FBI Vaguely Warns of Asterisk Vishing Vulnerability
coondoggie writes in to let us know about a fraud alert issued by the FBI's Internet Crime Complaint Center, warning that an unspecified bug in unspecified versions of Asterisk IP PBX software could allow criminals to generate "thousands of vishing telephone calls to consumers within one hour." PC World checked with Digium, developer of Asterisk, and found some puzzlement as to what bug the FBI had in mind. "In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system. Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability 'basically allowed you to take over the account of one individual,' he said. ... However, the attack described by the FBI would be extremely hard to pull off, Todd said."

Update: 12/09 02:54 GMT by KD: Digium has put out a statement on the IC3 warning (further details), confirming that what the FBI had in mind was an old bug and difficult in the extreme to exploit.
Vishing = Voice Phishing (Score:5, Informative)
Re:"Digium wasn't certain" (Score:4, Informative)
Might be this (Score:2, Informative)
Back in October, one of our servers was compromised using an SSH vulnerability to gain access to the system. What they did was to install Asterisk on our compromised system, and then try to compromise other Asterisk systems on the network. I am not sure what the actual vulnerability the FBI is talking about is; however, I do know that they were using Asterisk against other PBX systems.
Re:Vampire dictated? (Score:3, Informative)
Re:Vishing = Voice Phishing (Score:1, Informative)
Ask them to mail you a letter stating the prize and reply by certified mail with a return receipt. If you do not receive what they claim, they will be guilty of a felony - mail fraud.