[VOIPSEC] Is there an anti-phishing "blackhole list" of phone numbers?
ruben at azuralis.no
Tue Jun 2 11:55:24 EDT 2009
Hi Dan & list members.
Funny that you bring this up right now - I am in the process of
writing a new article for the VOIPSA blog regarding minimizing long
distance toll fraud.
This is not directly related to telephone phishing scams - but the
underlying idea / technique could be used for this also (I will not
outline the whole article in this mail - you guys will have to wait until
the weekend to read my article).
Also not phishing related, but in Norway we have a few private
initiatives to keep a list of phone numbers used for marketing calls.
The most known is http://www.telefonterror.no/. Currently the
database contains numbers for 5499 entities doing sales over the phone
or "market research" or pure scams. The actual numbers are maintained
by people adding numbers to the database. There are also a few foreign
numbers in the database.
The work flow is as follows:
1) Someone adds a phone number with a company name (if found) and a
comment on why this number should be black listed.
Example of a comment on a phone number: "The Network Catalog own this
number, and they do not care to check the national registry of people
who do not want to be called".
2) The number is then cataloged into a given category: Sales,
Marketing research, Hoax/scam, Customer support, non-profit
3) The number can now be voted upon and discussed.
The whole setup of telefonterror.no makes the process of adding,
discussing and asking for removal of phone numbers very transparent.
Because of #3, the owner of the phone number can also participate in
the discussion on whether the number is used for the right purposes.
I do not know if such a workflow would work with phishing related
numbers - or if the legal side of said service would survive a fight
in the court room. At least in this country such a website is
completely legal to operate even if some of the companies listed on
the web site have tried a lot of (shitty) tactics to be removed.
Med vennlig hilsen / Best regards,
Ove Ruben R Olsen, MSc IT Cell phone +47 91 57 87 48
Chief Technical Officer, Azuralis AS Desk phone +47 55 62 18 08
On 2. juni. 2009, at 16.42, Dan York wrote:
> VOIPSEC readers,
> This isn't a VoIP question, per se, but it is a security question.
> I recently had someone who was setting up an IP-PBX for a small
> business ask me if there was any kind of automated service which he
> could use that would have phone numbers that have been reported as
> being used in phishing scams that he could then block his users from
> dialing. He was interested in helping protect his users from getting
> deceived by a phishing email or web site that included a phone
> number to call.
> It occurred to me that there could be a service like the DNS
> "Blackhole Lists" that have historically been used for blocking e-
> mail spam. For those not familiar, the basic idea (and yes, I'm
> simplifying, and yes, DNSBLs are controversial to some) is that
> before you accept inbound email from some mail server, you send the
> IP address of the sending server to one of these DNSBL services to
> see if it is on the black list. If it is on the black list, you may
> choose to reject the email before it arrives at your server.
> Similarly, you can do the same thing for sending out to an address.
> More details here: http://en.wikipedia.org/wiki/DNSBL
> Or perhaps it's more like anti-virus definitions - some
> organization / agency compiles a database of phone numbers that are
> used in phishing scams. A company could download a local database
> like a virus definition database that would be updated periodically
> from some central site. If a phone number is in that database, the
> company's phone system would not let the number be dialed.
> I could see all sorts of issues with a service like this... how do
> you verify the authenticity of the report of a number being used in
> a phishing email? How do you ensure someone doesn't maliciously add
> "good" numbers to the database? How does a number get OUT of the
> list if it's found to not be a phishing scam? Still, it could be an
> interesting option for companies to use as part of their overall
> defense strategy.
> I see services out there like PhishTank - http://www.phishtank.com/
> - that have databases of IP addresses associated with phishing scams
> which you could access to block phishing *web sites*. Similarly
> the Anti-Phishing Working Group - http://www.antiphishing.org/ -
> also seems to be focused on web sites. Unless I missed it, I don't
> see anything on either of those sites about a list of the phone
> numbers used (when voice is part of the phishing attack).
> Anyone seen anything out there like this that maintains a database
> of phone numbers used in phishing scams? (I couldn't find anything
> in some quick searches.)
> Seems like an interesting (although undoubtedly controversial) idea.
> Dan York dyork at lodestar2.com
> http://www.danyork.com/ skype:danyork
> Phone: +1-802-735-1624
> Disruptive Telephony - http://www.disruptivetelephony.com
> Disruptive Conversations - http://www.disruptiveconversations.com/
> Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/
> Voice of VOIPSA - http://www.voipsa.org/blog
> Voxeo weblogs - http://blogs.voxeo.com/
> Twitter - http://twitter.com/danyork
> Voipsec mailing list
> Voipsec at voipsa.org
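
A sketch of the locally cached list described in the quoted message, combined with the category and voting fields from the telefonterror.no workflow; this is an added example and not part of the original thread. The feed format, the vote threshold, the local allowlist and all phone numbers are constructed assumptions.

```python
import re

# Constructed sample feed (not real data): number|category|votes_for|votes_against
SAMPLE_FEED = """\
+47 55 50 01 01|Hoax/scam|42|1
+47 55 50 01 02|Sales|30|2
+47 55 50 01 03|Hoax/scam|2|1
+1 (802) 555-0100|Hoax/scam|15|0
"""
BLOCK_CATEGORIES = {"Hoax/scam"}  # assumed policy: only this category blocks dialing
MIN_NET_VOTES = 5                 # assumed threshold against malicious or mistaken reports
ALLOWLIST = {"+18025550100"}      # numbers the local admin has verified as legitimate

def normalize(number, default_cc="47"):
    """Reduce a dialed string to +<digits> so formatting cannot evade the match."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("00"):        # international prefix becomes "+"
        digits = "+" + digits[2:]
    elif not digits.startswith("+"):   # national number: prepend default country code
        digits = "+" + default_cc + digits
    return "+" + digits[1:].replace("+", "")

def load_feed(text):
    """Parse the feed into {number: (category, net_votes)}, skipping malformed lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        entries[normalize(parts[0])] = (parts[1], int(parts[2]) - int(parts[3]))
    return entries

def may_dial(dialed, entries):
    """Return (allowed, reason) for an outbound call attempt."""
    number = normalize(dialed)
    if number in ALLOWLIST:            # local override wins over the shared list
        return True, "allowlisted locally"
    entry = entries.get(number)
    if entry is None:
        return True, "not listed"
    category, net = entry
    if category in BLOCK_CATEGORIES and net >= MIN_NET_VOTES:
        return False, f"listed as {category} (net votes {net})"
    return True, f"listed as {category}, not blocked by policy"
```

The allowlist and the net-vote threshold are the local controls for the false-listing problem raised in the quoted message; removal from the shared list itself still depends on the list operator's process.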