The FBI attributes this to a critical vulnerability in a popular VoIP platform

Dec 8, 2008 10:38 GMT  ·  By
FBI claims Asterisk vulnerability is responsible for increasing vishing attacks

The FBI's Internet Crime Complaint Center (IC3) has issued a warning about a vulnerability in the Asterisk open source telephony engine that, according to the notice, lets attackers compromise legitimate VoIP servers and place thousands of fraudulent phone calls per hour. Digium, the company behind Asterisk, says the warning is extremely vague and that its attempts to contact the FBI to clarify the matter have been unsuccessful.

Vishing is a form of phishing that uses social engineering over the phone to trick people into disclosing their personal information; the term combines “voice” and “phishing.” Vishing attacks differ in how they reach their targets, but the end result is generally the same: an automated message that instructs the victim to key in confidential information such as credit card or account numbers.

The attackers use e-mail scams or make automated phone calls, in which they impersonate banking institutions. The potential victims are informed that there are some concerns with their banking activity, and they are instructed to call a phone number in order to address the issue. When calling in, the individuals are greeted with yet another automated message that asks for their personally identifiable information (PII).

“The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. […] The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour,” reads IC3's warning.
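The abuse the warning describes, a compromised server driven as an auto dialer, leaves a distinctive trace in the server's own call detail records: a burst of short outbound calls to many distinct numbers from a single source. The Python script below is an added example, not code from the article, from Digium or from the IC3. It constructs a small Master.csv-style CDR file inline (sample data, not a real log) and flags any caller whose busiest one-hour window exceeds thresholds that are assumptions here (50 calls to at least 25 distinct destinations).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column order of Asterisk's classic cdr-csv backend (Master.csv).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid",
]
TS = "%Y-%m-%d %H:%M:%S"


def _cdr_line(src, dst, start, billsec):
    """One constructed CDR record in Master.csv layout (sample data only)."""
    answer = start + timedelta(seconds=3)
    end = answer + timedelta(seconds=billsec)
    fields = [
        "", src, dst, "outbound", f'"{src}" <{src}>', f"SIP/{src}-00000001",
        f"SIP/trunk-{dst[-4:]}", "Dial", f"SIP/trunk/{dst},30",
        start.strftime(TS), answer.strftime(TS), end.strftime(TS),
        str(billsec + 3), str(billsec), "ANSWERED", "DOCUMENTATION",
        f"{int(start.timestamp())}.{dst[-4:]}",
    ]
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(fields)
    return buf.getvalue()


def build_sample_cdr():
    """Constructed Master.csv content: one normal extension plus one hijacked
    peer being driven as an auto dialer (the pattern the IC3 warning describes)."""
    day = datetime(2008, 12, 5, 9, 0, 0)
    lines = []
    # Extension 1001: five ordinary calls spread over the working day.
    for k in range(5):
        lines.append(_cdr_line("1001", f"1212555{1000 + k:04d}",
                               day + timedelta(hours=2 * k), 120 + 40 * k))
    # Peer 7777: 150 short calls to 150 distinct numbers within 50 minutes.
    for k in range(150):
        lines.append(_cdr_line("7777", f"1303555{k:04d}",
                               day + timedelta(hours=1, seconds=20 * k), 12))
    return "".join(lines)


def find_autodialer_bursts(cdr_text, window=timedelta(hours=1),
                           max_calls=50, min_distinct=25):
    """Return {src: {...}} for every caller whose busiest sliding window of
    length `window` holds at least `max_calls` calls to at least
    `min_distinct` destinations. The thresholds are assumptions; tune per site."""
    by_src = defaultdict(list)
    for rec in csv.reader(io.StringIO(cdr_text)):
        if len(rec) != len(CDR_FIELDS):
            continue  # skip malformed lines instead of crashing the monitor
        row = dict(zip(CDR_FIELDS, rec))
        row["start"] = datetime.strptime(row["start"], TS)
        by_src[row["src"]].append(row)

    findings = {}
    for src, calls in by_src.items():
        calls.sort(key=lambda r: r["start"])
        peak_calls, peak_distinct, head = 0, 0, 0
        for tail in range(len(calls)):
            # Advance the window head until calls[head..tail] fits in `window`.
            while calls[tail]["start"] - calls[head]["start"] >= window:
                head += 1
            span = calls[head:tail + 1]
            if len(span) > peak_calls:
                peak_calls = len(span)
                peak_distinct = len({r["dst"] for r in span})
        if peak_calls >= max_calls and peak_distinct >= min_distinct:
            findings[src] = {"calls_in_window": peak_calls,
                             "distinct_destinations": peak_distinct}
    return findings


if __name__ == "__main__":
    for src, info in find_autodialer_bursts(build_sample_cdr()).items():
        print(f"auto-dialer pattern from {src}: {info}")
```

Counting distinct destinations as well as call volume is what separates a vishing dialer from a busy but legitimate extension such as a support queue, which places many calls but to a far smaller set of numbers; a site that already has a trunk with per-peer call limits can feed the same records to this check to catch a peer that has been hijacked below that limit.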

John Todd, Digium's community director, has written a response on the company's blog in which he notes that “the nature of the warning is extremely vague, and has left us guessing as to what the exact issue is that they reference, and how Asterisk is involved.” He says that neither the company nor the developers of the open source Asterisk project are aware of any new vulnerability that fits the description in the FBI warning.

However, he notes that a vulnerability matching the symptoms was discovered and fixed back in March, many months before the warning. The IC3 notice itself hints that the flaw is an old one, since it says the problem affects “early versions of the Asterisk software.” If that is the vulnerability in question, Mr. Todd says that, to his knowledge, the fix has been widely adopted since March, and there would be no reason for such a late warning.

According to him, another explanation would be poor security practices on the part of the companies running Asterisk: weak passwords and pass phrases, no VPN or firewall rules protecting the server, and so on. Such weaknesses can certainly expose Asterisk installations to attack, but they do not originate in the software's code and are not specific to the platform.
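The operational weaknesses Todd lists can be checked mechanically. The Python script below is an added example, not Digium's tooling or anything from the blog post. It parses two constructed chan_sip configurations, a weak one and a hardened one, and reports guest calls left enabled, alwaysauthreject left off, secrets that are short or equal to the peer name, dynamic peers with no deny/permit ACL, and peers with no explicit context. The option names are chan_sip's; the 12-character secret minimum, the sample secrets and the sample network ranges are assumptions.

```python
import re

WEAK_SECRET_MIN_LEN = 12  # assumption: a site policy, not an Asterisk default

# Constructed example of the kind of sip.conf the blog post blames: guest
# calls allowed into a context that can dial out, a secret equal to the
# extension number, and dynamic peers with no address restriction.
WEAK_SIP_CONF = """
[general]
context=outbound        ; unauthenticated INVITEs land here and can reach the trunk
allowguest=yes
bindaddr=0.0.0.0

[1001]
type=friend
host=dynamic
secret=1001

[sales]
type=friend
host=dynamic
context=outbound
secret=sales2008
"""

# The same peers with the weaknesses removed (also constructed).
HARDENED_SIP_CONF = """
[general]
context=no-service      ; unauthenticated callers reach a dead-end context
allowguest=no
alwaysauthreject=yes    ; same 401 for unknown and known peer names
bindaddr=0.0.0.0

[1001]
type=friend
host=dynamic
context=internal
secret=Vz7!qmR2pLx9#Ke4
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
call-limit=2

[sales]
type=friend
host=dynamic
context=internal
secret=Tq4#hWn8sBc2!Yd6
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
call-limit=2
"""


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's ini-like files: [section] headers,
    key=value or key => value, ';' comments, and repeated keys such as
    deny/permit kept in order (stdlib configparser rejects those)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        kv = re.match(r"^([\w-]+)\s*=>?\s*(.*)$", line)
        if kv and current is not None:
            sections[current].append((kv.group(1).lower(), kv.group(2).strip()))
    return sections


def _last(entries, key, default=None):
    values = [v for k, v in entries if k == key]
    return values[-1] if values else default


def audit_sip_conf(text):
    """Return (section, finding) pairs for the misconfigurations described above."""
    sections = parse_asterisk_conf(text)
    findings = []
    general = sections.get("general", [])
    # chan_sip's historical defaults: allowguest=yes, alwaysauthreject=no.
    if _last(general, "allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest: not 'no', so unauthenticated "
                                    "callers land in the default context"))
    if _last(general, "alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject: not 'yes', so replies "
                                    "reveal which peer names exist"))
    for name, entries in sections.items():
        if name == "general" or _last(entries, "type") not in ("peer", "friend", "user"):
            continue
        secret = _last(entries, "secret")
        if secret is None:
            findings.append((name, "no secret: registers and calls without authentication"))
        elif len(secret) < WEAK_SECRET_MIN_LEN or secret in (name, _last(entries, "username", "")):
            findings.append((name, "weak secret: short or equal to the peer/user name"))
        if _last(entries, "host") == "dynamic" and not any(k in ("deny", "permit") for k, _ in entries):
            findings.append((name, "no acl: host=dynamic with no deny/permit, any address may register"))
        if _last(entries, "context") is None:
            findings.append((name, "no context: inherits the [general] context, "
                                   "often the one allowed to dial out"))
    return findings
```

The deny/permit pairs restrict which addresses may register as a given peer inside Asterisk; they complement rather than replace the host firewall or VPN that Todd mentions, and a peer that must roam needs a different control (for example, a strong secret plus a low call-limit) because its source address cannot be pinned.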

Todd has also expressed disappointment over how this problem has been handled by the FBI. “We’re concerned that the FBI has issued this warning without specific details and without contacting anyone involved with the project that we know of - Digium would be a natural choice. Typically, Law Enforcement Agencies would contact vendors or OSS project leads directly or via a CERT clearinghouse, before posting publicly,” he writes.

However, even with the specific details still unknown, the recommendation in the IC3 notice stands and is welcome: “Consumers should not release personal information in response to unsolicited telephone calls.” The Federal Trade Commission (FTC) and several telecom companies have also replaced the fraudulent automated messages on telephone numbers suspended on suspicion of such activity with warnings of their own. That countermeasure may become much harder to apply if vishers move to compromised legitimate VoIP servers, whose numbers cannot simply be cut off.