VoIP Attacks: Reverse Vishing, SEO and Phone Number Authentication
Last Updated: 2008-09-08 23:24:46 UTC
by Raul Siles (Version: 2)
At the end of last month we talked about some Vishing enhancements, or how attackers record voice snippets of the target IVR (Interactive Voice Recording) system to provide credibility about their fake environment, something they have been doing for some time and that definitley is going to grow. This is trivial for an attacker, in a similar way it is trivial to duplicate a Web site in a traditional Phising scam (except for the SSL certificate), and it can be easily acomplished by acquiring a SIP number (or set of numbers), an associated VoIP/SIP trunk, and setting up an IVR using an open-source VoIP PBX/server, such as Asterisk. The attacker simply gets the voice recording from the company to impersonate, and setup the recorded files in Asterisk.
Some of the best practices against Vishing attacks suggest the victim to:
- Verify that the number she is calling to belongs to the "calling" company, typically through the company Web page or other printed material, but unfortunately, lot of users are used to check in search engines.
- Directly call the company number instead of trusting a received call ensuring XYZ is calling you with a very important or juicy request, even if the caller ID is the right one.
Websense recently published details about Reverse Vishing attacks in China. These attacks focus on making useless the two previous recommendations by:
- Using search engine optimisation (SEO) poisoning techniques to position the fake phone numbers associated to legitimate organisations on top of search engines.
- Encouraging the victim (through the initial fake e-mail) to call the fake number.
If the victim checks the number through a search engine, the "authentication" is successful :( If the victim is cautious and performs the verification of the number through the company Web page... let's hope the attackers didn't break into the Web server too to subtlely modify this information. I'v not seen this in the wild yet, but with the huge amount of Web vulnerabilities nowadays, keep an eye on this in the future!
When talking about VoIP security (and traditional telephony), any reference to a phone number or the "so many times trusted and easily spoofable" caller ID must be verified and authenticated. With the recent DNS vulnerability this summer, it is mandatory to take a look at the impact on ENUM, the phone number (E.164) to domain names translation protocol (e164.arpa), and add secure capabilities, especially authentication, to it!
Meanwhile, it is recommended to verify and correlate phone numbers (got by e-mail, IM, caller ID...) using different sources: the company Web page, printed material from the company, multiple search engines and specific phone queries (like Google's "phonebook:" operator), and specific phone searching services, like Who Called Us, 800Notes, NumberZoom, Switchboard.com, Whitepages.com, Reversephonedirectory.com, or Phonenumber.com. Unfortunately, most of them mainly apply to the US, so you need to find a similar service for your country.
Raul is author and teaches the SANS VoIP Security course; see you in Dubai and London!
UPDATE: Thanks Dan for the notification about the "vhising" typos; of course, "vishing" is the right term!