FBI Vaguely Warns of Asterisk Vishing Vulnerability 57
coondoggie writes in to let us know about a fraud alert issued by the FBI's Internet Crime Complaint Center, warning that an unspecified bug in unspecified versions of Asterisk IP PBX software could allow criminals to generate "thousands of vishing telephone calls to consumers within one hour." PC World checked with Digium, developer of Asterisk, and found some puzzlement as to what bug the FBI had in mind. "In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system. Digium wasn't certain what vulnerability the FBI was referencing in its advisory. However John Todd, the company's Asterisk open-source community director, believes that it was probably this March bug. That vulnerability 'basically allowed you to take over the account of one individual,' he said. ... However, the attack described by the FBI would be extremely hard to pull off, Todd said." Update: 12/09 02:54 GMT by KD : Digium has put out a statement on the IC3 warning (further details), confirming that what the FBI had in mind was an old bug and difficult in the extreme to exploit.
Social engineering is easier than engineering this (Score:5, Interesting)
Oddly, he had such a long story, and the way he extracted info (aside from his accent) seemed pretty reasonable. I could totally see some fool (my mother) assuming that since the incoming number wasn't a normal one, that only possible explanation was that the government could be calling them.
Strangely, the FBI took my call and I spoke with a detective, however, they were unwilling to work with me to try and catch this guy, because the amount of money he was scamming wasn't high enough; apparently he has to scam $300,000 before they will allocate any resources toward the case!!! It's no wonder there's such a problem with this type of scamming.
Re:Social engineering is easier than engineering t (Score:3, Interesting)
Strangely, the FBI took my call and I spoke with a detective, however, they were unwilling to work with me to try and catch this guy, because the amount of money he was scamming wasn't high enough; apparently he has to scam $300,000 before they will allocate any resources toward the case!!!
A minimum scam of $300,000 before the FBI gets involved is +1, Informative, right there. Further to that, any pretense that the cops have about "Crime doesn't pay" is busted right there. Not that I believed them prior to this, but, by itself, that pretty much proves itself right there. Assuming a smart criminal (ok, that's a stretch), you could go out, scam $290,000, and fly under the FBI's radar. That's approximately equivalent to $400,000 at approximately a 25% income tax rate (assuming you don't file with the IRS). If you then lived off that at the median income rate (according to Wikipedia [wikipedia.org], that's about $50k for a household, before taxes), which means you're doing reasonably well for yourself, until it ran out, you'd be living off the scam for about 8 years before having to do it all over again. The statute of limitations would likely kick in, and you could do it all over again.
Sounds like crime pays to me...
Re:Vishing = Voice Phishing (Score:4, Interesting)
This problem is that most people of average intelligence and not wealthy are ready and willing to be taken in by almost any sales approach. Trying to outlaw "deceptive marketing" to these people would mean you couldn't sell them a newspaper subscription.
There are some organizations that go out of their way to mislead people, but most people are very willing to be misled all by themselves and even encourage it. So is it worth trying to explain to someone that if all they want is the Sunday paper that it is actually cheaper to get the whole week's papers because that is how it is sold? Is it really deceptive to give the person what they think they want, regardless that it costs more? Lots of folks would say selling someone what they want when it is more expensive than some alternative is indeed "deceptive". With this in mind, I'd say you would have to get rid of all sales, marketing and advertising to avoid "deceiving" most people of average intelligence.
Re:Social engineering is easier than engineering t (Score:2, Interesting)
We are always on our * console so it was shut down immediately. We called the a$$hole back too and listened to him sweat while driving in traffic. Still, weird stuff... I was considering filing an FBI report, but your experience is not very encouraging.
Re:Social engineering is easier than engineering t (Score:1, Interesting)
it rises on a yearly basis it seems. just 4 years ago it was $50,000, two years ago it was $100,000.
And even then, that's not necessarily true. I work for a payroll company, we basically handle the direct deposits. Some scammers are very good and manage to take some of the more idiotic sales guys for millions and we still have issues getting feds involved.
Works something like this, they create a fake company with several other guys who are in on it, rent a building for a few days, put on a show for the sales guys, start moving money, act like they're growing, and after 6-7 months, or longer, are moving millions. The only catch is that the money isn't always paid to the payroll company before cash is deposited into employee's bank accounts, and bam! they take off with it.
I know, always make sure they get the money first, etc. but with long standing customers they want to keep relations and money taking a day to clear banks usually isn't an issue. Biggest take was about 2.5mil from a scammer who was using us for about 3 years. How he got the money to fund that in the meantime, I don't know, but boy is he rich now.