September 2006
Volume 1 / Number 5

by
Jonathan Rosenberg

Technical folks seem to get a lot of satisfaction from coming up with cute names for complicated things. Computer security experts, in particular, have dreamed up a whole host of nice-sounding names for all the nasty threats that show up on the Internet. First, there was the term virus, which is actually an acronym (vital information resources under siege). Then, we had malware, spyware, worms, Trojan horses, and adware. With new threats came new terms, and the industry started to hear about spam, botnets, spamdexing, link bombing, phishing, and pharming.

 

Recently, phishing attacks have been launched using VoIP instead of e-mail — and voice phishing, or vishing, was born. The idea is simple. The attacker uses a VoIP version of a war dialer (a piece of software that dials a large number of phone numbers in sequence, like the one used in the film “WarGames”) in an attempt to connect to a person. If someone answers, a recorded greeting says that a credit card needs to be validated by the bank. The person is asked to enter the credit card number and security code to validate the card. Since many people are used to phone-based mechanisms for validating credit cards, they enter the numbers and — voilà! — the attacker has harvested their credit card number.

Vishing is very similar to VoIP spam, sometimes called SPIT, for “spam over Internet telephony.” So far we have seen very little of it. Is it something to be worried about? Absolutely.

The economics of e-mail is one of the primary reasons for the widespread usage of spam. The cost of sending a piece of e-mail is so incredibly small that even if just a tiny fraction of recipients buy an advertised product, it’s still worth doing. VoIP has the potential to drive the cost of voice calling down sufficiently low that the economics start to look like they do for e-mail. In addition, it is much easier to build applications like war dialers for VoIP than it is for the regular telephone network. No hardware is required, just a PC with IP access. This makes it a viable service for botnets to provide, which can further reduce the cost of making a VoIP spam call.




The damage that VoIP spam can do is far worse than that of e-mail spam. Imagine a world where your phone rings every two minutes, and the caller is a recording offering you some kind of unwanted product. Getting an e-mail every two minutes is bad, but a phone call is far, far more intrusive and time-consuming to deal with.

Unfortunately, it’s not as easy to stop VoIP spam as it is e-mail spam. The vast majority of anti-spam technology relies on content analysis. The tools examine the message itself, looking for certain keywords in order to classify the mail as spam or not. With VoIP, however, the content is very difficult to analyze automatically (it’s streaming voice), and the content arrives only after the call has been answered. Content analysis isn’t the only technique used to screen e-mail for spam, though. There are black and white lists, reputation systems, and payments at risk, among other measures. These techniques are just as applicable to VoIP as they are to e-mail.

White lists are particularly interesting. The basic premise is that you maintain a list of senders (or callers in the case of VoIP) that you trust. Calls from those people get through immediately. You can manually add people to your white list (a buddy list is a great source!), or they can be added automatically through some other technique that tries to validate the sender. White lists, unfortunately, rely heavily on a way to securely determine the sender of a message. With e-mail, it is extremely easy to forge the identity of the sender. For white lists to work with VoIP, systems must be put into place that allow for highly reliable caller identities to be carried between providers. The IETF has completed specification of a mechanism that carries out strong cryptographic identity verification. This mechanism, sometimes called SIP Identity, will be crucial for the success of VoIP anti-spam techniques. The IETF is also producing an informational document that summarizes the problem of VoIP spam and the solution space.
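The dependence of a white list on a verifiable caller identity can be shown in a short sketch. This is an added example, not code from the column or from any SIP implementation: the names (`screen`, `PROVIDER_KEYS`, the sample addresses) are hypothetical, the signed fields are a simplification, and an HMAC with a constructed key stands in for the public-key signature that SIP Identity uses.

```python
import hashlib
import hmac

# Constructed demo key for the caller's provider. SIP Identity uses a
# public-key signature; HMAC is a stand-in so this runs on the stdlib alone.
PROVIDER_KEYS = {"bank.example": b"constructed-demo-key"}
WHITE_LIST = {"sip:alice@bank.example"}


def signed_fields(call):
    """Bytes the provider signs: caller, callee, call id and date."""
    return "|".join(call[k] for k in ("from", "to", "call_id", "date")).encode()


def sign(call, key):
    return hmac.new(key, signed_fields(call), hashlib.sha256).hexdigest()


def identity_verified(call):
    """True only if the caller's own domain vouches for this exact call."""
    key = PROVIDER_KEYS.get(call["from"].rsplit("@", 1)[-1])
    tag = call.get("identity")
    if key is None or tag is None:
        return False
    return hmac.compare_digest(sign(call, key), tag)


def screen(call):
    """Return 'ring', 'reject' or 'screen_further' for an incoming call."""
    if call["from"] not in WHITE_LIST:
        return "screen_further"  # unknown caller: apply the other measures
    # A white-list match counts only when the identity is proven.
    return "ring" if identity_verified(call) else "reject"


# Constructed sample calls.
GENUINE = {"from": "sip:alice@bank.example", "to": "sip:bob@home.example",
           "call_id": "c1", "date": "Tue, 05 Sep 2006 10:00:00 GMT"}
GENUINE["identity"] = sign(GENUINE, PROVIDER_KEYS["bank.example"])
REPLAYED = dict(GENUINE, call_id="c2")  # valid tag copied onto another call
UNSIGNED = {k: v for k, v in GENUINE.items() if k != "identity"}
UNKNOWN = dict(UNSIGNED, **{"from": "sip:promo@bulk.example"})

if __name__ == "__main__":
    for name in ("GENUINE", "REPLAYED", "UNSIGNED", "UNKNOWN"):
        print(name, screen(globals()[name]))
```

Without the verification step, the `UNSIGNED` and `REPLAYED` calls would ring straight through, because the caller address alone matches the white list.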

So, next time your phone rings — be wary. It might be an attempt to sell you medication for erectile dysfunction through VoIP. Shall we call this — Via-shing?

Jonathan Rosenberg is co-author of the original SIP specification (RFC 3261). He is currently a Cisco Fellow and Director of VoIP Service Provider Architecture for the Broadband Subscriber Applications Business Unit in the Voice Technology Group at Cisco Systems.

 
