Send VoiceOps mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."
Today's Topics:
1. Just got hit with a new attack vector (Robert Dawson)
2. Re: Just got hit with a new attack vector (Gabriel Gunderson)
3. Re: Just got hit with a new attack vector (Matt Yaklin)
4. Re: Just got hit with a new attack vector (Robert Dawson)
----------------------------------------------------------------------
Message: 1
Date: Sun, 18 Nov 2012 04:23:19 +0000
From: Robert Dawson <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [VoiceOps] Just got hit with a new attack vector
Message-ID: <cccdccec.13200%[email protected]>
Content-Type: text/plain; charset="us-ascii"
User mailbox was compromised. The attacker called into the extension and left a
voicemail while spoofing the number they wanted to call, then called back,
logged into the mailbox, retrieved the message, and used the "Callback Caller"
option from the playback menu to originate a call back to the spoofed number.
I disabled the option in the voice portal to mitigate further attacks. Figured
it would be worth sharing.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://puck.nether.net/pipermail/voiceops/attachments/20121118/41a66dd3/attachment-0001.html>
------------------------------
Message: 2
Date: Sat, 17 Nov 2012 21:32:29 -0700
From: Gabriel Gunderson <[email protected]>
To: Robert Dawson <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Just got hit with a new attack vector
Message-ID:
<CAMwZ-tJ0U-qi=LShzUavKb8=osTEX=ounvhm_ntw426cdfb...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Sat, Nov 17, 2012 at 9:23 PM, Robert Dawson
<[email protected]> wrote:
> User mailbox was compromised. The attacker called into the extension and
> left a voicemail while spoofing the number they wanted to call, then called
> back, logged into the mailbox, retrieved the message, and used the "Callback
> Caller" option from the playback menu to originate a call back to the
> spoofed number.
So much effort and smarts wasted trying to steal services. It's a
shame really. Thanks for sharing. Interesting approach.
Best,
Gabe
------------------------------
Message: 3
Date: Sat, 17 Nov 2012 23:35:07 -0500 (EST)
From: Matt Yaklin <[email protected]>
To: Robert Dawson <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Just got hit with a new attack vector
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-15"; Format="flowed"
On Sun, 18 Nov 2012, Robert Dawson wrote:
> User mailbox was compromised. The attacker called into the extension and
> left a voicemail while spoofing the number they wanted to call, ?then called
> back, logged into the mailbox, retrieved the message, and used the "Callback
> Caller" option from the playback menu to originate a call back to the
> spoofed number.
>
Pretty clever really.
What software did the attack compromise?
An Aserisk release? Custom rolled or a popular ISO release?
Broadsoft?
Something else?
Thanks,
[email protected]
> I disabled the option in the voice portal to mitigate further attacks.
> Figured it would be worth sharing.
>
>
------------------------------
Message: 4
Date: Sun, 18 Nov 2012 13:58:01 +0000
From: Robert Dawson <[email protected]>
To: Matt Yaklin <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Just got hit with a new attack vector
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"
This was a Broadworks platform, though any system with similar functionality
could be exploited.
Sent from my iPad
On Nov 17, 2012, at 11:35 PM, "Matt Yaklin" <[email protected]> wrote:
>
>
> On Sun, 18 Nov 2012, Robert Dawson wrote:
>
>> User mailbox was compromised. The attacker called into the extension and
>> left a voicemail while spoofing the number they wanted to call, then called
>> back, logged into the mailbox, retrieved the message, and used the "Callback
>> Caller" option from the playback menu to originate a call back to the
>> spoofed number.
>
> Pretty clever really.
>
> What software did the attack compromise?
> An Aserisk release? Custom rolled or a popular ISO release?
> Broadsoft?
> Something else?
>
> Thanks,
>
> [email protected]
>
>> I disabled the option in the voice portal to mitigate further attacks.
>> Figured it would be worth sharing.
------------------------------
_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops
End of VoiceOps Digest, Vol 41, Issue 20
****************************************
