FBI warns of vishing threat due to software bug

Share this article:
The FBI is warning of a vulnerability that could be exploited by cybercriminals to make rapid-fire vishing telephone calls.

The flaw in open-source toolkit Asterisk, which lets businesses connect to Voice over Internet Protocol (VoIP) services, could allow fraudsters to "auto-dial" thousands of  people in just an hour, the FBI said in an advisory posted on the Internet Crime Complaint Center.

In some cases of vishing, call recipients are greeted with a fake voice message, which provides them with a fraudulent phone number to call back and divulge sensitive information, said Ken Dunham, director of global response for threat intelligence firm iSight Partners.

For example, the bogus call may claim to be coming from an individual's bank, and the recipient would be asked to call back to update his or her account information.

Dunham told SCMagazineUS.com that crooks do not need security vulnerabilities to accomplish the scam. Instead, there are legal services available on the internet that provide mass dialing to legitimate customers.

"I've never seen them use a vulnerability like this because there are a wide variety of services on the internet where you can do broadcast dialing," he said.

The vishing problem is growing in scope, and there is little that end-users can do, Dunham said.

"It's like the blitzkrieg of phishing attacks," he said "It happens very fast, and mitigation is very difficult."

He suggested users be skeptical of unsolicited phone calls from anyone -- even trusted people.

An Asterisk spokesperson could not be reached for comment on Monday. But according to reports, the software has security measures in place to prevent extreme auto-dialing.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.