Making a PBX 'botnet' out of Skype or Google Voice?
Flaws in popular Internet-based
telephony systems could be exploited to create a network of hacked
phone accounts, somewhat like the botnets that have been wreaking havoc
with PCs for the past few years.
Researchers at Secure Science recently discovered ways to make
unauthorized calls from both Skype and the new Google Voice
communications systems, according to Lance James, the company's
cofounder.
An attacker could gain access to accounts using techniques discovered
by the researchers, then use a low-cost PBX (private branch exchange)
program to make thousands of calls through those accounts.
The calls would be virtually untraceable, so attackers could set up
automated messaging systems to try and steal sensitive information from
victims, an attack known as vishing. The calls might be a recorded
message asking the recipient to update their bank account details, for
example.
"If I steal a bunch of [Skype accounts], I can set up [a PBX] to
round-robin all those numbers, and I can set up a virtual Skype botnet
to make outbound calls. It would be hell on wheels for a phisher and it
would be a hell of an attack for Skype," James said.
In Google Voice, the attacker could even intercept or snoop on incoming
calls, James said. To intercept a call, the attacker would use a
feature called Temporary Call Forwarding to add another number to the
account, then use free software such as Asterisk to answer the call
before the victim ever heard a ring. By then pressing the star symbol,
the call could then be forwarded to the victim's phone, giving the
attacker a way to listen in on the call.
Secure Science researchers were able to access accounts they had set up using an online service called spoofcard, which allows users to make it appear as though they are calling from any number they wish.
Spoofcard has been used in the past to access voicemail accounts. Most
famously, it was blamed when actress Lindsay Lohan's BlackBerry account
was hacked three years ago and then used to send inappropriate messages.
The attacks on Google Voice and Skype use different techniques, but
essentially they both work because neither service requires a password
to access its voicemail system.
For the Skype attack
to work, the victim would have to be tricked into visiting a malicious
Web site within 30 minutes of being logged into Skype. In the Google Voice attack
(pdf), the hacker would first need to know the victim's phone number,
but Secure Science has devised a way to figure this out using Google
Voice's Short Message Service (SMS).
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Skype
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
