[VOIPSEC] Is there a anti-phishing "blackhole list" of phone numbers?

J. Oquendo sil at infiltrated.net
Tue Jun 2 10:13:19 CDT 2009


Dan York wrote:
> VOIPSEC readers,
>
> This isn't a VoIP question, per se, but it is a security question.  I
> recently had someone who was setting up an IP-PBX for a small business
> ask me if there was any kind of automated service which he could use
> that would have phone numbers that have been reported as being used in
> phishing scams that he could then block his users from dialing. He was
> interested in helping protect his users from getting deceived by a
> phishing email or web site that included a phone number to call.
>
> It occurred to me that there could be a service like the DNS
> "Blackhole Lists" that have historically been used for blocking e-mail
> spam.  For those not familiar, the basic idea (and yes, I'm
> simplifying, and yes, DNSBLs are controversial to some) is that before
> you accept inbound email from some mail server, you send the IP
> address of the sending server to one of these DNSBL services to see if
> it is on the black list.  If it is on the black list, you may choose
> to reject the email before it arrives at your server. Similarly, you
> can do the same thing for sending out to an address.  More details
> here: http://en.wikipedia.org/wiki/DNSBL
>
> Or perhaps it's more like anti-virus definitions - some organization /
> agency compiles a database of phone numbers that are used in phishing
> scams.  A company could download a local database like a virus
> definition database that would be updated periodically from some
> central site.  If a phone number is in that database, the company's
> phone system would not let the number be dialed.
>
> I could see all sorts of issues with a service like this... how do you
> verify the authenticity of the report of a number being used in a
> phishing email?  How do you ensure someone doesn't maliciously add
> "good" numbers to the database?  How does a number get OUT of the list
> if it's found to not be a phishing scam? Still, it could be an
> interesting option for companies to use as part of their overall
> defense strategy.
>
> I see services out there like PhishTank -  http://www.phishtank.com/ -
> that have databases of IP addresses associated with phishing scams
> which you could access to block phishing *web sites*.   Similarly the
> Anti-Phishing Working Group - http://www.antiphishing.org/ - also
> seems to be focused on web sites.  Unless I missed it, I don't see
> anything on either of those sites about a list of the phone numbers
> used (when voice is part of the phishing attack).
>
> Anyone seen anything out there like this that maintains a database of
> phone numbers used in phishing scams?  (I couldn't find anything in
> some quick searches.)
>
> Seems like an interesting (although undoubtedly controversial) idea.
>
> Regards,
> Dan
>
> -- 
> Dan York  dyork at lodestar2.com
> http://www.danyork.com/   skype:danyork
> Phone: +1-802-735-1624
>
> Disruptive Telephony - http://www.disruptivetelephony.com
> Disruptive Conversations - http://www.disruptiveconversations.com/
> Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/
> Voice of VOIPSA - http://www.voipsa.org/blog
> Voxeo weblogs - http://blogs.voxeo.com/
> Twitter - http://twitter.com/danyork

Dan, I cobbled together a VoIP honeypot using Asterisk which acts sort
of like a tape recorder. What it does is, it places a brute forcer in
their own little context (dialplan) but rather than allowing them to
dial out, it mimics a dialtone (in case a brute force operator actually
checks it), then instead of placing a call, it records what the brute
forcer is trying to spam out.

I created it with the intention of analyzing what they were spamming out and
it turns out to be the usual: "This is INSERT_YOUR_BANK_HERE. Your
account compromised has been Press the star key to speak with a security
blah blah blah" (horrible engrish, robotic recording - I have samples
for those wanting to hear them). They seemed to be very targeted, being
they picked out a bank in proximity to the numbers they were dialing
(area code+exchange). I believe I stated this before on this same list -
unsure.

Anyhow, of the recordings I've amassed (a couple of thousand now), none
seem to include a call-back number. Kind of irrelevant to what you
initially posted, but along the same lines. I intended on doing something
for those using open source based PBXs which would allow them to
blacklist known attackers. Would be a nice idea, but technically the
attacking hosts are usually compromised machines themselves, so it would
be difficult to maintain (clean, check, contact admins).

In the case of phone numbers, many-a-telco-joe-jobbing would occur.
Think about it... "Hi, my name is ermm... John (yea that's the ticket).
Please blacklist 1800VONAGE1, my phone rang from 1800VONAGE1 a kabillion
times. I've never heard of any competitor named Vonage, but they seem
dangerous".

Considering many still don't lock down their PBXs, there is no stopping
someone who brute forced an account from outright re-directing
legitimate phone numbers to shady devices (ATAs, softphones,
hardphones, etc).

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
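As an added illustration of the DNSBL-style phone-number lookup Dan describes (not code from either poster, and no such public service is assumed to exist), the example below normalises a dialled string to E.164 digits, including keypad letters so vanity numbers match their digit form, reverses the digits into a query name under a hypothetical zone, and fails open when the resolver is unreachable so a list outage cannot block legitimate calls. The zone name, return codes and listing data are all constructed for this example.

```python
"""DNSBL-style blackhole lookup for phone numbers (constructed example)."""
from typing import Callable, Dict, Optional, Tuple

PHONE_BL_ZONE = "phonebl.example"  # hypothetical zone, assumed for this example

# Return codes, mirroring the 127.0.0.x convention that e-mail DNSBLs use.
REASONS = {"127.0.0.2": "number reported in phishing e-mail",
           "127.0.0.3": "number used as vishing call-back"}

# Keypad letter-to-digit map so "1800VONAGE1" style strings normalise.
_KEYPAD = {c: d for d, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
           "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items() for c in letters}

def normalize_e164(number: str, default_cc: str = "1") -> str:
    """Reduce a dialled string to E.164 digits; a 10-digit NANP local form
    gets default_cc prepended, a leading '+' means the country code is present."""
    digits = "".join(_KEYPAD.get(c, c) for c in number.upper() if c.isalnum())
    if not number.strip().startswith("+") and len(digits) == 10:
        return default_cc + digits
    return digits

def query_name(number: str, zone: str = PHONE_BL_ZONE) -> str:
    """Reverse the digits into DNS labels, as DNSBLs do with IP octets."""
    return ".".join(reversed(normalize_e164(number))) + "." + zone

def lookup(number: str, resolve: Callable[[str], Optional[str]]) -> Tuple[bool, str]:
    """resolve() returns the A record text for a name, or None if not listed."""
    answer = resolve(query_name(number))
    if answer is None:
        return False, "not listed"
    return True, REASONS.get(answer, "listed, unknown code " + answer)

def dial_decision(number: str, resolve: Callable[[str], Optional[str]]) -> str:
    """Policy hook for a PBX: block listed numbers, fail open on resolver errors."""
    try:
        listed, reason = lookup(number, resolve)
    except OSError as exc:
        return "allow (fail-open: " + str(exc) + ")"
    return ("block: " if listed else "allow: ") + reason

# Constructed listing data standing in for a real zone; 555-01xx numbers are fictional.
SAMPLE_ZONE: Dict[str, str] = {query_name("+1-202-555-0143"): "127.0.0.2",
                               query_name("1-800-555-0199"): "127.0.0.3"}

def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ZONE.get(name)

def failing_resolver(name: str) -> Optional[str]:
    raise OSError("resolver timeout")  # simulates an unreachable list service
```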