FBI Vaguely Warns of Asterisk Vishing Vulnerability
coondoggie writes in to let us know about a fraud alert issued by the FBI's Internet Crime Complaint Center, warning that an unspecified bug in unspecified versions of Asterisk IP PBX software could allow criminals to generate "thousands of vishing telephone calls to consumers within one hour." PC World checked with Digium, developer of Asterisk, and found some puzzlement as to what bug the FBI had in mind. "In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system. Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability 'basically allowed you to take over the account of one individual,' he said. ... However, the attack described by the FBI would be extremely hard to pull off, Todd said." Update: 12/09 02:54 GMT by KD: Digium has put out a statement on the IC3 warning (further details), confirming that what the FBI had in mind was an old bug and difficult in the extreme to exploit.
Wouldn't hurt to mention it in the summary, would it?
So, this?
Whatever is said in Latin sounds profound.
"FBI Vaguely Warns of Asterisk 'Vishing' Vulnerability"
what's next:
"FBI Vaguely Warns of People 'Vanting' To Suck Your Blood"
Summation 2
Oddly, about a 1/2 hr before this story was posted I received a similar vishing scam. Caller ID said +23456, and a guy with an American name but an Indian-like accent claiming to be from the "United States Federal Grant Program" said that he was going to send me $5000 in grant money. He explained this was because I was a good taxpayer, that I didn't have any felonies, and that I could be given this money for a variety of reasons ranging from family care to school etc. His accent and sentence composition totally gave away that he wasn't a US-paid telemarketer. Curious about how the scam worked, I played along, verifying information about my address that he somehow already had. He continued to explain how his company would be transferring money to me as soon as I sent back the info they were going to send me. He went on to explain further, then eventually he asked for my bank account info; I deferred him until later, claiming I didn't have it, hung up and called the FBI.
Oddly, he had such a long story, and the way he extracted info (aside from his accent) seemed pretty reasonable. I could totally see some fool (my mother) assuming that since the incoming number wasn't a normal one, the only possible explanation was that the government was calling them.
Strangely, the FBI took my call and I spoke with a detective; however, they were unwilling to work with me to try and catch this guy, because the amount of money he was scamming wasn't high enough; apparently he has to scam $300,000 before they will allocate any resources toward the case!!! It's no wonder there's such a problem with this type of scamming.