

Asterisk Vishing Attacks "Endemic"

Ian Lamont writes "Remember the report last year that the FBI was concerned about a 'vishing' exploit relating to the Asterisk IP PBX software? Digium played down the report, noting that it was based on a bug that had already been patched, but now the company's open-source community director says that attacks on Asterisk installations are 'endemic.' There have been dozens of reported vishing attacks in recent weeks, says the article: 'The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.'"

7 of 141 comments

  1. Moral of the story by Random2 · Score: 5, Insightful

    Don't give sensitive information away unless in person. If your bank says there's something wrong with your account, either call them via their listed phone number or go visit them in person.

    --
    "Our goal each year should be to increase the number of goals we set for ourselves!"
  2. Fishing, phishing, vishing, what's next? by noidentity · Score: 5, Funny

    Fast-forward to 2109... ghoting attacks are on the rise, but nobody knows what the hell they are.

  3. Re:Vishing? by jittles · Score: 4, Funny

    Actually, the attack is named after my Indian friend Vishal. But everyone calls him Vish. No really, I didn't just make this up.

  4. Re:_All_ prerecorded calls are spam. by Deanalator · Score: 4, Informative

    I was getting a recorded message from a spoofed CID at 000-000-0000 and would always kill the call as I saw it come in. Turns out it was my gas company trying to resolve some billing issues.

    A note to all "legit" businesses out there: blocked numbers and especially spoofed CIDs are super sketchy, don't do it.

  5. Complete crap by screeble · Score: 4, Insightful

    What a load of crap. Asterisk developers patch security holes relatively quickly. This isn't an Asterisk "endemic."

    Brute forced passwords are a bad administrator "endemic."

    If your password policy is so stupid that you can be wordlisted then the issue may just be a PICNIC problem and not a fault of an application.

    Asterisk isn't a security application. It's an enterprise-grade VoIP server and PBX.

    Connecting Asterisk to a public network without some sort of border control is just stupid.

    1. Re:Complete crap by spiffmastercow · Score: 4, Interesting

      True enough about the admin fail... But it sucks as a developer to work with software like that. I have to be both the admin and the developer for a small Asterisk IVR, and it's really frustrating to have to dick with all the permissions just to get started coding. It should come relatively secure by default, in a repo with a reasonable update schedule. Don't get me wrong, Asterisk is a great tool, but there are definitely times when I get that "duct tape and shoe string" impression when I'm coding apps for it.
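Comment 5 above pins the problem on brute-forced SIP secrets and PBXes exposed to the Internet without border control. As an added example (this is not code from the thread, from the article, or from the Asterisk project), the block below shows how a practitioner would actually see that brute forcing happening in Asterisk's own log: it parses the `Registration from ... failed for ...` NOTICE lines that chan_sip writes in the Asterisk 1.x log format, counts failures per source address inside a sliding time window, and labels whether the source is still enumerating extensions (`No matching peer found`) or already guessing a known extension's secret (`Wrong password`). The log lines, the threshold and window values, and the function names `parse_failures` and `detect_bruteforce` are constructed for this example and are assumptions, not anything from the page.

```python
"""Flag SIP registration brute force against Asterisk from its log file.

Added example, not code from the Slashdot thread or the Asterisk project.
Parses chan_sip 'Registration from ... failed for ...' NOTICE lines
(Asterisk 1.x log format) and flags source addresses that rack up too many
failures inside a sliding window, roughly what a fail2ban filter does.
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# chan_sip NOTICE line for a failed REGISTER. The ':port' after the source
# address is optional because older releases log the bare address.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<frm>[^']*)' failed for '(?P<src>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# 'No matching peer found' means the attacker is still hunting for valid
# extensions; 'Wrong password' means it has one and is guessing its secret.
ENUMERATION_REASONS = {"No matching peer found", "Username/auth name mismatch"}
GUESSING_REASONS = {"Wrong password"}

# Constructed sample log: one source sweeps extensions then hammers 1001;
# a second source has a single typo-style failure; one line is not a failure.
SAMPLE_LOG = """\
[Feb 12 10:00:01] NOTICE[2184] chan_sip.c: Registration from '"100" <sip:100@10.0.0.1>' failed for '203.0.113.5:5060' - No matching peer found
[Feb 12 10:00:01] NOTICE[2184] chan_sip.c: Registration from '"101" <sip:101@10.0.0.1>' failed for '203.0.113.5:5060' - No matching peer found
[Feb 12 10:00:02] NOTICE[2184] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.1>' failed for '203.0.113.5:5060' - Wrong password
[Feb 12 10:00:02] NOTICE[2184] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.1>' failed for '203.0.113.5:5060' - Wrong password
[Feb 12 10:00:03] NOTICE[2184] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.1>' failed for '203.0.113.5:5060' - Wrong password
[Feb 12 10:00:03] NOTICE[2184] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.1>' failed for '203.0.113.5:5060' - Wrong password
[Feb 12 10:00:04] NOTICE[2184] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.1>' failed for '203.0.113.5:5060' - Wrong password
[Feb 12 10:00:05] VERBOSE[2184] chan_sip.c:     -- Registered SIP '1001' at 10.0.0.22:5060
[Feb 12 10:05:30] NOTICE[2184] chan_sip.c: Registration from '"2002" <sip:2002@10.0.0.1>' failed for '198.51.100.7' - Wrong password
"""


def parse_failures(log_text):
    """Yield (timestamp, source_ip, from_header, reason) for each failed REGISTER."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue  # VERBOSE lines, successful registrations, anything else
        # Collapse the padded day ('Feb  2') before parsing; the year is irrelevant.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["src"], m["frm"], m["reason"]


def classify(reasons):
    """Label a source by what its failure reasons say it is doing."""
    enumerating = bool(reasons & ENUMERATION_REASONS)
    guessing = bool(reasons & GUESSING_REASONS)
    if enumerating and guessing:
        return "mixed"
    if enumerating:
        return "enumeration"
    if guessing:
        return "guessing"
    return "other"


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: {"count": n, "kind": label}} for every source that reaches
    `threshold` failed registrations within any `window_seconds` span.
    `count` is the number of failures in the window at the source's last failure.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    reasons = defaultdict(set)    # src -> distinct failure reasons seen
    flagged = {}
    for ts, src, _frm, reason in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # slide the window forward
        reasons[src].add(reason)
        if len(q) >= threshold:
            flagged[src] = {"count": len(q), "kind": classify(reasons[src])}
    return flagged


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} failed registrations ({info['kind']})")
```

Anything this flags is a candidate for a firewall drop, which is the "border control" comment 5 asks for after the fact. Two caveats a practitioner would want: the enumeration label depends on Asterisk telling the client that the peer does not exist, so on a PBX with `alwaysauthreject=yes` the SIP responses no longer leak that distinction to the attacker, although the log line still records the real reason; and a threshold of five in a minute is an assumption chosen for the sample, not a tuned value.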

  6. Re:I got one of those calls. by ColdWetDog · Score: 5, Funny

    I hung up and immediately called the FBI. I'm glad they are actually doing something about it.

    If you're like me (and most of Slashdot), you don't need to call the FBI at all. Just look straight into the webcam and tell them what the problem is.

    Don't believe the naysayers that tell you that government is inefficient.

    --
    Faster! Faster! Faster would be better!