[VOIPSEC] SPIT and vishing

Thijs van Esveld thijs.van.esveld at hva.nl
Thu Jul 17 07:03:23 PDT 2008


Thank you Tobias,

The only proof I found about a VoIP botnet is probably the same poc as the
one you know of. The points you mention as possibilities to send SPIT are
very credible and I will put them in my report. I combined your definition
of vishing with mine and I think it now covers the subject way better, I
will only focus on vishing with the help of VoIP. Im looking for a good way
to incorporate your trademarks into the report as well ;)

Do you people here at VOIPSA think we will be ready for the SPIT problem
when the big wave hits the world very soon? For what I've been reading and
thinking about a worst case scenario, where a current botnet herder manages
to make his botnet (for example Srizbi) send SPIT aswell, it would result in
utter chaos.

Greetings,
Thijs

On Thu, Jul 17, 2008 at 12:12 PM, Tobias Glemser <
tglemser at tele-consulting.com> wrote:
>
> Hello Thijs,
>
> regarding your question "how do/will Botnets send SPIT messages". Since
> there are few botnets out there with SPIT functionality I know (actually
I'm
> only aware of one poc), the following is more an estimation, than
reporting
> hard facts.
>
> Poss 1: SPIT is sent only in the internal network (in most cases no need
to
> autenticate against the SIP Proxy for "local" calls)
> Poss 2: The Malware will read the credentials from a softphone on the
> infected systems and use the given SIP Proxy
> Poss 3: Random accounts will be generated on SIP Providers and distributed
> through the botnets. The bots use those accounts to send SPIT against
other
> users of the SIP Provider. Most of them have SIP URIs like
> sip:123456 at provider.com <sip%3A123456 at provider.com>, so it's not too hard
to find valid accounts within
> the intelligence of a botnet
>
> I don't think there will be open SIP relays which the Bots make usage of.
>
> You had an interesting disussion with your mentor: For me, vishing is any
> attempt to get sensitive data from users by using voice transport systems.
> It doesn't matter if this is done via an IVR, by the attacker using botnet
> hops or the installation of fake call centers anywhere in the world or
> beyond :) It doesn't even matter if VoIP is used or POTS.
> Just take the "word" vishing: It stand for voice phishing, and phishing
> stands for for password fishing. So it's just password fishing not using
> anything but a voice transport system. Maybe one should make a new word
> creation like VoIPhishing (uh, I like that) to make the usage of VoIP in
the
> attack clearer. Or use passive-vishing if the attackers uses an IVR and
> active-vishing, if I human being is involved on the attackers side. Can I
> trademark those?
>
> Cheers,
>  Toby
>
> > -----Ursprüngliche Nachricht-----
> > Von: voipsec-bounces at voipsa.org
> > [mailto:voipsec-bounces at voipsa.org] Im Auftrag von Thijs van Esveld
> > Gesendet: Donnerstag, 17. Juli 2008 09:46
> > An: voipsec at voipsa.org
> > Betreff: [VOIPSEC] SPIT and vishing
> >
> > Let me first introduce myself because this is my first
> > contribution to the
> > voipsa mailing list. My name is Thijs and I'm a 24 year old
> > Informatics
> > student from the Netherlands. I'm currently working on a
> > report about SPIT
> > and vishing.
> >
> > I have a question regarding SPIT that I have not been able to
> > find out yet
> > and I hope you might be able to give me the answer or point
> > me in the right
> > direction. I have been searching for different ways to send
> > SPIT messages
> > and chose to take a better look at Spitter and the
> > possibilities of sending
> > SPIT using a botnet. The working of Spitter is clear to me
> > but regarding a
> > botnet I have not been able to find out through what ways the
> > SPIT is send.
> > Does a botnet make use of "open SIP proxies", like in the
> > beginning of the
> > spam days that spam used a lot of open mail relays? Or will
> > it use it's
> > victim's SIP proxy that the internet provider provides?
> >
> > I also had a nice discussion about the definition of vishing
> > with my mentor
> > yesterday, he asked me if it would only count as vishing if I
> > would set up a
> > VoIP IVR or also when I set up a call center in India that
> > pretends to be
> > the support desk of the target financial institution (they
> > might even call
> > the targets). I couldn't give him a good answer since I've been only
> > thinking about using an IVR in my report so far.
> >
> > To finnish this mail I would like to do a request. For my
> > research I have
> > sent a questionnaire to a few Dutch internet service
> > providers. To ask them
> > if and how they are working on the problems of SPIT and
> > vishing. Are there
> > any people here that are working for ISP's and are also
> > willing to answer
> > these questions? If it's preferred I can also add the
> > questions here in the
> > mailing list instead of contacting people directly.
> >
> > Your help is greatly appreciated.
> >
> > Kind regards,
> > Thijs
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> >
>



More information about the Voipsec mailing list