There have been several articles about a bust of at least 70 people in India who are behind some of the IRS phone scam calls. We have been working with the IRS/TIGTA, the FTC, and DHS CSD on this issue, so it is good to see that at least one of the fraud rings has been busted. Hopefully this will result in at least a temporary reduction in this scam.
Here are articles from the Wall Street Journal and CNN. You can find several more:
A new Internet-based tool is available now to simplify making calls with a spoofed calling number. The main difference with this tool is that it only accepts Bitcoin, so it is more anonymous. It certainly lowers the bar and provides another tool for those performing social engineering. I included a few links below the image with more information.
Check out the following article. It states that over 200,000 voice phishing/vishing calls into Korea from other countries were blocked in January and February. Some additional statistics are given as well that break the calls down by type, bank, etc. Most of them are imitating Korean banks. Unfortunately, there isn't any information about how these calls are blocked, presumably by Korean service providers.
It seems like US-based service providers could do the same thing: block international calls claiming to be from US-based financial institutions. This isn't trivial though; you need technology at the right location in your network, and managing blacklists of numbers takes a ton of work (I know, we do it too).
Here is an interesting report on a variety of fraud issues. One thing that struck me is that voice has become the preferred channel for fraud: voice SPAM, scams, vishing, social engineering into contact centers, etc. Voice used to be the most trusted communications medium, but now it has become the LEAST trusted. Public voice has a ton of issues; is it any wonder that users are moving to closed systems for voice and messaging?
There has been quite a bit of press about a voice phishing/vishing scheme in the UK that has netted the crooks some £7,000,000. Whether this is one attack or several isn't clear, but it should be no surprise that using robocalls and then "vishing" information out of individuals is a very effective attack.
The attacker uses robocalls to call and leave messages on landlines, smartphones, and enterprise desk sets. The attacker simply picks numbers and leaves a message purporting to be from a well-known financial enterprise, such as a top 5 bank. Odds are that if they call 10,000 numbers, a good percentage of the targets will just happen to bank with that institution. While people have grown distrustful of phishing email, they tend to trust voice calls a little more.
Individuals call back, usually to a 1-800 number, and reach an IVR that requests some sort of personal information, such as a credit card number and PIN. Once the attacker has that information, they are good to go.
Here are a couple of links. You can find quite a few more.
I just finished a chapter in my upcoming book, Hacking Exposed: VoIP and UC, on Social Engineering and Voice Phishing. The attacks are focused around gathering Personal Information (PI) and using it to enact illicit financial transactions. I will provide a more detailed post in the future. In the meantime, here is a recent article on the subject. I will also be adding a bunch of articles to my list on this topic:
Collaboration Security, Mark Collier, robocalls, SecureLogix, TDoS, Telephony Denial of Service
Harassing calls, UC Security, Unified Communications Security, Voice Over IP Security, Voice Security, VoIP Security
SecureLogix just released our 2013 Voice and Unified Communications State of Security Report. Rod Wallace and I authored the report. The report covers the most significant voice and UC threats. It describes the threats and why they have recently become, and continue to become, more severe. The report is also unique in that it presents real-world data collected from several hundred assessments and managed service engagements, using our technology, on enterprise voice and UC networks. We present trending data and sanitized attack examples for each threat.
Here is a link to the report. Please give it a read and let me know what you think:
Check out our webinar on threats to contact centers. Telephony Denial of Service (TDoS), social engineering and fraud, harassing calls, voice SPAM, voice phishing (vishing), and traffic/call pumping are all discussed:
a number of reports and surveys on general data security. These are good reports,
but only mention voice, VoIP, and UC security in passing. I believe this is
because UC security, viewed as a data-only security issue, hasn't really
developed yet. These data-oriented reports don't focus on the application-level
issues that affect UC networks (harassing calls, toll fraud, social
engineering, TDoS, etc.).
reports are based on surveys. The report we generated is based upon data from
hundreds of UC security deployments. The report includes 3 major sections:
Threat overview – where the threat is now and why
it is getting worse.
Threat taxonomy – provides a simplified taxonomy of
the key (less than 10) threats.
Real-world data – data and information that backs
up our threat assessment.
We also make predictions of where the threats are
Voice network security has been an issue for years for
enterprises, with voice application threats such as toll fraud, social
engineering, harassing calls, and modem abuse posing the largest threats.
However, with the proliferation of VoIP/UC in both the service provider and
enterprise networks, the threat to voice networks has dramatically increased.
This is not because VoIP itself is being attacked through packet
vulnerabilities, but rather that VoIP creates many new vectors of attack and makes
the overall voice network more vulnerable and hostile. Attackers do not target
VoIP per se; they leverage VoIP to perform the same voice application attacks
they have been perpetrating for years. Even the PSTN, which used to be mostly a
closed network, has become much more hostile due to the proliferation of VoIP
call origination: it is increasingly resembling the Internet from a security
standpoint. Also, social networking sites such as Facebook and Twitter are
being used to organize mass calling campaigns, creating a new method of
generating harassing calls or even Denial of Service (DoS) attacks.
The following diagram illustrates several concepts,
including how campus/internal VoIP has changed (and not changed) the voice
network threat level.
This diagram and the two that follow use a
simplified enterprise voice network to illustrate several concepts. In this
voice network, the IP PBX is shown as a collection of servers providing various
functions. This is typical of a modern IP PBX, which uses many different
devices to provide different services. A large enterprise often duplicates this
configuration for each site, likely using equipment from multiple vendors. The
diagram also shows different user devices, such as IP phones, softphones on the
data VLAN, fax machines, modems, and legacy phones.
Internal/Campus VoIP systems are complex and
involve many servers and components. A typical IP PBX has many devices and many
protocols that are exchanged over the internal network. Large enterprises have
many separate systems, configurations, and equipment from multiple vendors.
These systems offer many operating systems, network stacks, applications,
protocols, and configurations to attack. The primary threats to these systems are
different forms of Denial of Service (DoS) and eavesdropping.
The major IP PBX and VoIP vendors are progressively
doing a better job of securing their systems, including improving default
configurations and offering security features, such as encryption. However,
security is often not the primary consideration during deployment of new voice
network systems, and quite a few vulnerabilities exist. This is especially true
for critical devices, such as call control, media gateway, and support servers.
It is also particularly true for highly critical voice applications, such as
Internal VoIP vulnerabilities are similar to those
in other critical internal enterprise applications. Different forms of DoS and
eavesdropping represent the greatest vulnerabilities. An attacker with internal
network access and the right motivation and tools can attack these devices.
However, if an attacker has internal access to a corporate network, broader
security issues are present than just voice security. The good news, and this
is very important, is that other than disruption and selected eavesdropping
scenarios, no significant financial incentive exists to exploit these internal
vulnerabilities. Virtually no publicized, real-world attacks have occurred on
internal/campus VoIP networks. SecureLogix has conducted numerous
internal/campus VoIP network assessments and identified only a few actual
attacks, and these focused on an existing voice application attack not unique
to VoIP—toll fraud. SecureLogix recommends that enterprises always follow good
data networking security practices when deploying internal/campus VoIP systems.
These best practices include defining a corporate security policy, prioritizing
network security, securing critical servers, and using the security features each
vendor provides. However, the threat level does not justify deployment of
specialized VoIP security devices to secure the internal/campus VoIP network.
As shown in the diagram above, the connection to
the service provider is still TDM in the majority of enterprises. The IP PBX
uses an integrated or separate device that provides the media gateway function.
The diagram also shows the Public Voice Network, which is an evolution of the
PSTN, where much of the call origination and transport uses VoIP. The real
threat lies in the connection to the Public Voice Network. Attackers do not
attack VoIP itself; rather, they attack the voice application and network,
often using VoIP to enable, simplify, and/or reduce the cost of the attack. The
real threats to voice networks are the types of attacks that are always present
at the voice application layer, whether the underlying network is legacy TDM,
VoIP, or a combination. Attackers exploit voice networks for a reason, such as
stealing usage, engaging in social engineering, harassing users, instigating disruption,
and making money. They do not care what the transport technology is, unless, of
course, VoIP makes it easier to execute the attacks.
As shown in the above diagram, the major threats to
enterprise voice networks are toll fraud, social engineering, and modems. These
threats have been high for years, and VoIP availability is either making them
worse or keeping them constant. Threats such as harassing calls and Telephony
DoS (TDoS) have historically been a medium threat but, as described in
subsequent sections, are getting worse.
The diagram above shows a voice firewall on the
connections to the Public Voice Network, because that is the best practice for
dealing with the most critical threats. The diagram also shows attackers lurking
on both the internal network and in the Public Voice Network.
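Two of the passages above describe the same control from different angles: the Korean post suggests that a carrier (or enterprise) could block international calls that present the number of a domestic financial institution, and the report diagram places a voice firewall at the connection to the Public Voice Network to deal with the application-layer threats (spoofed calls, robocall bursts, TDoS). The following is an added, toy illustration of that policy logic, written for this page; it is not SecureLogix code and does not reflect any vendor's product. The CDR line format, the trunk labels, the protected-number list, the sample records and the rate-limit thresholds are all constructed assumptions; a real voice firewall would take these from the signalling (SIP or ISDN) and from its own configuration.

```python
"""Toy voice-firewall policy evaluated over call detail records (CDRs)
arriving at the enterprise edge. Two rules are applied per call:

  1. A calling number belonging to a protected *domestic* institution that
     arrives on an *international* trunk cannot be legitimate, so it is
     blocked as caller-ID spoofing (the Korean blocking idea).
  2. More than MAX_CALLS calls from one calling number inside WINDOW is
     flagged as a robocall/TDoS burst for rate limiting.

Everything here (CDR format, trunk names, numbers, thresholds) is a
constructed assumption for illustration, not data from the page.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical domestic financial-institution numbers (E.164) to protect.
PROTECTED_DOMESTIC_NUMBERS = {"+18005550100", "+18005550199"}

# Hypothetical burst threshold: >5 calls from one number in 60 seconds.
WINDOW = timedelta(seconds=60)
MAX_CALLS = 5


@dataclass
class CallRecord:
    timestamp: datetime
    calling: str   # calling number as presented by the far end
    called: str    # enterprise number dialled
    trunk: str     # "international", "domestic" or "internal"


class VoiceFirewall:
    def __init__(self):
        # calling number -> timestamps of recent calls (sliding window)
        self._recent = defaultdict(deque)

    def evaluate(self, rec):
        """Return (decision, reason) for one call; decision is ALLOW, BLOCK or FLAG."""
        # Rule 1: protected domestic number presented over an international trunk.
        if rec.trunk == "international" and rec.calling in PROTECTED_DOMESTIC_NUMBERS:
            return "BLOCK", "protected domestic number presented on international trunk"

        # Rule 2: sliding-window burst detection per calling number.
        window = self._recent[rec.calling]
        window.append(rec.timestamp)
        while window and rec.timestamp - window[0] > WINDOW:
            window.popleft()
        if len(window) > MAX_CALLS:
            return "FLAG", f"{len(window)} calls in {WINDOW.seconds}s from {rec.calling}"

        return "ALLOW", ""


def parse_cdr(line):
    """Parse a constructed CDR line: 'ISO-timestamp,calling,called,trunk'."""
    ts, calling, called, trunk = line.strip().split(",")
    return CallRecord(datetime.fromisoformat(ts), calling, called, trunk)


# Constructed sample CDRs: one spoofed bank number over an international
# trunk, the same number legitimately over a domestic trunk, a six-call burst
# from one foreign number to the contact centre, then one call after the
# window has expired.
SAMPLE_CDRS = [
    "2013-05-01T09:00:00,+18005550100,+12105550123,international",
    "2013-05-01T09:00:05,+18005550100,+12105550123,domestic",
    "2013-05-01T09:00:10,+442079460000,+12105550150,international",
    "2013-05-01T09:00:15,+442079460000,+12105550150,international",
    "2013-05-01T09:00:20,+442079460000,+12105550150,international",
    "2013-05-01T09:00:25,+442079460000,+12105550150,international",
    "2013-05-01T09:00:30,+442079460000,+12105550150,international",
    "2013-05-01T09:00:35,+442079460000,+12105550150,international",
    "2013-05-01T09:02:00,+442079460000,+12105550150,international",
]


def run_policy(lines):
    """Evaluate CDR lines in order; returns a list of (calling, decision, reason)."""
    fw = VoiceFirewall()
    return [(rec.calling, *fw.evaluate(rec)) for rec in map(parse_cdr, lines)]


if __name__ == "__main__":
    for calling, decision, reason in run_policy(SAMPLE_CDRS):
        print(f"{decision:5s} {calling} {reason}")
```

The first rule needs nothing more than knowing which trunk a call arrived on, which is exactly the "technology at the right location in your network" point made above: the decision is only possible at the ingress from the Public Voice Network, not deeper inside the IP PBX. The second rule is deliberately simple; production TDoS handling would also look at call duration, answer state and the called number (a contact-center queue versus a random extension).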