The FBI today issued a warning that the open source IP-PBX software Asterisk can be used to conduct vishing attacks that target private information. VoIP-based vishing takes advantage of caller ID spoofing to try to weasel personal information out of victims.
The FBI said recent fraud attacks were conducted by hackers exploiting a security vulnerability in Digium's Asterisk software. Asterisk is free and widely used software developed to integrate PBX systems with VoIP. The FBI wasn't specific about which version of Asterisk was at risk but said early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.
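The auto-dialer abuse described above leaves an obvious trace on the PBX itself: one extension placing far more outbound calls per hour than any legitimate user. The following is an added defender-side example, not code from the FBI advisory or from Digium. It assumes Asterisk's default CSV call detail record (CDR) column order, constructs its own sample records (extension 1001 calling normally, extension 1042 dialing sixty numbers in ten minutes), and uses an assumed threshold of 50 calls in a sliding one-hour window to raise an alert.

```python
# Added example, not from the advisory or Digium: flag an extension whose outbound
# call rate looks like an auto-dialer. Column order follows Asterisk's default CSV
# CDR (Master.csv); the sample records and the 50 calls/hour threshold are assumptions.
import csv
from collections import deque
from datetime import datetime, timedelta
from io import StringIO

# Field order of Asterisk's cdr_csv output; only src and start are used below.
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]
TS = "%Y-%m-%d %H:%M:%S"


def build_sample_cdr():
    """Constructed CDR text: extension 1001 places five calls ten minutes apart,
    extension 1042 (assumed compromised) places sixty calls ten seconds apart."""
    base = datetime(2008, 12, 5, 9, 0, 0)
    rows = []

    def add(src, dst, start, seq):
        end = start + timedelta(seconds=20)
        rows.append([
            "", src, dst, "outbound", f'"{src}" <{src}>', f"SIP/{src}-{seq:08x}",
            f"SIP/trunk-{seq:08x}", "Dial", f"SIP/trunk/{dst}", start.strftime(TS),
            start.strftime(TS), end.strftime(TS), "20", "20", "ANSWERED", "3",
            f"{1228467600 + seq}.{seq}", "",
        ])

    for i in range(5):
        add("1001", f"5551000{i:03d}", base + timedelta(minutes=10 * i), i)
    for i in range(60):
        add("1042", f"5552000{i:03d}", base + timedelta(minutes=5, seconds=10 * i), 100 + i)

    buf = StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def parse_cdr(text):
    """Parse CSV CDR lines into dicts, converting 'start' to a datetime."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(CDR_FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(CDR_FIELDS, row))
        rec["start"] = datetime.strptime(rec["start"], TS)
        records.append(rec)
    return records


def detect_bursts(records, threshold=50, window=timedelta(hours=1)):
    """Sliding-window call count per source extension. Returns
    {src: time the threshold was first reached} for offending extensions."""
    starts_by_src = {}
    for rec in sorted(records, key=lambda r: r["start"]):
        starts_by_src.setdefault(rec["src"], []).append(rec["start"])
    alerts = {}
    for src, starts in starts_by_src.items():
        recent = deque()
        for t in starts:
            recent.append(t)
            while t - recent[0] > window:  # drop calls older than the window
                recent.popleft()
            if len(recent) >= threshold:
                alerts[src] = t
                break
    return alerts


if __name__ == "__main__":
    for src, when in detect_bursts(parse_cdr(build_sample_cdr())).items():
        print(f"ALERT: extension {src} reached 50 calls within one hour at {when}")
```

On a real deployment the same function would be pointed at the live CDR file rather than the constructed sample; the threshold should be tuned to the site's normal call volume, and a breached extension is a prompt to review its registration credentials and the trunk it dialed out on.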
Digium reported more than 1 million Asterisk downloads in 2007.
Earlier this year the Internet Crime Complaint Center (IC3) said vishing attacks against US financial institutions and consumers were climbing at an alarming rate and that, at the time, text messaging was a growing concern. The IC3 said text messages are sent to cell phones claiming the recipient's on-line bank account has expired. The message instructs the recipient to renew their on-line bank account by using the link provided.
Vishing operates like phishing by persuading consumers to divulge their personal information, claiming their account was suspended, deactivated, or terminated. Recipients are directed to contact their bank via a telephone number provided in the e-mail or by an automated recording. Upon calling the telephone number, the recipient is greeted with "Welcome to the bank of ..." and then requested to enter their card number in order to resolve a pending security issue.