Here is an article from earlier in the year on VoIP phishing/vishing. This is a growing issue, especially since it is so easy for the attacker to automatically generate these robocalls to many consumers or enterprise users.
The FTC held a recent summit conference and has created a challenge to the industry to identify solutions to unwanted robocalls. We have all received unwanted voice SPAM, voice phishing/vishing calls, and other types of harassing calls on our mobile phones, home phones, and enterprise desk phones. I included links to several videos on the FTC web site that describe the issue, steps the FTC is taking, along with a discussion of the challenge to industry:
Here is a discussion of a recent voice phishing or vishing attack against hotel guests. It is really more of a social engineering attack, but that's ok. Apparently someone calls into hotels late at night, poses as a hotel employee, and tries to trick guests into disclosing personal information, including name, credit card info, etc.
It doesn't seem like a very effective attack - most guests would be furious that they were woken up.
Check out our webinar on threats to contact centers. Telephony Denial of Service (TDoS), social engineering and fraud, harassing calls, voice SPAM, voice phishing (vishing), and traffic/call pumping are all discussed:
There was a recent post on another blog about different types of phone or toll fraud. I want to make a few comments about call/traffic pumping, which is a relatively new attack that is being seen in IVRs and contact centers.
Call/traffic pumping occurs when the goal of the attacker is to share part of 1-800 revenue. This attack normally targets IVRs/contact centers with 1-800 service. A well designed call pumping attack will spoof the caller ID/ANI for calls, possibly vary the length of calls, and most importantly, stay in an IVR as long as possible. I have seen attacks that loop in the IVR by playing the main menu tone over and over. This could be extended to calls that do the same thing, but use a more randomized pattern that is harder to detect. I have also seen attacks using selected audio, which is also effective, but if the calls last long enough to leave the IVR and are received by agents, they are detected. Of course detection is a lot different than mitigation – the attacks can go on and on, tie up the IVR and agent time. If the attack involves more than a few simultaneous calls, then these negative value calls tie up resources, waste agent time, and create some level of a Telephony Denial of Service (TDoS) condition. If enough calls are generated or target a specific part of an IVR/contact center, then a TDoS condition will definitely occur.
Actual TDoS attacks are really not that much different – it is more of a case of attacker intent and volume of calls.
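To show what detection of the two patterns above looks like in practice, here is an added example (not code from the original post or from SecureLogix) that runs over a constructed call detail record (CDR) sample for a 1-800 IVR. It flags calls that stay in the IVR and never reach an agent, calls that replay the main menu by pressing one key repeatedly, and then computes how many of the flagged calls were up at once, which is the TDoS load they impose. The CDR field layout, the 300-second and 6-keypress thresholds, and all phone numbers are assumptions.

```python
from datetime import datetime, timedelta

# Constructed CDR sample (not real traffic): start, caller ID (ANI), dialed
# 1-800 number, total secs, IVR secs, agent secs, DTMF digits pressed.
SAMPLE_CDRS = """\
2012-09-12T02:00:01 2125550101 8005550199 610 610 0 0000000000
2012-09-12T02:00:05 3105550177 8005550199 725 725 0 0000000000
2012-09-12T02:00:09 4155550142 8005550199 540 540 0 0000000000
2012-09-12T02:01:00 2125550188 8005550199 190 45 145 21
2012-09-12T02:05:00 9725550123 8005550199 30 30 0 0
2012-09-12T02:06:00 2145550166 8005550199 800 800 0 0000000000
"""
IVR_ONLY_SECONDS = 300  # assumed threshold: IVR-only call this long is suspect
LOOP_DIGITS = 6         # assumed: same key this often looks like a menu loop

def parse_cdrs(text):
    calls = []
    for line in text.splitlines():
        if line.strip():
            start, ani, dnis, total, ivr, agent, dtmf = line.split()
            calls.append({"start": datetime.fromisoformat(start), "ani": ani,
                          "dnis": dnis, "total": int(total), "ivr": int(ivr),
                          "agent": int(agent), "dtmf": dtmf})
    return calls

def pumping_reasons(call):
    reasons = []
    # Revenue-share calls try to stay in the IVR and never reach an agent.
    if call["agent"] == 0 and call["ivr"] >= IVR_ONLY_SECONDS:
        reasons.append("long IVR-only call")
    # Pressing one key over and over replays the main menu indefinitely.
    digits = call["dtmf"]
    top = max(digits, key=digits.count) if digits else ""
    if top and digits.count(top) >= LOOP_DIGITS:
        reasons.append("repeated DTMF " + top)
    return reasons

def find_pumping_calls(calls):
    return [c for c in calls if pumping_reasons(c)]

def peak_concurrency(calls):
    # Sweep line over start/hang-up events: max calls active at one instant.
    events = []
    for c in calls:
        events.append((c["start"], 1))
        events.append((c["start"] + timedelta(seconds=c["total"]), -1))
    events.sort()  # at equal timestamps the -1 (hang-up) sorts first
    peak = active = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak
```

In the sample, four calls are flagged and all four overlap at 02:06, so even this small batch is holding four IVR ports for the benefit of nobody; on real CDRs the same two functions can run per 1-800 number and per hour to spot the pattern before agent time is wasted.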
Solving call pumping requires a solution that works with TDM and SIP. Fraud has nothing to do with SIP trunking – the fraud will occur no matter what type of trunking you have. Do you think the attacker cares? No, they just generate calls. Trying to solve fraud with an SBC does nothing for TDM and most SBCs won't detect more sophisticated fraud and call pumping. I recognize that many contact centers have moved or are moving to SIP, but this is a slow process and if you are being attacked, you need a solution now, not in a year or two after you have migrated a large IVR or contact center. For information on solutions, see our website at www.securelogix.com.
While VoIP and UC specific attacks get a lot of media attention and indeed present quite a few vulnerabilities, the real threat lies with voice-application attacks. The means of attack is not an IP scan, malformed packet, or flood of packets; rather, it is malicious calls exchanged between the Public Voice Network and the enterprise. As I have said before, the Public Voice Network has become much more hostile and it is so much easier for attackers to originate inbound malicious call attacks. Also, attacks such as toll fraud, which involve outbound calls, continue to be an issue and are getting worse.
Some of the types of malicious calls and their impact on the network include:
Harassing calls - calls that harass or threaten users, attempt to sell products/services, and trick users into calling a number to gather personal information
Call pumping - artificially drive traffic into 1-800 contact centers to share revenue.
Social engineering/fraud - calls that attempt to trick agents into performing illicit financial transactions
Telephony Denial of Service (TDoS) - so many calls that the target site is overwhelmed and can't process legitimate calls.
Toll Fraud - cause the enterprise financial loss through long distance abuse and toll fraud.
Modem access - either to a key computing resource or outbound to an ISP, creating a backdoor into the enterprise data network.
Some of these issues affect all parts of the enterprise. Certain issues either only affect contact centers or are certainly more acute in contact centers. TDoS is an example of an attack that can affect any part of the enterprise, but is more acute in contact centers because of the value of calls and the ease with which an attacker can set up an attack (all they need is a 1-800 number).
Here is a brief video that describes a Telephony Denial of Service (TDoS) service for hire. The owner shows a rack of centrally managed PCs, each running Skype, used to coordinate an attack on an enterprise, consumer, contact center, etc. This service would certainly overwhelm a consumer and could be used to prevent the consumer from receiving a confirmation call from their bank while an attacker is emptying their bank account. This service could also create a TDoS attack on a small enterprise or contact center.
Hosted IP is a VoIP deployment where the service provider hosts the IP PBX and other voice application servers. The enterprise simply deploys IP phones and softphones. This deployment offers the classic advantages and disadvantages over an enterprise-deployed IP PBX. However, unlike classic Centrex, Hosted IP can be delivered, expanded, and reduced much more quickly and cost effectively.
From a security point of view, Hosted IP offers some advantages because the enterprise does not need to worry about securing the complex IP PBX, its devices, services, and supporting applications. This requires effort and expertise. However, the enterprise should still be concerned about threats such as eavesdropping and possibly malware delivered to softphones from the service provider. Also, the enterprise will now have many connections open to the service provider, which they will need to secure, especially if the Internet is used to deliver the Hosted IP service.
More importantly, the enterprise is just as vulnerable to voice application attacks, such as toll fraud, social engineering, harassing calls, voice SPAM, voice phishing, and TDoS, but now depends upon the service provider to address these threats. I included a figure below to illustrate this:
Below is a recent article talking about voice phishing, also known as vishing. The idea is familiar - the attacker sends an email or call, trying to trick the victim into calling a number, which uses prompts that try to get the user to disclose personal information. I see more and more of these on my personal cell phone - I usually call them back and try to see how clever they are. They really don't have to be that clever - if the email or call mentions an issue with a warranty, traffic ticket, insurance, or the right bank, users will often be tricked into calling back. The attacker just calls a ton of numbers (through cheap VoIP), mentions "Chase" and there is a good chance they will reach a good number of Chase customers...
I will be participating in a NoJitter webinar on October 10th, on the topic of Voice, VoIP, and UC security in contact centers. Many of the security issues I cover in this blog, such as harassing calls, Telephony Denial of Service (TDoS), call pumping, and voice SPAM, are particularly acute in contact centers. Attackers can easily get 1-800 numbers, can make money through call pumping, and can have an incentive to generate TDoS.
Here is a link to the webinar. I hope you can listen in: