FBI Warns of Vishing Attacks with Compromised Asterisk Systems. Time to Upgrade.
December 8, 2008
Last Friday the FBI warned of a potential flaw in Asterisk PBX that would allow attackers to create thousands of calls per hour for vishing. Vishing is "phishing over VoIP", in case you've been living under a rock for the past couple of years. The flaw in Asterisk, or more likely the flaw in the Asterisk administrators running the system, lets people register to your system as a local extension; they then set up an auto dialer to call out from your system and grab unsuspecting people's credit card numbers.
The FBI is pretty vague as to what vulnerability it specifically is, but we assume this is because it's just "use secure passwords, and protect your system with a firewall and other security measures", which I think (hope) most of us do anyway.
Here's what the FBI says:
"Early versions of the Asterisk software are known to have a vulnerability," the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. "The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour."
And here's the followup from Digium:
"Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability 'basically allowed you to take over the account of one individual,' he said. 'In the worst possible case, you could make thousands of calls in an hour.'"
"However, the attack described by the FBI would be extremely hard to pull off, Todd said."
And after a discussion on the -users list, here's what people suspect the vulnerability they are referring to is:
So, go patch your systems, or otherwise secure them. Check your logs to make sure that your system hasn't been pwned too.
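Two of the checks the post recommends, written out as an added example (not code from the post, the FBI or Digium): count failed SIP registrations per remote address in Asterisk's log, and flag extensions whose outbound call volume jumps within a single hour. The log lines are constructed in the style of chan_sip's "Registration from ... failed" notices (wording differs between Asterisk versions), the CDR rows are constructed too, and both thresholds are assumptions to tune for your own system.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Asterisk's chan_sip NOTICE messages
# (exact wording varies between Asterisk versions; this is an assumption).
SIP_LOG = """\
[Dec  7 02:10:01] NOTICE[4321] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Dec  7 02:10:02] NOTICE[4321] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Dec  7 02:10:03] NOTICE[4321] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Dec  7 09:30:15] NOTICE[4321] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.44' - Wrong password
"""

# Constructed CDR rows as (start, src extension, dialled number); on a real
# box you would read the start/src/dst columns of cdr_csv's Master.csv.
# Extension 100 places 120 calls inside one hour, extension 200 places one.
CDR_ROWS = [("2008-12-07 02:%02d:%02d" % (i // 60, i % 60), "100", "15550%06d" % i)
            for i in range(120)] + [("2008-12-07 09:05:00", "200", "15551234567")]

REG_FAILED = re.compile(r"Registration from '.*?' failed for '(?P<ip>[\d.]+)'")

def failed_registrations_by_ip(log_text):
    """Count failed SIP registrations per remote address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REG_FAILED.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def registration_guessing_sources(log_text, threshold=3):
    """Addresses that failed to register at least `threshold` times:
    the signature of someone trying to claim one of your extensions."""
    return sorted(ip for ip, n in failed_registrations_by_ip(log_text).items()
                  if n >= threshold)

def outbound_bursts(cdr_rows, max_calls_per_hour=100):
    """(src, hour) pairs whose outbound call count exceeds the threshold,
    the pattern an auto dialer behind a hijacked extension leaves in the CDRs."""
    per_hour = Counter()
    for start, src, _dst in cdr_rows:
        per_hour[(src, start[:13])] += 1   # key on "YYYY-MM-DD HH"
    return {key: n for key, n in per_hour.items() if n > max_calls_per_hour}

if __name__ == "__main__":
    print("registration guessing from:", registration_guessing_sources(SIP_LOG))
    print("outbound bursts:", outbound_bursts(CDR_ROWS))
```

Run it against `/var/log/asterisk/messages` and your CDR export instead of the constructed data; a source address hammering registrations or an extension dialling out far above its normal rate is what to look for.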
Anyone been bitten by this bug? Let us know in the comments!