Security threats

Dear Partners,
There has recently been a surge of phishing attacks on employees of VoIP companies, and we want to share our preventive security recommendations to keep your VoIP business safe. The intrusion attempts follow one pattern: obtain an employee's access credentials, then use them to get into the VoIP platforms that employee works with.

In a few words, phishing is an attack that aims to obtain a user's logins and passwords through messages, links or files that pretend to be something they are not. The most common type is e-mail or IM-based phishing with a malicious executable file attached. The file may come from an unknown sender or from the account of a contact that has already been compromised, and it is usually disguised as a rate sheet or an interconnection offer.

Warning! The typical malicious file is an executable script with a ".wsf" or ".vbs" extension (or the less exotic ".ps1" or ".bat"); opening such a file without knowing its contents is extremely dangerous. Don't let its name fool you: a file with one of these extensions is a script that Windows will run, not a rate sheet or an office document, whatever it is called. Once run, it installs itself so that it survives a reboot, monitors the user's actions and sends application data to the attacker (e-mail credentials, contacts, browser history and so on).
With that data the attacker can log in to the user's accounts on various systems. Employees of VoIP companies are the main target because the intruder has one specific goal: to add third-party IP addresses to the routing settings and send fraudulent traffic through them, and the whole scheme is built around that. After one successful attack, the intruder tries to spread the malware further by sending it to people in the victim's contact list, hoping they will be careless enough to accept and open the file.

So the scheme is quite simple: you receive a file from a compromised partner via Skype or e-mail, you run it, and the attacker has your logins and passwords to various services, including your e-mail and VoIP platform access. All that is left for him is to log in to the service interface and do what he wants. Even worse, he keeps receiving more of your data until you detect the activity and remove every trace of the malware from your OS (or reinstall it completely).

Important To Know! Other phishing methods involve sending a real document in one of the common Office formats (".doc", ".xls", or the macro-enabled ".docm" and ".xlsm"; the plain ".docx" and ".xlsx" formats are macro-free by design) containing a so-called macro: a piece of code that can interact with the OS outside the scope of the office application. By default, Office keeps macros disabled and shows a security warning instead, so if Office asks you to enable macros to view a file, do not allow it and ask your system administrator to check the file for a possible threat. Unless you know exactly what a particular document uses a macro for, it is good advice to be suspicious of any document that contains one.
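To make the two warnings above concrete, here is an added example (my own code, not part of the original advisory) that screens e-mail attachments the way a mail gateway or a careful administrator would: it rejects files whose final extension is a script, catches the double-extension trick (a script named like a rate sheet), checks that a file claiming to be an Office document really is one, and inspects modern Office packages for a VBA project. The extension lists beyond the four the advisory names, and the sample attachments, are my own constructions.

```python
import io
import os
import zipfile

# Extensions the advisory names (.wsf, .vbs, .ps1, .bat) plus other types that
# Windows executes directly; the additional entries are my own, not the page's.
SCRIPT_EXTENSIONS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr", ".com", ".pif"}
# Modern Office packages are zip files; a VBA project lives in a vbaProject.bin
# member. The plain .docx/.xlsx variants are macro-free by design, but we inspect
# them anyway because an extension can be renamed.
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Legacy binary Office formats (OLE compound files) can carry macros; confirming
# that needs an OLE parser this example does not include, so they go to review.
OLE_EXTENSIONS = {".doc", ".xls", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def suffixes(filename):
    """All extensions of a file name, lower-cased: 'Rates.xlsx.vbs' -> ['.xlsx', '.vbs']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def ooxml_has_macros(data):
    """True if the zip contains a VBA project, False if not, None if it is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in package.namelist())
    except zipfile.BadZipFile:
        return None


def classify(filename, data):
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'."""
    sfx = suffixes(filename)
    if not sfx:
        return "review", "no extension at all"
    last = sfx[-1]
    if last in SCRIPT_EXTENSIONS:
        if len(sfx) > 1:
            # e.g. rates.xlsx.vbs: Windows runs it as VBScript, whatever the name says
            return "block", "script hidden behind a double extension " + "".join(sfx)
        return "block", "executable script " + last
    if last in OOXML_EXTENSIONS:
        macros = ooxml_has_macros(data)
        if macros is None:
            return "block", last + " attachment is not an Office package"
        if macros:
            return "block", "Office package contains a VBA macro project"
        return "allow", "Office package without macros"
    if last in OLE_EXTENSIONS:
        if not data.startswith(OLE_MAGIC):
            return "block", last + " attachment is not an OLE document"
        return "review", "legacy Office format; macro check needs an OLE parser"
    return "review", "unhandled type " + last


def build_ooxml(with_macro):
    """Constructed minimal Office-style package for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", OLE_MAGIC)
    return buf.getvalue()


def screen(attachments):
    """Classify a list of (filename, bytes) pairs; returns {filename: verdict}."""
    return {name: classify(name, data)[0] for name, data in attachments}


# Constructed sample mailbox: names modelled on the lures the advisory describes.
SAMPLE_ATTACHMENTS = [
    ("Rate_sheet_May.xlsx.vbs", b"Set fso = CreateObject(\"Scripting.FileSystemObject\")"),
    ("interconnection_offer.wsf", b"<job><script language='VBScript'></script></job>"),
    ("rates.xlsx", build_ooxml(with_macro=False)),
    ("offer.docm", build_ooxml(with_macro=True)),
    ("rates_2.xlsx", b"MZ\x90\x00 not actually a zip"),
    ("old_rates.xls", OLE_MAGIC + b"\x00" * 8),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict, reason = classify(name, data)
        print(f"{verdict:6}  {name:28}  {reason}")
```

The verdict is driven by the final extension only, because that is all Windows looks at when it decides what to run; the "review" bucket exists so that files the simple check cannot vouch for (legacy .doc/.xls) land with a human rather than being allowed by default.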

How to protect yourself and avoid being compromised?

Here are some general recommendations on how to protect both the server software and the people who use it.

1. Server:

1.1. Use HTTPS: plain HTTP lets a third party intercept the connection and read or alter everything in it, including session cookies. Switching to HTTPS is easy: use a certificate from a trusted CA where possible (a self-signed certificate still encrypts the connection, but browsers warn about it, and users who learn to click through warnings are exactly what an attacker in the middle wants). Redirect all HTTP requests to HTTPS and mark session cookies as Secure so they are never sent in the clear. This is the quickest way to secure your web interfaces, and we recommend doing it first.

1.2. IPMI/KVM access must be secured at all costs: make sure your data centre does not expose it to the outside world (management interfaces belong on a separate network reachable only through VPN), that default credentials have been changed, and that the firmware is kept up to date.

1.3. Secure every kind of access credential: simply do not give them to anyone except the people who must have them.

1.4. Review your firewall rules and network infrastructure: expose only the ports your platform actually needs, and only to the addresses that need them.

2. The client side is where phishing attacks succeed, so:

2.1. Never reuse the same password for different services. It is the easiest way to compromise a whole lot of accounts at once.

2.2. Use two-factor authentication: against phishing, 2FA may be your only protection, because an attacker who has your password, and even access to your mailbox, still cannot complete a login that requires a confirmation code from your phone. For the same reason a code delivered to the same e-mail account is a much weaker second factor than an authenticator app on your phone.

2.3. Have a strong security policy: keep the OS and software up to date, never use IMs for transferring files, always check an e-mail attachment and its source before opening it (if you did not expect that file from that sender, do not open it at all), do not accept sudden pop-ups from the browser or e-mails without knowing exactly what they do, and generally do not take risks: being paranoid about data and software means being safe.

2.4. Tips for Windows users: install an antivirus solution to detect malware and spyware and stop it from running; most antivirus products have a permanent (real-time) protection mode for this. Another highly recommended step is to disable Windows Script Host, the Windows component that runs script files such as .wsf, .vbs and .js. Microsoft documents the procedure: it amounts to setting the REG_DWORD value Enabled to 0 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings (the same path under HKEY_CURRENT_USER disables it for a single user). Note that this does not stop .ps1 or .bat files, which are run by PowerShell and cmd.exe rather than Script Host, so the attachment rules above still apply. Also, never allow Office to enable macros when it asks you to.
2.5. Spread the word about this malicious activity among your partners: the more people are aware of it, the less likely someone else will be hacked this way.
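
As an added illustration of point 2.2 above (my own code, not part of the original advisory), here is the standard time-based one-time password algorithm from RFC 6238 together with a login check that requires both the password and a valid code, so a password alone, stolen by phishing, is not enough. It also refuses to accept the same code twice, so a code the attacker watched being entered is useless afterwards. The account record, the password hashing scheme and the demo key (the RFC 6238 test-vector secret) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(at_time) // step, digits)


class Account:
    """Constructed user record: salted password hash plus the shared TOTP secret."""

    def __init__(self, password, secret):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.secret = secret
        self.last_counter = -1   # highest time step whose code was already accepted

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_code(self, code, at_time=None, step=30, window=1):
        """Accept the code for the current step or one step either side (clock drift),
        but never for a step at or below one already used: a replayed code fails."""
        now = int(time.time() if at_time is None else at_time) // step
        for counter in range(now - window, now + window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def login(account, password, code, at_time=None):
    """Both factors must pass; a correct password with a wrong or reused code is rejected."""
    if not account.check_password(password):
        return False
    return account.check_code(code, at_time)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, used as a demo key
    acct = Account("correct horse battery staple", secret)
    t = 1111111109                     # fixed time so the run is reproducible
    good = totp(secret, t)
    print("phished password alone :", login(acct, "correct horse battery staple", "000000", t))
    print("password + current code:", login(acct, "correct horse battery staple", good, t))
    print("same code replayed     :", login(acct, "correct horse battery staple", good, t))
```

The one-step window tolerates small clock differences between the phone and the server; the last_counter bookkeeping is what turns a "something you have" factor into something an attacker cannot simply re-enter after shoulder-surfing or intercepting one code.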

What to do if your data got compromised:

1. Fix whatever consequences the intrusion had on your VoIP platform: review the routing settings for IP addresses you did not add, remove and block them, and delete or disable the compromised accounts.
2. Check your computer for malware, spyware and viruses and clean every trace of it from the operating system, or, to be completely sure, reinstall the OS. This is the crucial step, and it must be done before changing passwords; otherwise the attacker simply captures the new ones.
3. Change the access credentials for your valuable services, starting with the e-mail account, since many other services depend on it (password resets go there). Then change the passwords of all services where that e-mail address is used.
4. Audit the other employees' accounts to make sure nobody else has been compromised. It is also good practice to rotate passwords across the company every few months, and in any case right after an incident.
5. Check your server applications and their logs for intrusion attempts: logins from unfamiliar addresses, routing or account changes nobody on your side made.
6. Analyse and investigate the source of the compromise and do whatever is necessary to make sure it is fixed for good. Identify other weak points and fix them to prevent further data leaks.