FBI: Criminals auto-dialing with hacked VoIP systems

The FBI is warning users of the Asterisk VoIP system to upgrade, saying that scammers are exploiting a bug in it to dial vishing calls.

Criminals are taking advantage of a bug in the Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.

The FBI didn't say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

"Early versions of the Asterisk software are known to have a vulnerability," the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. "The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour."

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.

Digium representatives were not immediately available to comment for this story.

More about: Asterisk, Digium, FBI, Federal Bureau of Investigation, Linux
References show all

Comments

1

Paul Liew

Tue 09/12/2008 - 13:06

Digium's Response

As Australian Technology Partnerships (ATP) are Digium's Distributor in the region, we feel obliged to reply.

Digium had made a response to the original posting by the security organisation (without being contacted first); and have made further statements to say that this vulnerability was related to an issue raised in March 2008 and has been resolved. The majority of Asterisk users would have upgraded to the latest stable and would not be subject to the said attacks.

Digium's response can be found at

http://blogs.digium.com

Your team would have found this article easily as part of the research and included it in your column.

Australian Techonlogy Partnerships (ATP) P/L

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: asterix, digium, fbi
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/165/billings/

Billings

Billings allows you to present clients with professional looking invoices. There are 30 templates to choose from and you can add your own logo and ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia