The FBI has identified a new technique used to conduct "vishing"
attacks, in which criminals exploit a known security vulnerability
in the Asterisk telephony software.
Asterisk is free, widely used open-source software that implements
a Private Branch Exchange (PBX) and connects it to voice over
internet protocol (VoIP) calling services.
However, early, unpatched versions of Asterisk contain a
vulnerability that cyber criminals can exploit to turn the system
into an auto-dialler, generating thousands of vishing telephone
calls to consumers within an hour.
Vishing is the voice-call equivalent of e-mail phishing: the
attacker impersonates a trusted party in order to extract
information, but does so over the telephone rather than by e-mail
or the web.
Digium, the original creator and primary developer of Asterisk,
released a security advisory (AST-2008-003) in March 2008 which
contains the information users need to configure their systems,
patch the software, or upgrade it to protect against the reported
vulnerability.
If consumers and firms fall victim to this exploit, their
personally identifiable information (PII) will be compromised, the
FBI said. To prevent further loss of PII and to reduce the spread of
this technique, the FBI said it is imperative that businesses
running Asterisk check their installed version against the advisory
and upgrade to a version in which the vulnerability has been fixed.
In addition, consumers should not release personal information
in response to unsolicited telephone calls. "Providing your PII
will compromise your identity," the FBI said.
"As with all types of scams, whether by computer, phone or mail,
using common sense can protect you," said special agent Richard
Kolko, chief of the national press office in Washington DC.