Wednesday, January 21, 2009

Phone phreaks are now using call forwarding features to make free phonecalls!

Actually, they have been doing that for quite a while; say a couple of years. Yet it still works, and we only hear about it when some organization is hit with a hefty phone bill because their PBX server has been abused.

The West Australian is running a feature article on various (undisclosed) cases where PBX systems, some traditional while others are IP-based (and exposed on the Internet) were abused to make phonecalls to foreign countries.

While looking for more information, an article from 2005 showed up which describes what happened to a couple of organizations (hospitals and businesses). The telco companies tend to ask the victim organizations to pay up the phone bill for calls that the phone phreaks made.

But now things are moving more towards the Internet, where attackers can be anywhere in the world and the cost of a packet is much less than that of a phonecall!

Tuesday, January 6, 2009

VOIPPACK released

Yep its out! Check out the announcement on EnableSecurity. For more information about VOIPPACK refer to the products page.

This video is a demo of sipautohack in action (looks and sounds better than the previous):

Demonstrating sipautohack from Sandro Gauci on Vimeo.

VOIP Scanning on the increase

Various service providers and vendors have noticed an increase in VoIP scanning traffic. Arbor Networks mentioned VoIP attacks as one of their increasing concerns. A Norwegian honeynet detected various INVITE requests trying to get VoIP systems on the internet to dial specific numbers. This scan is for open VOIP relays. VoIP attacks are nothing new really and some people in the telco-fraud business seem to have been around for quite a while. What is new is that they are getting detected more and more (and I'm getting more emails about this) which probably means that the scans are on the increase.

Some traffic is borne from custom tools, probably designed from stage one to conduct fraud. Other traffic is generated by publicly available tools such as SIPVicious. My suggestion is to scan your network with SIPVicious, remove any SIP devices that should not be exposed to the internet. If the VoIP system needs to be exposed, at least make sure the the user extension passwords are not predictable (use svcrack to test this).

Here's some blogs and articles that mentioned SIPVicious scans:
If you came across any such scans or related stories drop me an email.