[VOIPSEC] Is there a anti-phishing "blackhole list" of phone numbers?

Dan York dyork at lodestar2.com
Tue Jun 2 10:42:15 EDT 2009


VOIPSEC readers,

This isn't a VoIP question, per se, but it is a security question.  I  
recently had someone who was setting up an IP-PBX for a small business  
ask me if there was any kind of automated service which he could use  
that would have phone numbers that have been reported as being used in  
phishing scams that he could then block his users from dialing. He was  
interested in helping protect his users from getting deceived by a  
phishing email or web site that included a phone number to call.

It occurred to me that there could be a service like the DNS  
"Blackhole Lists" that have historically been used for blocking e-mail  
spam.  For those not familiar, the basic idea (and yes, I'm  
simplifying, and yes, DNSBLs are controversial to some) is that before  
you accept inbound email from some mail server, you send the IP  
address of the sending server to one of these DNSBL services to see if  
it is on the black list.  If it is on the black list, you may choose  
to reject the email before it arrives at your server. Similarly, you  
can do the same thing for sending out to an address.  More details  
here: http://en.wikipedia.org/wiki/DNSBL

Or perhaps it's more like anti-virus definitions - some organization /  
agency compiles a database of phone numbers that are used in phishing  
scams.  A company could download a local database like a virus  
definition database that would be updated periodically from some  
central site.  If a phone number is in that database, the company's  
phone system would not let it the number be dialed.

I could see all sorts of issues with a service like this... how do you  
verify the authenticity of the report of a number being used in a  
phishing email?  How do you ensure someone doesn't maliciously add  
"good" numbers to the database?  How does a number get OUT of the list  
if it's found to not be a phishing scam? Still, it could be an  
interesting option for companies to use as part of their overall  
defense strategy.

I see services out there like PhishTank -  http://www.phishtank.com/ -  
that have databases of IP addresses associated with phishing scams  
which you could access to block phishing *web sites*.   Similarly the  
Anti-Phishing Working Group - http://www.antiphishing.org/ - also  
seems to be focused on web sites.  Unless I missed it, I don't see  
anything on either of those sites about a list of the phone numbers  
used (when voice is part of the phishing attack).

Anyone seen anything out there like this that maintains a database of  
phone numbers using in phishing scams?  (I couldn't find anything in  
some quick searches.)

Seems like an interesting (although undoubtedly controversial) idea.

Regards,
Dan

--
Dan York  dyork at lodestar2.com
http://www.danyork.com/   skype:danyork
Phone: +1-802-735-1624

Disruptive Telephony - http://www.disruptivetelephony.com
Disruptive Conversations - http://www.disruptiveconversations.com/
Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/
Voice of VOIPSA - http://www.voipsa.org/blog
Voxeo weblogs - http://blogs.voxeo.com/
Twitter - http://twitter.com/danyork




More information about the Voipsec mailing list