I recently heard from Mark Collier, CTO at SecureLogix and one of the industry's security gurus. He pointed me to a recent FBI press release on a growing VOIP-driven security threat: Denial-of-service attacks that are launched as a way of masking separate identity theft or other types of fraud attacks. According to the FBI, scammers flood a victim's phone number with phony calls while they're also accessing that person's account at a financial institution or other company. That way, if the illegal access trips some kind of verification call out to the victim, that verification call can't get through because the line is blocked by what is essentially VOIP spam.

In expanding on the FBI's warning, Mark pointed out that the attacks themselves--both the telephony DoS and the subsequent identity theft--don't rely on VOIP in and of itself. In other words, you could, in theory, flood a call center with calls generated out of a TDM system. It's just that VOIP lets you do it a lot cheaper. Remember, spam is cost-effective because it's so cheap to email millions of people; if even a handful of people fall for the spammer's pitch, he's ahead of the game. VOIP simply applies that principle to the voice medium.

Mark explained that, in the FBI's example, it's cheap to flood the victim to block the verification calls while the information is being stolen by the hacker component of this bi-level scam. "With cheap open source PBX software and SIP trunking, you can set up the software to generate calls in a day," he said.

This contrasts with the PSTN's more closed model, which offered "security through obscurity"--i.e., the gear was expensive, almost exotic, requiring an esoteric skill set to run.

Scammers are also using cheap VOIP calling to do brute-force DTMF attacks against IVRs, Mark said: Basically, the scammer can keep trying to access the account by guessing PINs and passwords until it gets through.

The other chilling thing about this, according to Mark Collier, is that the VOIP component only needs to be on the calling end of the scam--even companies that remain 100% TDM are vulnerable to the call flooding that can be generated by a person with access to VOIP systems.

So what do you do about this? The FBI has suggestions in its press release, which are mostly security best practices like changing passwords frequently and notifying the service provider and authorities if you think a phone call you've received is part of a DoS attack.

Mark Collier adds that an enterprise can try to be proactive about monitoring call volumes for DoS, so that deviations in usual calling patterns that might indicate an attack are spotted quickly. That way, if a DoS attack happens to stumble upon the DIDs of the large enterprise, the enterprise will know it right away.

by Eric Krapf.