Last Friday, the FBI issued a warning about a security vulnerability that could be used by cybercriminals to make vishing telephone scams.
Vishing (combining phishing and voice) uses Voice over IP (VoIP) features to gain access to company information. In this case, the flaw was found in a free and widely used open source toolkit – Asterisk.
According to a posting on the Internet Crime Complaint Center, hackers who gain access and exploit the Asterisk flaw can potentially auto-dial thousands of people in an hour.
Security risk news spreads like wildfire and the FBI vishing warning was no exception — bloggers everywhere began weighing in. It was quickly learned, however, that the security scuttlebutt was actually an old issue.
According to a Digium blog post, the bug was originally found in March (AST-2008-03, a SIP guest permissions problem) and was patched for 1.2 and 1.4 versions of the software (1.6 releases were not vulnerable). The bug did not allow the arbitrary setting of caller ID and would work in only a limited set of circumstances.
It sounds quite similar to the telephone scams already known, no VoIP hacking necessary! The Federal Communications Commission already warns us about everything from the Mexico Collect Call Scam to the 90# Telephone scam.
Just another reminder to keep your information safe by making your passwords safer … and do your homework before going off on new exploits.