Criminals Auto-Dialing With Hacked VoIP Systems - FBI
Posted By AVAD Business Editor on 6-06-09
Criminals are exploiting a vulnerability in Asterisk, the open-source Voice over IP telephone system, to place thousands of scam phone calls an hour through an unsuspecting business's telephone system, the U.S. Federal Bureau of Investigation warned Friday.
The FBI did not say which versions of Asterisk are vulnerable to the attack, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source system that turns a Linux computer into a business VoIP telephone system.
In a typical vishing attack, scammers compromise a business VoIP system running on Asterisk and set up a phony call center, then use phishing e-mails to trick victims (the business's customers) into calling that center in the belief that they are calling a legitimate company. Once connected, callers are prompted to give up private information such as banking and credit card user names and passwords. In the scam described by the FBI, however, the criminals are apparently taking over legitimate Asterisk systems in order to dial victims directly.
"Early versions of Asterisk software are known to have several vulnerabilities," the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. "The vulnerability has been exploited by a number of cyber criminals to use the system as an auto-dialer, generating thousands of vishing telephone calls to consumers within one hour." This has done serious harm to several companies whose customers were scammed by cyber criminals with access to a legitimate company's database.
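The following is an added example and is not part of the FBI advisory or the original article. It shows the kind of check a PBX administrator could run over Asterisk's own call detail records (the Master.csv file written by the cdr_csv module) to catch the auto-dialer pattern the advisory describes: one source placing hundreds of short outbound calls to distinct numbers within an hour. The call records it analyses are constructed for the example; the assumption that outbound calls leave on a channel named SIP/trunk-... and the threshold of 100 calls per hour are illustrative and would be tuned to the site.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Column order of Asterisk's Master.csv as written by the cdr_csv module.
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]


def parse_cdr(text):
    """Parse Master.csv text into dicts. Malformed records are skipped, not trusted."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(CDR_FIELDS):
            continue
        row = dict(zip(CDR_FIELDS, rec))
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["billsec"] = int(row["billsec"])
        rows.append(row)
    return rows


def is_outbound(row):
    # Assumption for this example: calls to the PSTN leave on a channel named SIP/trunk-...
    return row["lastapp"] == "Dial" and row["dstchannel"].startswith("SIP/trunk")


def find_autodial_bursts(rows, window=timedelta(hours=1), max_calls=100, short_call_sec=15):
    """Sliding-window rate check per source extension.

    Returns {src: {...}} for every src that placed more than max_calls outbound
    calls inside any window of length `window`. Each record keeps the peak count,
    the window start, how many distinct numbers were dialled and what share of
    the calls were shorter than short_call_sec (a recorded vishing prompt is short).
    """
    recent = defaultdict(deque)   # src -> outbound CDRs whose start lies in the current window
    alerts = {}
    for row in sorted(rows, key=lambda r: r["start"]):
        if not is_outbound(row):
            continue
        src, t = row["src"], row["start"]
        q = recent[src]
        q.append(row)
        while t - q[0]["start"] > window:   # drop calls that fell out of the window
            q.popleft()
        if len(q) > max_calls and len(q) > alerts.get(src, {}).get("peak_calls", 0):
            short = sum(1 for r in q if r["billsec"] < short_call_sec)
            alerts[src] = {
                "peak_calls": len(q),
                "window_start": q[0]["start"],
                "distinct_dst": len({r["dst"] for r in q}),
                "short_ratio": round(short / len(q), 2),
            }
    return alerts


def make_record(seq, src, dst, start, billsec):
    """One constructed Master.csv record in cdr_csv column order (not real traffic)."""
    answer = start + timedelta(seconds=5)
    end = answer + timedelta(seconds=billsec)
    fmt = "%Y-%m-%d %H:%M:%S"
    return ["", src, dst, "from-internal", f'"{src}" <{src}>', f"SIP/{src}-{seq:08x}",
            f"SIP/trunk-{seq + 1:08x}", "Dial", f"SIP/trunk/{dst},30",
            start.strftime(fmt), answer.strftime(fmt), end.strftime(fmt),
            str(billsec + 5), str(billsec), "ANSWERED", "3", f"1244192400.{seq}", ""]


def build_sample_cdr():
    """Constructed sample log: normal office traffic plus one hijacked extension."""
    base = datetime(2009, 6, 5, 9, 0, 0)
    records = []
    # Extension 1001: a call every two minutes for three hours, 2 to 4 minutes each.
    for i in range(90):
        records.append(make_record(len(records), "1001", f"1555200{i:04d}",
                                   base + timedelta(minutes=2 * i), 120 + 60 * (i % 3)))
    # Extension 1005 abused as an auto-dialer: 150 calls in 45 minutes, 12 s each,
    # every one to a different consumer number.
    for i in range(150):
        records.append(make_record(len(records), "1005", f"1555300{i:04d}",
                                   base + timedelta(seconds=18 * i), 12))
    buf = io.StringIO()
    csv.writer(buf).writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    for src, info in find_autodial_bursts(parse_cdr(build_sample_cdr())).items():
        print(f"extension {src}: {info['peak_calls']} outbound calls from {info['window_start']}, "
              f"{info['distinct_dst']} distinct numbers, {info['short_ratio']:.0%} under 15 s")
```

On the constructed data only extension 1005 is reported: 150 calls in under an hour, all to different numbers and all shorter than 15 seconds, while extension 1001's steady 31 calls per hour stays under the threshold. The rate, the spread of destinations and the short call length are each weak signals alone; together they separate a dialer playing a recorded prompt from a busy sales desk. Running such a check over the CDR file on a schedule, or feeding the same thresholds into per-peer call limits, gives a business a way to notice abuse long before the phone bill arrives.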
The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in it over that time. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.
Digium representatives were not immediately available to comment for this story.