Archive for the 'VoIP' Category

McAfee Labs Report on VoIP Vulnerabilities

Voice over Internet Protocol (VoIP) is a method for making phone calls over the Internet or using private networks. Traditional phone calls must travel over a series of switches and circuits owned by the telephone companies, which control the process and the charges. By using VoIP, both businesses and individuals can enjoy a substantial cost savings, especially while making long-distance calls.

McAfee Labs first observed an increase in VoIP vulnerabilities during the end of 2006 and that trend has continued through today. We can credit part of this increase to better tools for finding VoIP problems, yet this upward trend should be largely attributed to the growing number of VoIP installations.

The malicious behavior that we have seen in other media already plagues Internet voice calls. In this report, we examine vulnerability trends as well as protocol- and application-layer attacks. We offer both a general and technical overview to the threats against VoIP and how to protect and remediate against them.

Download the report, available in nine languages, in its entirety here. My compliments to colleague Kevin Watkins on this excellent piece of research!

Lack of Attention Could Plague VoIP Devices

Today, almost all administrators know they need to secure their networks to prevent leaking useful information and to avoid attacks. They can take steps as basic as disabling null sessions and enabling the firewall on Windows XP to prevent unauthorized access. However, there remain areas of security that are neglected.

Last week, I read some documents on Cisco’s IP phone model 7960 and found that the phone’s web interface gives up a lot of sensitive network information. Then I wondered whether I could find a Cisco IP phone publicly accessible by Google, so I ran a search to look for publicly accessible web interfaces. Guess what, there were almost 10 publicly accessible Cisco IP phones listed. I followed these links to where I could get the firmware versions, and then I searched in vulnerability databases and found that at least one IP phone’s firmware was unpatched and contained some vulnerabilities. Also, the information on Google leaked some sensitive information, such as IP addresses of the TFTP server/router/DNS server/DHCP server/Cisco Call Manager, as well as some application links, internal device configuration, and debugging information. If there are any exploitable vulnerabilities in one of these linked servers, attackers could use this information to stage further attacks.

Highly sensitive information needn’t and shouldn’t be easily exposed on the web. At the least, the firewall on the network edge should be configured to filter unwanted access to port 80 of these VoIP devices, so that the phones’ web interfaces are reachable only from the internal management network. The less information you disclose, the more secure you are.
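As an added illustration of that edge filter (not part of the original post), here is an nftables ruleset that logs and drops Internet-sourced requests to the phones’ web interface. The phone subnet 10.20.0.0/24 and the Internet-facing interface name wan0 are constructed assumptions; substitute your own.

```nft
# Added example, not from the post. Assumptions: the IP phones sit in
# 10.20.0.0/24 (constructed) and the Internet-facing interface is wan0.
table inet voip_edge {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Keep existing sessions flowing.
        ct state established,related accept

        # Weak state (what the post found): with no rule here, the phones'
        # web interface on tcp/80 answers to anyone on the Internet.

        # Hardened: log (for detection) and drop new inbound tcp/80 to the
        # phone subnet arriving from the Internet-facing interface.
        iifname "wan0" ip daddr 10.20.0.0/24 tcp dport 80 log prefix "voip-web-blocked " counter drop
    }
}
```

Load it with `nft -f` on the edge firewall and watch the "voip-web-blocked" kernel log lines: hits from the Internet to a phone’s web port are a sign that the phones are still being indexed or probed.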

Dial V for Vish

In a natural evolution of phishing, Internet scamsters are switching to “Vishing” (short for “voice phishing”) in order to steal user information. Vishing combines the use of Voice over IP (VoIP) phones with clever social engineering to gain access to the victim’s personal and financial details by exploiting the perceived trust in traditional telephone services.

With increased user education about Internet scams, people are more aware that an e-mail containing a URL could be malicious. Instead of using a misdirected Web link to a phony banking site to steal user information, fraudsters are luring victims to something more credible: calling a toll-free number and having an automated recording ask for account information.

Potential victims receive the usual convincing e-mail phish, conjured to look like a genuine complaint. But instead of being directed to a website to resolve the pending issue, they are given a phone number to call. Those who call the “customer service” number are greeted with a pirated recording of the targeted financial institution’s automated voice system and are asked to enter their card number in order to authenticate. They are then led through a series of voice-prompted menus that ask for PIN codes, card expiration date, date of birth and other critical information. Once the victim enters these details, the visher has enough to commit identity theft and make fraudulent use of the account.

With the US tax deadline nearing, McAfee Avert Labs has observed a surge in IRS refund phishing attempts. In addition to the usual e-mail phish we also observed IRS vishing campaigns targeting VISA or MasterCard debit cards.

IRS Vish email

Here’s another example of a vish campaign targeting a well known bank.

Bank Vish email

Other variants of vishing use CallerID spoofing so that an incoming call appears to come from a 1-800 number, or send SMS messages purporting to be from a bank. A text or pre-recorded voice message is then played, persuading the victim that their account has been frozen due to suspicious activity. Because the incoming call displays a 1-800 number from a recognized institution, it creates a false sense of security about the authenticity of the message.

Vishing is all set to flourish with advancements in Voice over Internet Protocol (VoIP) technology that enables cheap and anonymous Internet calling. Given the ease with which CallerID boxes can be tricked into displaying erroneous information, it is becoming increasingly difficult to distinguish phishing attempts from genuine attempts to contact customers.

If you encounter a vishing attempt and have a question concerning your account or card, please contact the financial institution only using a telephone number obtained from your account statement, a telephone book or other verifiable, genuine correspondence.

Avert Labs’ 2008 Threat Predictions

It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

Skype malware in the limelight again

With Skype gaining popularity in the VoIP-IM space, it has become an attractive target for malware authors. Very recently we blogged about the W32/Pykse.worm, which spread via Skype.

Today we came across a new trojan, PWS-Pykse, which attempts to steal Skype usernames and passwords. This trojan passes itself off as a “Skype-Defender” plug-in for Skype. It displays a fake login window to trick the user into entering their login credentials:

Fake Skype login window

The PWS-Pykse trojan does not spread by itself. It relies on social engineering to trick the victim into executing it and is usually posted on dodgy sites or forums. Upon execution, the trojan kills any running instance of Skype and displays a fake Skype login window. It then captures the username and password entered by the victim and posts them via HTTP to the trojan author’s website.

An alert Skype user would notice that it looks very different from the normal Skype login window, especially since none of the hyperlinks or options displayed are functional! McAfee users are protected against this threat from DAT 5143 onwards.