[VOIPSEC] Phishers Snare Victims With VoIP

Hadriel Kaplan HKaplan at acmepacket.com
Fri Apr 28 10:52:35 CDT 2006


Hi Shawn,
Comments inline...

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Shawn Merdinger
> Sent: Thursday, April 27, 2006 7:03 PM
> To: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Phishers Snare Victims With VoIP
> 
> Hi,
> 
> >From: "Gupta, Sachin" <s-gupta2 at ti.com>
> >It doesn't look like VoIP has anything to do with these kinds of
> >issues. Scammers could have used a PSTN number as well, instead of VoIP.
> 
> True, a PSTN number could have been used.  However, I think we'll see
> VoIP capabilities, features and weaknesses combined with savvy
> scammers' creativity, employed more blatantly soon.

I agree; there'll probably be an adoption threshold after which it will
become more tempting to use voip.


> For example:
> 1.  Spoofing caller-id numbers.  Still an issue in VoIP.  The current
> scammers could use this as an added illusion of security
> confirmation by implementing a call-back mechanism.  This could be
> automated, so that the customer initially calls the spoofed email
> number, and a recording says because of these scams a "secure
> call-back feature" has now been implemented.  The victim is directed
> to hang up and then compare the incoming (spoofed) caller-id to the
> *legitimate* number on the victim's bank statement, bank website, etc.

I'm not sure what you mean by "spoofed email number" in the first part.
It's not spoofed - at least not the real/full URI, or else it becomes much
more difficult for them to spoof.  Unless you just mean that the text
description of the URI in the email says "mybank.com" but the real URI
reference behind it is one not belonging to the bank (assuming
html-formatted email).  That definitely happens in email.  I just got such a
spoofed eBay one yesterday.


> 2.  VoIP forwarding capability adds an interesting twist.  Sure you
> can bounce PSTN-based calls around, but can you do them with several
> services in different countries at such low-cost?  This capability
> makes log coordination, call-tracking and technical efforts difficult,
> not to mention the legal and jurisdiction challenges in this area.

Yup, which is why some service providers don't allow their consumer phones
to forward without involving them, and won't remove themselves from the
signaling path for calls made through them.


> 3.  Some VoIP services have features that could be employed in these
> scams easily.  One example is that SkypeOut's caller-ID shows up as
> 0000123456 -- there are other issues, including specifying one's own
> caller-id during the SIP service registration process.

Service providers usually only allow endpoints that own the ID (AoR) to
register it, although the strength of the most popular mechanism used to do
that (MD5 digest challenge) is often questioned.  Most service providers
only let you make a call using the ID/AoRs you successfully registered, but
over cleartext UDP a man-in-the-middle can spoof easily if encrypt+auth
isn't used.  Although there is debate about how easy/hard it is to become a
MITM outside of an enterprise environment. 

-hadriel
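As an added example (not from this thread, and not any provider's actual code), here is a minimal registrar-side check in Python that ties the digest credentials in a REGISTER to the AoR those credentials own, the control Hadriel describes above. The user store, realm, nonce and AoRs are constructed; the digest follows RFC 3261 (MD5, no qop).

```python
# Added example: a registrar binding authenticated credentials to the AoR
# they are allowed to register. Constructed data, not a real provider's code.
import hashlib
import hmac

# Constructed credential store: username -> (password, AoR it may register)
USER_DB = {
    "alice": ("s3cret", "sip:alice@example.com"),
}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 3261 digest without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def authorize_register(auth: dict, to_aor: str, user_db=USER_DB):
    """Decide whether a REGISTER may bind `to_aor`.

    `auth` holds the parsed Authorization header fields
    (username, realm, uri, nonce, response). Returns (ok, reason).
    """
    entry = user_db.get(auth["username"])
    if entry is None:
        return False, "unknown user"
    password, owned_aor = entry
    expected = digest_response(auth["username"], auth["realm"], password,
                               "REGISTER", auth["uri"], auth["nonce"])
    # Constant-time comparison of the client's response with ours.
    if not hmac.compare_digest(expected, auth["response"]):
        return False, "bad credentials"
    # The digest proves knowledge of the password for `username`; it does
    # not cover the To header, so the AoR must be checked explicitly.
    if to_aor != owned_aor:
        return False, "AoR not owned by authenticated user"
    return True, "registered"
```

Over cleartext UDP this check only protects registration; the same AoR-to-credential binding has to be enforced again on each outgoing call, and nothing here detects an on-path party rewriting the request, which is why Hadriel points at encryption plus authentication.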