Just got hit with a new attack vector

User mailbox was compromised. The attacker called into the extension and left a voicemail while spoofing the number they wanted to call, then called back, logged into the mailbox, retrieved the message, and used the "Callback Caller" option from the playback menu to originate a call back to the spoofed number. I disabled the option in the voice portal to mitigate further attacks. Figured it would be worth sharing.

On Sat, Nov 17, 2012 at 9:23 PM, Robert Dawson <RDawson at alliedtelecom.net> wrote:
User mailbox was compromised. The attacker called into the extension and left a voicemail while spoofing the number they wanted to call, then called back, logged into the mailbox, retrieved the message, and used the "Callback Caller" option from the playback menu to originate a call back to the spoofed number.
So much effort and smarts wasted trying to steal services. It's a shame really. Thanks for sharing. Interesting approach.
Best,
Gabe

On Sun, 18 Nov 2012, Robert Dawson wrote:
User mailbox was compromised. The attacker called into the extension and left a voicemail while spoofing the number they wanted to call, then called back, logged into the mailbox, retrieved the message, and used the "Callback Caller" option from the playback menu to originate a call back to the spoofed number.
Pretty clever really.
What software did the attack compromise? An Asterisk release? Custom rolled or a popular ISO release? Broadsoft? Something else?
Thanks,
matt at g4.net
I disabled the option in the voice portal to mitigate further attacks. Figured it would be worth sharing.

This was a Broadworks platform, though any system with similar functionality could be exploited.
Sent from my iPad
On Nov 17, 2012, at 11:35 PM, "Matt Yaklin" <myaklin at g4.net> wrote:
On Sun, 18 Nov 2012, Robert Dawson wrote:
User mailbox was compromised. The attacker called into the extension and left a voicemail while spoofing the number they wanted to call, then called back, logged into the mailbox, retrieved the message, and used the "Callback Caller" option from the playback menu to originate a call back to the spoofed number.
Pretty clever really.
What software did the attack compromise? An Asterisk release? Custom rolled or a popular ISO release? Broadsoft? Something else?
Thanks,
matt at g4.net
I disabled the option in the voice portal to mitigate further attacks. Figured it would be worth sharing.
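
A defender-side check for the call pattern described in this thread, added here as an example and not code from any poster or from BroadWorks: it scans call events for a voicemail deposit, a voice portal login, and a "Callback Caller" origination to the deposit's caller ID, all inside a short window. The event names, tuple layout, 15-minute window and sample records are assumptions constructed for illustration; legitimate callbacks also match, so hits are candidates for review.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format:
# (timestamp, event, mailbox, number). This is not a BroadWorks CDR layout.
SAMPLE_EVENTS = [
    # Deposit with presented caller ID, login, callback within minutes.
    ("2012-11-17 20:01:10", "vm_deposit", "2001", "+15550100"),
    ("2012-11-17 20:03:42", "portal_login", "2001", ""),
    ("2012-11-17 20:04:05", "callback_originate", "2001", "+15550100"),
    # Ordinary use: message left in the morning, returned that afternoon.
    ("2012-11-17 09:00:00", "vm_deposit", "2002", "+15550123"),
    ("2012-11-17 16:30:00", "portal_login", "2002", ""),
    ("2012-11-17 16:31:00", "callback_originate", "2002", "+15550123"),
    # Callback with no matching deposit in the data set.
    ("2012-11-17 21:00:00", "portal_login", "2003", ""),
    ("2012-11-17 21:01:00", "callback_originate", "2003", "+15550177"),
]


def find_callback_chains(events, window=timedelta(minutes=15)):
    """Return (mailbox, number, deposit_time, callback_time) for every
    deposit -> portal login -> callback-to-same-number chain that
    completes within `window` of the deposit."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev, mbox, num)
        for ts, ev, mbox, num in events
    )
    deposits = {}  # (mailbox, presented caller ID) -> time of latest deposit
    logins = {}    # mailbox -> time of latest voice portal login
    hits = []
    for ts, ev, mbox, num in parsed:
        if ev == "vm_deposit":
            deposits[(mbox, num)] = ts
        elif ev == "portal_login":
            logins[mbox] = ts
        elif ev == "callback_originate":
            dep = deposits.get((mbox, num))
            login = logins.get(mbox)
            # The login must fall between the deposit and the callback.
            if dep and login and dep <= login <= ts and ts - dep <= window:
                hits.append((mbox, num, dep, ts))
    return hits


if __name__ == "__main__":
    for mbox, num, dep, cb in find_callback_chains(SAMPLE_EVENTS):
        print(f"mailbox {mbox}: callback to {num} {cb - dep} after deposit")
```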
participants (3): gabe@gundy.org, myaklin@g4.net, RDawson@alliedtelecom.net