Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.
In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.
The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.
Hackers made headlines for breaking into phone company systems more than 20 years ago -- a practice that was known as phreaking -- but as the traditional telephone system has become integrated with the Internet, it's creating new opportunities for fraud that are only just beginning to be understood.
VoIP (voice over Internet Protocol) hacking is "a new frontier in the crossover world of telecom and cyber [crime]," said Erez Liebermann, assistant U.S. attorney for the district of New Jersey. "It is an ongoing threat and a serious threat that companies need to be worried about."
Attacks on one of the most popular VoIP systems, called Asterisk, are now "endemic," said John Todd, who works for the product's creator, Digium, as open-source community director. "It's like stealing a baseball bat to break into a car. The first step is to break into Asterisk."
Asterisk hacking began evolving from a fairly "low-level problem" into a much more serious issue around September of 2008, when easy-to-use tools were first published, Todd said. "There are now people doing videos on it and there are blogs and podcasts," he said. "The information is out there."
With these tools, it can be pretty easy to hack a VoIP system by hitting the server designed to connect traffic from the office's local area network to a network provider such as AT&T, which connects the calls to the rest of the world.
The hacker tries to guess the VoIP system's passwords, making thousands of guesses. While an Internet program such as Gmail will block visitors after a handful of failed password guesses, VoIP systems are often not configured this way and will often let any computer connect to them. So hackers pound away at them, trying to guess working phone extensions. Once they find an extension, they run their dictionary attack software. If the password is easy to guess, they're in the network and can phone out for free.
That's what happened to Innovative Technologies, based in Wheeling, West Virginia. It was hacked in early October, apparently by Romanian cyber criminals who used its VoIP system to make telephone-based phishing calls to customers of Liberty Bank, a small regional bank with offices in California.
"They had scanned a whole bunch of IP addresses on the Internet in order to find [VoIP] servers," said Terry Lewis, CEO of Innovative Technologies.
On Oct. 3, Lewis started getting voicemail from Liberty customers who had received the scam calls. He checked his VoIP system logs the next day and found that the hackers had made about 300 calls over the weekend -- not so many calls that it would normally have even been noticed.
Once the VoIP system is hacked, the criminals use it to perform phone-based phishing attacks, sometimes called vishing. Vishing attacks have been around for a few years now, but they've largely flown under the radar, because they often target smaller regional banks rather than high-profile national institutions. The scammers move from bank to bank each week after completing their campaigns.
According to Liberty Bank, other regional institutions have also been hit with vishing attacks from hacked VoIP systems in
Comments
So as is unfortunately typical, some of the quotes I made of course been taken out of proportion. My quote was not that "Asterisk attacks are endemic", but that SIP-based brute force attacks are endemic. Every SIP system that is open to the "public" Internet is seeing large numbers of brute-force attacks. Sites that have weak username and weak password control will be compromised - this is little different than email accounts being taken over by password-guessing systems and used for sending floods of email. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly. I hear reports of these types of attacks now all the time - it's not unusual, and it's not just Asterisk. We had a blog about this a year ago; this is just a re-packaging of the same news a year later, when recently I unsurprisingly said that attacks are no longer even newsworthy because they're so frequent (hence, the term "endemic".) Apparently, not being newsworthy means... it's newsworthy!
This has little to do with Asterisk other than it happens to be the most prevalent SIP-based platform on the Internet currently. It has everything to do with protocol attacks by script kiddies, or more professional attackers. Bad passwords = easy penetration. The upside on this is that it yet again gets the attention of administrators who might not otherwise know that their password of '1234' might be guessed by criminal users.
The bug that was mentioned? Old news. Really, really old news. And really not even that much of a threat for most people the way they have their systems configured even if they haven't upgraded.
Asterisk, Broadsoft, Cisco, Kamailio, OpenSER, FreeSwitch, Avaya - they're all vulnerable to the brute force attacks if adequate network and username/password security is not implemented. There are ways to minimize, if not eliminate these threats with very standard security policies that should be familiar to any network administrator (ACLs, random passphrases, random client usernames, adequate exception logging, and limits on account usage, to name a few.)
Just as an aside, the Digium SwitchVox platform, which is our commercial re-packaging of Asterisk, has as an element of it's GUI a tool that indicates the relative strength of passwords. We'd encourage any other re-packagers or users of Asterisk to implement a similar UI hint that forces good password behavior by users and local admins. It's really not something that can be done in the core of Asterisk; it has to be done by whatever is the layered UI on top of Asterisk for configuration, or just by good policy.
http://blogs.digium.com/2009/03/28/sip-security/
http://blogs.digium.com/2008/12/06/sip-security-and-asterisk/
John Todd
Digium, Inc.
Asterisk Open Source Community Director
On any system the best defense is a STRONG password. If your password is a word, it will easily be broken, if it is a simple number combination, it will easily be broken, if you use that password also for forums etc..., it will be broken. Be smart, use strong passwords. I also run my TrixBoxen behind firewalls to further protect them.
Chris Brandstetter
http://www.ahblawyers.com
Network Administrator
Post new comment