RealTime IT News

Phishers Hit The Phone Bank With Asterisk

As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.

LAS VEGAS -- It wasn't that long ago that phishing was an e-mail-only issue. But that has recently changed with the introduction of terms such as vishing into the security lexicon.

In a presentation here at the Black Hat conference, security researcher Jay Shulman explained how a phishing scam could be run with the help of the Asterisk PBX.

The Asterisk VoIP PBX project is perhaps the best-known and most widely used open source VoIP project in the world today.

It is lowering the barrier to telephony entry for millions, including hackers out to steal your money and personal information.

The economics of voice phishing have also changed, thanks to open source Asterisk.

"Five years ago you would have had to buy a commercial system; the fact that there is an open source one available just makes this a lot more accessible," Shulman said.

Shulman was careful to qualify that his presentation was not intended to inspire others to follow his lesson plan.

"I'm trying to show the power of the tools, not trying to show you what to do," Shulman said.

He did, however, describe, demonstrate and detail several attack vectors for executing voice-based phishing scams.

In one scenario, the victim is sent an e-mail and asked to call a 1-800 number, which the attacker sets up.

At the receiving end is the Asterisk PBX which answers the call and asks the caller identifying questions, such as account number and ZIP code. The PBX records and handles the call and then hangs up.

The second attack vector was a man-in-the-middle type of approach where the victim calls into the attacker's 1-800 number.

The attacker's PBX then transparently forwards the call to a real customer service phone number, while still staying on the line and recording all of the information.

Shulman described that particular approach as very manual, and yet very difficult to detect.

The third attack is a combination of the first two approaches.

The victim calls into the 1-800 number, the attacker's PBX asks for the personal information and the call is then transferred to a real customer service operator.

To add insult to injury, Shulman suggested that the attacker could capture the victim's caller ID and have the PBX call the victim back to "confirm" the call.

"It would encourage them that they've done something right, when in fact they've done something quite wrong," Shulman said.

Though most of Shulman's talk was about exploitation paths using Asterisk, he ended his talk with a few suggestions of how to prevent voice-based phishing attacks.

One suggestion was that people should only ever call the 1-800 number listed on the back of their bank or credit cards.

Financial institutions should also step up to warn and educate users about the risks of voice phishing.

Shulman also suggested that call center representatives should ask callers which 1-800 number they dialed, to further ensure that the call is not part of a phishing exploit.
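That last check only helps if the representative can compare what the caller says against the numbers the institution actually publishes, and callers read numbers back in many forms (with or without the leading 1, with an extension, or as a vanity string). The following is an added example, not code from Shulman's talk or from the Asterisk project, of a small helper for that comparison. The published numbers are constructed (the 555-01xx range is reserved for fiction) and the list of toll-free area codes is an assumption about current North American numbering:

```python
import re

# Letter-to-digit map of a US telephone keypad, so a number the caller reads out as a
# vanity string (1-800-JKL-0100) compares equal to its digit form (1-800-555-0100).
KEYPAD = {letter: digit
          for digit, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                                 "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items()
          for letter in letters}

# Assumption: North American toll-free area codes, i.e. what the article calls a "1-800 number".
TOLL_FREE_PREFIXES = {"800", "833", "844", "855", "866", "877", "888"}

# Constructed sample of an institution's published support numbers (555-01xx is a
# reserved fictional range, so these belong to nobody).
PUBLISHED_NUMBERS = [
    "1-800-555-0100",   # the number printed on the back of the card
    "1-888-555-0199",   # lost or stolen card line
]


def normalize(number: str) -> str:
    """Reduce a written or spoken US number to its 10 significant digits.

    Drops punctuation, a leading country code 1 and any extension ("ext. 12", "x12",
    "#12"); maps vanity letters to keypad digits. Returns "" when no 10-digit number remains.
    """
    number = re.sub(r"(?i)(?:\bext\.?|\bx|#).*$", "", number)
    mapped = "".join(KEYPAD.get(ch.upper(), ch) for ch in number if ch.isalnum())
    digits = "".join(ch for ch in mapped if ch in "0123456789")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else ""


PUBLISHED = {normalize(n) for n in PUBLISHED_NUMBERS}


def classify_dialed_number(dialed: str) -> str:
    """Classify the number a caller says they dialed.

    "published":         matches a number the institution actually publishes.
    "toll-free-unknown": a toll-free number that is not ours; the pattern in the article.
    "not-toll-free":     a geographic or mobile number, also not ours.
    "invalid":           nothing that looks like a 10-digit number.
    """
    digits = normalize(dialed)
    if not digits:
        return "invalid"
    if digits in PUBLISHED:
        return "published"
    if digits[:3] in TOLL_FREE_PREFIXES:
        return "toll-free-unknown"
    return "not-toll-free"


if __name__ == "__main__":
    # Constructed answers a representative might hear to "which number did you dial?"
    for answer in ["1 800 555 0100", "(800) 555-0100 ext. 4", "1-800-JKL-0100",
                   "1-800-555-0123", "702-555-0100", "the one in the email"]:
        print(f"{answer!r:32} -> {classify_dialed_number(answer)}")
```

Anything other than "published" is the cue for the representative to tell the caller, as Shulman puts it below, that they have called the wrong number. The helper expects a telephone number as input; the vanity mapping means free text should not be fed to it, since a phrase that happened to map to ten digits would be classified rather than rejected.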

"The only reason why this works is because social engineering works," Shulman said.

"This is all still relatively new but we need to do something to point out to people that they've called the wrong number."