1, Informative, right there. Further to that, any pretense that the cops have about "Crime doesn't pay" is busted right there. Not that I believed them prior to this, but, by itself, that pretty much proves itself right there. Assuming a smart criminal (ok, that's a stretch), you could go out, scam $290,000, and fly under the FBI's radar. That's approximately equivalent to $400,000 at approximately a 25% income tax rate (assuming you don't file with the IRS). If you then lived off that at the median income rate (according to Wikipedia, that's about $50k for a household, before taxes), which means you're doing reasonably well for yourself, until it ran out, you'd be living off the scam for about 8 years before having to do it all over again. The statute of limitations would likely kick in, and you could do it all over again.

    Sounds like crime pays to me...

  9. Re:Social engineering is easier than engineering t by SunSpot505 · · Score: 2, Interesting

    We have also been subject to an Asterisk Vishing scam. We are an outbound autodialer, and somebody compromised a testing account that did not have a good password and attempted to use our PBX to pass on their Vishing message. It was for a bank and asking people to verify account information. Seriously??

    We are always on our * console so it was shut down immediately. We called the a$$hole back too and listened to him sweat while driving in traffic. Still, weird stuff... I was considering filing an FBI report, but your experience is not very encouraging.