[VOIPSEC] Is there a anti-phishing "blackhole list" of phone numbers?

Ruben Olsen ruben at azuralis.no
Tue Jun 2 11:55:24 EDT 2009


Hi Dan & list members.

Funny that you bring this up right now - I am in the process of  
writing a new article for the VOIPSA blog regarding minimizing long  
distance toll fraud.

This is not directly related to telephone phishing scams - but the  
underlying idea / technique could be used for this also (I will not  
outline the whole article in this mail - you guys will have to wait to  
weekend to read my article).

Also not phishing related, but in Norway we have a few private  
initiatives to keep a list of phone numbers used for marketing calls.  
The most known is  http://www.telefonterror.no/. Currently the  
database contain numbers for 5499 entities doing sales over the phone  
or "market research" or pure scams. The actual numbers are maintained  
by people adding numbers to the database. There is also a few foreign  
numbers in the database.

The work flow is as follows:

1) Someone adds a phone number with a company name (if found) and a  
comment on why this number should be black listed.
Example of a comment on a phone number: "The Network Catalog own this  
number, and they do not care to check the national registry of people  
who do not want to be called".

2) The number is then cataloged into a given category: Sales,  
Marketing research, Hoax/scam, Customer support, non-profit  
organization, etc.

3) The number can now be voted upon and discussed.

The whole setup of telefonterror.no makes the process of adding,  
discussing and asking for removal of phone numbers very transparent.

Because of #3, the owner of the phone number can also participate into  
the discussion on if the number is used for the right purposes.

I do not know if such workflow would work with phishing related  
numbers - or if the legal side of said service would survive a fight  
in the court room.  At least in this country such website is  
completely legal to operate even if some of the companies listed on  
the web site have tried a lot of (shitty) tactics to be removed.

\Ruben
---
Med vennlig hilsen / Best regards,
Ove Ruben R Olsen, MSc IT               Cell phone +47 91 57 87 48
Chief Technical Officer, Azuralis AS    Desk phone +47 55 62 18 08

On 2. juni. 2009, at 16.42, Dan York wrote:

> VOIPSEC readers,
>
> This isn't a VoIP question, per se, but it is a security question.   
> I recently had someone who was setting up an IP-PBX for a small  
> business ask me if there was any kind of automated service which he  
> could use that would have phone numbers that have been reported as  
> being used in phishing scams that he could then block his users from  
> dialing. He was interested in helping protect his users from getting  
> deceived by a phishing email or web site that included a phone  
> number to call.
>
> It occurred to me that there could be a service like the DNS  
> "Blackhole Lists" that have historically been used for blocking e- 
> mail spam.  For those not familiar, the basic idea (and yes, I'm  
> simplifying, and yes, DNSBLs are controversial to some) is that  
> before you accept inbound email from some mail server, you send the  
> IP address of the sending server to one of these DNSBL services to  
> see if it is on the black list.  If it is on the black list, you may  
> choose to reject the email before it arrives at your server.  
> Similarly, you can do the same thing for sending out to an address.   
> More details here: http://en.wikipedia.org/wiki/DNSBL
>
> Or perhaps it's more like anti-virus definitions - some  
> organization / agency compiles a database of phone numbers that are  
> used in phishing scams.  A company could download a local database  
> like a virus definition database that would be updated periodically  
> from some central site.  If a phone number is in that database, the  
> company's phone system would not let it the number be dialed.
>
> I could see all sorts of issues with a service like this... how do  
> you verify the authenticity of the report of a number being used in  
> a phishing email?  How do you ensure someone doesn't maliciously add  
> "good" numbers to the database?  How does a number get OUT of the  
> list if it's found to not be a phishing scam? Still, it could be an  
> interesting option for companies to use as part of their overall  
> defense strategy.
>
> I see services out there like PhishTank -  http://www.phishtank.com/  
> - that have databases of IP addresses associated with phishing scams  
> which you could access to block phishing *web sites*.   Similarly  
> the Anti-Phishing Working Group - http://www.antiphishing.org/ -  
> also seems to be focused on web sites.  Unless I missed it, I don't  
> see anything on either of those sites about a list of the phone  
> numbers used (when voice is part of the phishing attack).
>
> Anyone seen anything out there like this that maintains a database  
> of phone numbers using in phishing scams?  (I couldn't find anything  
> in some quick searches.)
>
> Seems like an interesting (although undoubtedly controversial) idea.
>
> Regards,
> Dan
>
> --
> Dan York  dyork at lodestar2.com
> http://www.danyork.com/   skype:danyork
> Phone: +1-802-735-1624
>
> Disruptive Telephony - http://www.disruptivetelephony.com
> Disruptive Conversations - http://www.disruptiveconversations.com/
> Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/
> Voice of VOIPSA - http://www.voipsa.org/blog
> Voxeo weblogs - http://blogs.voxeo.com/
> Twitter - http://twitter.com/danyork
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org




More information about the Voipsec mailing list