Crooks Deliver Call Blizzards Via a Bug in Asterisk

by Sam Dean - Dec. 08, 2008

How would you like to be on the receiving end of thousands of scam phone calls in an hour? In an auto-dialing nightmare, that's exactly what's happening thanks to a bug in an older version of Digium's Asterisk open source VoIP (voice-over-IP) software. The FBI has warned users of Asterisk to upgrade to the most current version, although it has not specified which version has the bug.

Asterisk is one of the more mature open source VoIP platforms, and its parent company Digium has continued to build a commercial business on it even as it has improved the open source release, as we wrote about here. Quite a few businesses still run older versions of Asterisk, though, and that is the problem according to this advisory from the FBI:

"The FBI has received information concerning a new technique used to conduct vishing attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBX systems with Voice over Internet Protocol (VoIP), digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour."

The term vishing normally refers to scammers setting up fake call centers, duping people into calling them, and then fleecing personal information from them. In the new twist on the concept, attackers are taking command of vulnerable Asterisk installations and using them to dial out in blizzards of calls, so the victim PBX (and its owner's phone bill and caller ID) does the work for them.
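The advisory does not name the affected version, so the one check any Asterisk operator can run today is on the symptom it describes: thousands of outbound calls from one source inside an hour. The script below is an added example written for this post; it is not code from the article, the FBI or Digium. It parses records in the default layout of Asterisk's CDR file (cdr-csv/Master.csv, 18 quoted fields) and flags any source that exceeds a per-hour threshold in a sliding window. The 50-calls-per-hour threshold, the source numbers and the sample records are constructed assumptions for illustration.

```python
"""Rate-based detector for an Asterisk box being abused as an auto-dialer.

Added example, not part of the OStatic article or of Asterisk itself.
Parses Asterisk's default Master.csv CDR layout and reports any source
that places more than `threshold` calls in any sliding window of `window`.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Field order of Asterisk's default cdr-csv/Master.csv (18 columns).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]


def parse_cdr(text):
    """Yield one dict per CDR record; rows with too few fields are skipped."""
    for row in csv.reader(StringIO(text)):
        if len(row) < len(CDR_FIELDS):
            continue
        rec = dict(zip(CDR_FIELDS, row))
        rec["start_ts"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_call_storms(records, threshold=50, window=timedelta(hours=1)):
    """Return {src: peak_calls_in_window} for every source whose call rate
    exceeds `threshold` inside some window of length `window`.
    Records may arrive unsorted; each source is sorted independently."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec["start_ts"])
    storms = {}
    for src, times in by_src.items():
        times.sort()
        recent = deque()          # call starts inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while recent and t - recent[0] >= window:
                recent.popleft()  # drop calls that fell out of the window
            peak = max(peak, len(recent))
        if peak > threshold:
            storms[src] = peak
    return storms


def build_sample_cdr():
    """Constructed sample CDR text (not real traffic): extension 1001 makes
    a normal call every two hours, while source 9999 fires a call every
    15 seconds for half an hour, the pattern the advisory describes."""
    base = datetime(2008, 12, 8, 9, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []

    def record(idx, src, dst, start, secs):
        end = start + timedelta(seconds=secs)
        return (f'"","{src}","{dst}","from-internal","{src}",'
                f'"SIP/{src}-{idx:08x}","SIP/trunk-{idx + 1:08x}","Dial",'
                f'"SIP/trunk/{dst}","{start:{fmt}}","{start:{fmt}}",'
                f'"{end:{fmt}}","{secs}","{secs}","ANSWERED","3",'
                f'"{1228726800 + idx}.{idx}",""')

    for i in range(5):
        lines.append(record(i, "1001", "15551230100",
                            base + timedelta(hours=2 * i), 90))
    for i in range(120):
        lines.append(record(100 + i, "9999", f"1555123{i:04d}",
                            base + timedelta(seconds=15 * i), 20))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    storms = find_call_storms(parse_cdr(build_sample_cdr()))
    for src, peak in storms.items():
        print(f"ALERT: source {src} placed {peak} calls within one hour")
```

Run it against a real Master.csv by feeding the file contents to parse_cdr instead of build_sample_cdr; keying on src is an assumption, and on a box where guest calls arrive with forged caller ID you would key on the channel or accountcode field instead. A threshold is only a heuristic: a legitimate call center may exceed it, so tune it to your own baseline before acting on alerts.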

Asterisk has been around for nearly a decade, and gets its bugs patched fairly regularly. In this case, though, anyone running an older version would be wise to upgrade, and since the advisory does not say which releases are affected, "older" should be read as anything behind the current release.

2 Comments

That's just great! Now we can have bots using tech to overwhelm our already creaking phone systems... The question is that if these systems were VoIP, the IP pieces should have been able to track unregistered traffic coming to the devices anyway. The whole idea behind VOIP was to allow the management to be dramatically simplified. Guess that is not the case.


0 Votes

Time to get to work on my upgrades now. This is very strange, I hope they finally say which version it is...


0 Votes