FBI Vaguely Warns of Asterisk Vishing Vulnerability
coondoggie writes in to let us know about a fraud alert issued by the FBI's Internet Crime Complaint Center, warning that an unspecified bug in unspecified versions of Asterisk IP PBX software could allow criminals to generate "thousands of vishing telephone calls to consumers within one hour." PC World checked with Digium, developer of Asterisk, and found some puzzlement as to what bug the FBI had in mind. "In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system. Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability 'basically allowed you to take over the account of one individual,' he said. ... However, the attack described by the FBI would be extremely hard to pull off, Todd said."
Update: 12/09 02:54 GMT by KD: Digium has put out a statement on the IC3 warning (further details), confirming that what the FBI had in mind was an old bug and difficult in the extreme to exploit.
Can you hear me now? (Score:3, Insightful)
Hello? Hello? May I speak to my friend the honorable Mr. JohnSmith@bigcompany.com, President?
I am Mr. Dramane Yadi, I work in the Accounts/ Operations Department of a Prime banks here in Abidjan Cote D'Ivoire. I actually have an urgent and very confidential business proposal for you. I got your contact from Internet and decided to contact you immediately.
*CLICK**DIALTONE*
Hello? Hello? Can you hear me now?
"Digium wasn't certain" (Score:4, Insightful)
...what vulnerability the FBI was referencing.
Nice. How many do they have?
Re:asterisk phishing? (Score:4, Insightful)
Re:Vishing = Voice Phishing (Score:5, Insightful)
Actually, I thought the use of the phrase "vishing telephone calls", while technically redundant, also served to beautifully highlight what a stupid term "vishing" is.
How exactly is "vishing" different than those idiots who called the other day to tell me I'd won an all expense paid trip to Bermuda, only they needed my credit card information to make the reservations?