During the COVID-19 pandemic, criminals spoofed WHO by creating fake Gmail accounts and luring business leaders using the latest COVID-19 announcements and hacking their personal information. The links in the WHO-lookalike websites used fake login pages that prompted potential victims to give up their Google credentials and other personal information. On any given day, Google’s Threat Analysis Group (TAG) says it is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries.
Things are not very different when it comes to VoIP spoofing. Service providers, individuals, and businesses lose billions of dollars annually to fraudulent activity initiated through caller ID spoofing. Like brute force attacks or man-in-the-middle attacks, VoIP spoofing is yet another attack that continues to impact SIP security.
VoIP spoofing: How criminals attack
To intercept the VoIP traffic, criminals send spoofed ARP (Address Resolution Protocol) messages to associate their MAC addresses with the IP addresses of the victims’ PBX. When criminals succeed in fooling the network, the traffic meant for the PBX’s IP address is relayed to the criminals’ computers.
There have been several instances where businesses and individuals have fallen victims to caller ID spoofing. In the case of Jim Whitehead, a 56-year old accountant with a specialty engineering firm, attackers spoofed the caller ID of the firm’s bank and fooled Jim’s company network firewall into processing the call as an authenticated call. Believing the spoofed caller ID, Jim parted with crucial data about the firm’s bank account, which helped the hackers siphon off money from the account.
In other cases, spoofing calls make the receiver think that they owe someone money for back taxes, which can only be settled after sharing some sensitive financial information. In most cases, a VoIP spoofing incident intends to trick people into giving their data about their credentials, account/card details, etc.
SIP Security: How SBCs protect against VoIP spoofing attacks
Session Border Controllers (SBCs) detect network anomalies by analyzing traffic for abnormal behavior, attacks, and intrusions and applying the configured network policies. SBCs validate sessions and reduce incidences of spoofing by decoding SIP signaling messages and media stream data. They can thwart spoofing attacks because they can identify all abnormal calls by
– monitoring the state of call sessions and
– ensuring adherence to policies.
SBCs have full awareness of the network SIP stack and RTP streams used to carry voice and video traffic in VoIP-based communication systems. They inspect packets as they are transmitted across a network to prevent IP address spoofing attacks by identifying packets containing conflicting source address information.
While SBCs with standard configurations are good enough to protect against amateur hackers, you need more to protect against more determined, professional hackers. By dynamically managing your SBC with customizations specific to your network topology, you can detect the establishment of abnormal signaling session attempts or intrusion attempts.
However, securing SBCs in alignment with your enterprise network topology is challenging. Enterprises typically occupy five to seven networks containing multiple components within each network. Securing them requires careful consideration and configuration of multiple policy and control checks. Here’s where the challenges arise:
● Securing SBCs and your communication security system in a manner that ensures scalability
● Maintaining control of a dynamic enterprise network where different systems need multiple specific checks
● Training and equipping your Voice Ops personnel with the skills and tools that help them monitor and ensure VoIP/SBC security.
If you have any questions on managing your SBCs, or implementing SBC security best practices to deal with SIP security challenges, please contact us at sales@assertion.cloud