FBI warns of Asterisk IP PBX vishing vulnerability

The FBI today issued a warning that the open source Asterisk IP-PBX software can be used to conduct vishing attacks aimed at private information. VoIP-based vishing takes advantage of caller ID spoofing to try to weasel personal information out of victims.

The FBI said recent fraud attacks were conducted by hackers exploiting a security vulnerability in Digium's Asterisk software. Asterisk is free and widely used software developed to integrate PBX systems with VoIP. The FBI wasn't specific about which version of Asterisk was at risk but said early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.
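One defender-side check for the auto-dialer abuse described above, as an added example that is not from the FBI advisory or the Asterisk project: a small Python script that reads Asterisk's CSV call detail records and flags any source that places an abnormal number of calls to distinct numbers within one clock hour. The Master.csv column order and the sample records are assumptions constructed for this example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Column order of Asterisk's default Master.csv CDR file (assumed here; confirm it
# against your own cdr_csv configuration before relying on it).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid"]


def find_dialer_bursts(cdr_text, max_calls_per_hour):
    """Map (src, 'YYYY-MM-DD HH') -> (calls, distinct destinations) for every
    source that placed more than max_calls_per_hour calls within one clock hour.
    A high count spread over many distinct destinations is the auto-dialer shape."""
    buckets = defaultdict(list)
    for row in csv.DictReader(StringIO(cdr_text), fieldnames=CDR_FIELDS):
        hour = row["start"][:13]          # "2008-12-05 09:05:10" -> "2008-12-05 09"
        buckets[(row["src"], hour)].append(row["dst"])
    return {key: (len(dsts), len(set(dsts)))
            for key, dsts in buckets.items() if len(dsts) > max_calls_per_hour}


def cdr_line(src, dst, start, uid):
    """Build one constructed Master.csv record (sample data, not a real log)."""
    fields = ["", src, dst, "from-internal", src, f"SIP/{src}-{uid:08x}",
              f"SIP/trunk-{uid:08x}", "Dial", f"SIP/trunk/{dst}", start, start, start,
              "20", "20", "ANSWERED", "3", f"1228467910.{uid}"]
    return ",".join(f'"{f}"' for f in fields)


# Constructed sample: extension 1001 behaves normally; extension 2000 fires six
# calls to six different numbers inside the 09:00 hour.
SAMPLE_CDR = "\n".join(
    [cdr_line("1001", "15551230001", "2008-12-05 09:05:10", 1),
     cdr_line("1001", "15551230002", "2008-12-05 10:15:00", 2)]
    + [cdr_line("2000", f"1555124{n:04d}", f"2008-12-05 09:{n:02d}:00", 10 + n)
       for n in range(6)]
)

if __name__ == "__main__":
    # A production threshold should be far higher than 5; it is low here only
    # so the small constructed sample trips it.
    for (src, hour), (calls, distinct) in find_dialer_bursts(SAMPLE_CDR, 5).items():
        print(f"{src} placed {calls} calls to {distinct} numbers in hour {hour}")
```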

Digium reported more than 1 million Asterisk downloads in 2007.

Earlier this year the Internet Crime Complaint Center (IC3) said vishing attacks against US financial institutions and consumers were climbing at an alarming rate and that, at the time, text messaging was a growing concern. The IC3 said text messages are sent to cell phones claiming the recipient's on-line bank account has expired. The message instructs the recipient to renew their on-line bank account by using the link provided.

Vishing operates like phishing by persuading consumers to divulge their personal information, claiming their account was suspended, deactivated, or terminated. Recipients are directed to contact their bank via a telephone number provided in the e-mail or by an automated recording. Upon calling the telephone number, the recipient is greeted with "Welcome to the bank of ..." and then requested to enter their card number in order to resolve a pending security issue.


Copyright © 2008 IDG Communications, Inc.
