[VOIPSEC] SPIT and vishing

Tobias Glemser tglemser at tele-consulting.com
Thu Jul 17 03:12:49 PDT 2008


Hello Thijs,

Regarding your question "how do/will Botnets send SPIT messages": since
there are few botnets out there with SPIT functionality that I know of
(actually I'm only aware of one PoC), the following is more an estimation
than reporting hard facts.

Poss 1: SPIT is sent only in the internal network (in most cases no need to
authenticate against the SIP Proxy for "local" calls)
Poss 2: The malware will read the credentials from a softphone on the
infected systems and use the given SIP Proxy
Poss 3: Random accounts will be generated on SIP Providers and distributed
through the botnets. The bots use those accounts to send SPIT against other
users of the SIP Provider. Most of them have SIP URIs like
sip:123456@provider.com, so it's not too hard to find valid accounts within
the intelligence of a botnet

I don't think there will be open SIP relays which the bots make use of.

You had an interesting discussion with your mentor: For me, vishing is any
attempt to get sensitive data from users by using voice transport systems.
It doesn't matter if this is done via an IVR, by the attacker using botnet
hops or the installation of fake call centers anywhere in the world or
beyond :) It doesn't even matter if VoIP is used or POTS.
Just take the "word" vishing: It stands for voice phishing, and phishing
stands for password fishing. So it's just password fishing not using
anything but a voice transport system. Maybe one should make a new word
creation like VoIPhishing (uh, I like that) to make the usage of VoIP in the
attack clearer. Or use passive-vishing if the attacker uses an IVR and
active-vishing if a human being is involved on the attacker's side. Can I
trademark those?

Cheers, 
 Toby

> -----Original Message-----
> From: voipsec-bounces at voipsa.org
> [mailto:voipsec-bounces at voipsa.org] On Behalf Of Thijs van Esveld
> Sent: Thursday, 17 July 2008 09:46
> To: voipsec at voipsa.org
> Subject: [VOIPSEC] SPIT and vishing
> 
> Let me first introduce myself because this is my first contribution to the
> voipsa mailing list. My name is Thijs and I'm a 24 year old Informatics
> student from the Netherlands. I'm currently working on a report about SPIT
> and vishing.
> 
> I have a question regarding SPIT that I have not been able to find out yet
> and I hope you might be able to give me the answer or point me in the right
> direction. I have been searching for different ways to send SPIT messages
> and chose to take a better look at Spitter and the possibilities of sending
> SPIT using a botnet. The working of Spitter is clear to me but regarding a
> botnet I have not been able to find out through what ways the SPIT is sent.
> Does a botnet make use of "open SIP proxies", like in the beginning of the
> spam days that spam used a lot of open mail relays? Or will it use its
> victim's SIP proxy that the internet provider provides?
> 
> I also had a nice discussion about the definition of vishing with my mentor
> yesterday, he asked me if it would only count as vishing if I would set up a
> VoIP IVR or also when I set up a call center in India that pretends to be
> the support desk of the target financial institution (they might even call
> the targets). I couldn't give him a good answer since I've been only
> thinking about using an IVR in my report so far.
> 
> To finish this mail I would like to make a request. For my research I have
> sent a questionnaire to a few Dutch internet service providers, to ask them
> if and how they are working on the problems of SPIT and vishing. Are there
> any people here that are working for ISPs and are also willing to answer
> these questions? If it's preferred I can also add the questions here in the
> mailing list instead of contacting people directly.
> 
> Your help is greatly appreciated.
> 
> Kind regards,
> Thijs