SecurityWonk was featured on Martin McKeay’s Network Security Podcast. Listen to it here.

An interesting use of the traditionally trusted medium of the phone: leave “accidental” messages on answering machines and voicemail hyping a stock:

The messages were made to seem mistakenly left on answering machines, often made by a caller identifying herself as “Debbie” who wanted to pass along to a girlfriend a “hot” stock tip from a “hot stock exchange guy” she was dating, according to the authorities.

This attack allegedly happened in 2004, so I doubt VoIP was involved, but it would be an excellent attack medium for something like this. The trend here is the cheaper a communications medium becomes, the more it gets exploited, and the less people can trust it.

3 charged in voicemail stock scheme [An Jose Mercury News / AP]

There’s a nice little demo over at Gadget Trail on how to eavesdrop on a VoIP session. They use a Voyage account as an example. The basics:

• Get on the same subnet as the victim.
• Fire up CAIN, and poison the ARP cache.
• Use CAIN to record the call.

Nothing earth-shattering, but it helps demonstrate how easy it is using free Windows tools.

Hacking Voyage: How To Eavesdrop On Calls [Gadget Trail]

Not that this kind of thing couldn’t happen on on the traditional land-line network, but this is a terribly interesting VoIP attack:

To evade detection, Mr. Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeering its unprotected servers to re-route phone traffic through them. These steps made it appear as if this company was sending calls to more than 15 Internet phone companies.

In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook.

Coincidentally, Net2Phone is located in Newark.

Hacker Said to Resell Internet Phone Service [NY Times]

The new trend in phishing: instead of sending customers to a phony website, have them call a phony phone number. This is easier than ever using open source PBX software (like Asterisk) and VoIP. Combine these technologies with SPAM, and you have an almost free way to harvest information for identity theft.

…because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O’Donnell, senior research scientist at Cloudmark.

I take this with a little grain of salt since it comes from and anti-phishing vendor. In fact, Microsoft wrote a warning article about this back in June.

This does have the potential to become an alarming trend though. Everytime I interact with a company that asks for information to identify me, I think, “Now that you know who I am, how do I know who you are?”

Microsoft’s recommendations are good, but the real answer is some form of two-way authentication.

Network World: Phishing leverages VoIP in New Scam Model