FBI: Criminals Auto-dialing With Hacked VoIP Systems
FBI: Criminals Auto-dialing With Hacked VoIP Systems: Via Business Center - PC World
Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.
The FBI didn't say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.
In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.
"Early versions of the Asterisk software are known to have a vulnerability," the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. "The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour."
The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.
Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability "basically allowed you to take over the account of one individual," he said. "In the worst possible case, you could make thousands of calls in an hour."
However, the attack described by the FBI would be extremely hard to pull off, Todd said.
Most Asterisk systems are protected by firewalls or other security software and even if one could be accessed by a visher, administrators generally limit the number of calls any one account can make simultaneously, he explained. "Most of the time you would not be able to create thousands of calls in an hour."
The flaw affects older versions of Asterisk but not the most current version 1.6, he said.
Read Original Article (Via Business Center - PC World .)
Twitter
Digg
StumbleUpon
Technorati
del.icio.us
Facebook
Furl
LinkedIn
YahooRecent blog posts
- In Bid to Sway Sales, Cameras Track Shoppers
- Unprecedented 25-Year Sentence Sought for TJX Hacker
- EFF Appeals Dismissal of Warrantless Wiretapping Case
- Viacom Makes Its Case Against Yesterday's YouTube
- Obama supports Senators draft plan to rework U.S. immigration policy - Includes National Biometric ID card for all.
- Domain Names Can't Defend Themselves
- Hacker Disables More Than 100 Cars Remotely
- Judges Approves $9.5 Million Facebook ‘Beacon’ Accord
- Hooking Up The Big Brother Machine... And Fighting It
- Court: State Can Dump Non-Sex Offenders Into Registry
