Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1389419
  • 博文数量: 140
  • 博客积分: 8518
  • 博客等级: 中将
  • 技术积分: 1822
  • 用 户 组: 普通用户
  • 注册时间: 2005-03-01 22:23
个人简介

嘿嘿!

文章分类
文章存档

2016年(2)

2015年(5)

2014年(6)

2013年(11)

2012年(11)

2011年(3)

2010年(4)

2009年(4)

2008年(8)

2007年(23)

2006年(26)

2005年(37)

分类: 网络与安全

2006-08-09 16:00:21

Possibly the most disturbing news out of the Black Hat security conference last week was how Asterisk, the open source PBX, is being increasingly used by hackers in a wide variety of hard-to-stop VoIP hacks. Everyone, from home users to corporate networks, could become a target.

 

Talks at the show explained just how easily an Asterisk-based PBX can be used to launch attacks, notably "vishing" attacks, in which hackers use VoIP calls instead of phony Web links to steal personal and financial information.

Asterisk has become the hacker's favored tool because it's free, easy to use, and works with cheap, off-the-shelf hardware. Install Asterisk on an inexpensive PC, do a little tweaking, and you've got a full-blown PBX, something that previously would have been extremely expensive and time-consuming to do.

A vishing attack is simple to launch using Asterisk. War-dial using an Asterisk-based PBX, and send a recorded message to thousands of people, telling them their credit card number has been stolen, and that they need to call a phone number to solve the problem.

The number, of course, is the Asterisk-based PBX set up by the hacker. An automated message tells them to enter their credit card number and other personal information, for verification purposes. The PBX records the number and information, and the hacker now has a credit card to use.

Other hacks can be launched from Asterisk as well. There's the "man-in-the-middle" attack, in which a PBX-initiated call lures someone into calling a bank, credit card company, or other financial institution. The PBX answers, and forwards the caller to the real customer service number --- and then listens in and records the entire call. Again, the hacker comes away with personal and financial information he can use.

The upshot? Just as you shouldn't trust any unsolicited email, you also shouldn't trust any unsolicited phone calls. Asterisk-based vishing and similar attacks make fraud too easy these days.

看来Asterisk已经开始受到关注了。挺有意思的!
阅读(2186) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~