[Dshield] Thoughts on article - 'Phishers try a phone hook'

Cefiar cef at optus.net
Sat Apr 29 07:27:03 GMT 2006

On Saturday 29 April 2006 02:46, Neil Richardson wrote:
> From the little I understand about such technologies, I'd assume that
> such a system could be set up (on the low-end) using one of the
> open-source PBX systems and a couple of phone lines (although couldn't
> the phone number be traced back to the owner?) so the story seems
> plausible, but before I start alerting my friends/family/co-workers I
> wanted to find out what you guys think: is this an urban myth, a
> possible-but-unlikely threat, or the something we need to actively
> watch from now on?

VMBs (Voice Mail Boxes) have been used for a LONG time (since the 1980's, 
possibly earlier) to trade information without direct calling (like credit 
card numbers or crack/hack details and techniques). Most of these were 
corporate systems that had unused mailboxes with easy to crack or default PIN 
numbers. Of course, the only way you notice is if you monitor the system 
usage and see stuff out of the ordinary, but many people running such systems 
didn't notice any problems, or ignored the activity as it wasn't personally 
damaging them.

Given the increasing use of computers in PBX's, it's not hard to imagine that 
if you can get administrative access across a network to some companies PBX 
system, you could change the system about to do anything it was designed to 
be possible to do. Things such as auto-attendants, voice menus, remote 
calling groups and even call queues could be configured. Many systems can 
also do this via a phone, and on a system with a badly configured setup or 
possibly with the defaults, it seems quite possible that someone could do it 
that way as well.

All you'd need to clone another system would be access to the audio (eg: 
recorded over the phone), a way of getting the audio into the other system 
(many allow http upload, or you can always record via the phone), and a 
knowledge of the menu, prompts and the system itself.

Many PBX systems have very lax security, mainly because they're little boxes 
that sit in the corner and are ignored till something goes wrong. Most 
probably still have default username/password combinations set on them. As 
always, people underestimate the problems that lax security can cause, 
because they don't visualise the possible threats, or deem them to be 

I would personally see this being quite possible.

 Stuart Young - aka Cefiar - cef at optus.net

More information about the list mailing list