[Dshield] Thoughts on article - 'Phishers try a phone hook'
cef at optus.net
Sat Apr 29 07:27:03 GMT 2006
On Saturday 29 April 2006 02:46, Neil Richardson wrote:
> From the little I understand about such technologies, I'd assume that
> such a system could be set up (on the low-end) using one of the
> open-source PBX systems and a couple of phone lines (although couldn't
> the phone number be traced back to the owner?) so the story seems
> plausible, but before I start alerting my friends/family/co-workers I
> wanted to find out what you guys think: is this an urban myth, a
> possible-but-unlikely threat, or something we need to actively
> watch from now on?

VMBs (Voice Mail Boxes) have been used for a LONG time (since the 1980s,
possibly earlier) to trade information without direct calling (like credit
card numbers or crack/hack details and techniques). Most of these were
corporate systems that had unused mailboxes with easy-to-crack or default PIN
numbers. Of course, the only way you notice is if you monitor the system
usage and see stuff out of the ordinary, but many people running such systems
didn't notice any problems, or ignored the activity as it wasn't personally

Given the increasing use of computers in PBXs, it's not hard to imagine that
if you can get administrative access across a network to some company's PBX
system, you could change the system about to do anything it was designed to
be possible to do. Things such as auto-attendants, voice menus, remote
calling groups and even call queues could be configured. Many systems can
also do this via a phone, and on a system with a badly configured setup or
possibly with the defaults, it seems quite possible that someone could do it
that way as well.

All you'd need to clone another system would be access to the audio (e.g.,
recorded over the phone), a way of getting the audio into the other system
(many allow HTTP upload, or you can always record via the phone), and a
knowledge of the menu, prompts and the system itself.

Many PBX systems have very lax security, mainly because they're little boxes
that sit in the corner and are ignored till something goes wrong. Most
probably still have default username/password combinations set on them. As
always, people underestimate the problems that lax security can cause,
because they don't visualise the possible threats, or deem them to be

I would personally see this being quite possible.

Stuart Young - aka Cefiar - cef at optus.net
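
The kind of usage monitoring the reply describes, as an added example that is not part of the original message: it audits a constructed mailbox inventory and access log for guessable or default PINs, activity on unassigned mailboxes and repeated failed logins. The record layouts, event names, PIN list and threshold are assumptions, not any particular PBX's export format.

```python
from collections import Counter

# Constructed inventory (assumed layout): extension -> (owner or None, PIN)
MAILBOXES = {
    "2001": ("alice", "739154"),
    "2002": ("bob", "2002"),     # PIN equals the extension
    "2003": (None, "0000"),      # unassigned mailbox left on a default-style PIN
    "2004": (None, "582913"),    # unassigned, never touched
    "2005": ("carol", "1234"),
}
# Constructed access log (assumed layout): (timestamp, extension, event)
ACCESS_LOG = [
    ("2006-04-28T09:12:00", "2001", "login_ok"),
    ("2006-04-28T02:03:10", "2003", "login_fail"),
    ("2006-04-28T02:03:25", "2003", "login_fail"),
    ("2006-04-28T02:03:41", "2003", "login_fail"),
    ("2006-04-28T02:04:02", "2003", "login_ok"),
    ("2006-04-28T02:06:30", "2003", "greeting_changed"),
    ("2006-04-28T10:40:00", "2005", "login_ok"),
]
COMMON_PINS = {"0000", "1111", "1234", "4321", "9999"}  # assumed list
USE_EVENTS = {"login_ok", "greeting_changed", "message_left"}

def weak_pin(ext, pin):
    """Return why a PIN is trivially guessable, or None if it is not."""
    if pin == ext:
        return "PIN equals extension"
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return "common or default PIN"
    if len(pin) < 4:
        return "PIN shorter than 4 digits"
    return None

def audit(mailboxes, log, fail_threshold=3):
    """Map each suspicious extension to the list of reasons it was flagged."""
    fails = Counter(ext for _, ext, ev in log if ev == "login_fail")
    used = {ext for _, ext, ev in log if ev in USE_EVENTS}
    findings = {}
    for ext, (owner, pin) in mailboxes.items():
        reasons = [r for r in (weak_pin(ext, pin),) if r]
        if owner is None and ext in used:
            reasons.append("activity on unassigned mailbox")
        if fails[ext] >= fail_threshold:
            reasons.append(f"{fails[ext]} failed logins")
        if reasons:
            findings[ext] = reasons
    return findings

if __name__ == "__main__":
    for ext, reasons in sorted(audit(MAILBOXES, ACCESS_LOG).items()):
        print(ext, "; ".join(reasons))
```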