Wednesday, December 28, 2011

First Telecom Hacking

  • Claims that communication technology is 100% secure
  • Hacking a network with cheap common tools to show that those security claims are faulty
  • Patent claims challenged as too broad
  • Existing companies upset with new technologies breaking their business model

Sounds like the ongoing fights between Apple and Samsung or Oracle vs. Google.

“A century ago, one of the world’s first hackers used Morse code insults to disrupt a public demo of Marconi's wireless telegraph”

As explained in the New Scientist article Dot-dash-diss: The gentleman hacker's 1903 lulz by Paul Marks, a 39-year-old British music hall magician named Nevil Maskelyne was able to thwart Guglielmo Marconi’s demonstration to the Royal Institution.

It seems that Marconi had made promises of a secure wireless network connection only to have it hacked as they set up the demonstration, and then again while he was selling ship-to-shore services. In both cases Maskelyne was able to do it with inexpensive readily available tools.

The article is a good read, and tells how even as wireless communication was starting out the seeds of telecom fraud and patent fights were being sown.


And here I thought that the first fraud being Alexander Bell was surprising.

Tuesday, December 27, 2011

Term Tuesdays - Call Sell PBX Fraud

Online or offline call wholesalers hack into PBXs in order to sell calls to their customers without incurring any of the charges themselves; the more expensive the destination the better, and the more calls the wholesaler can route out of a call center simultaneously the better.


Destinations may be satellite phones that cost $8/minute to call, or countries that cost upwards of $2/minute to call. Obviously, the more lines the fraudster uses to perpetrate the attack, the more profound the financial loss.

Wednesday, December 21, 2011

Term Tuesdays - Off Hour Calls


Off Hour Call
Calls originating from an organization’s PBX may be the result of Internal Employee Fraud, unauthorized visitors, or remote hackers accessing the system. Most significant telecom fraud attacks are perpetrated when the enterprise is unmanned over weekends, bank holidays, religious holidays, etc.

Your telecom provider cannot identify these as they do not know your business. You need to be able to monitor and prevent calls at times when your business is closed.

We have seen cases of $25,000 - $400,000 in Telecom Fraud happening over a holiday weekend.

Thursday, December 15, 2011

ComReg warns firms to be on guard against PBX fraud

Telecoms watchdog ComReg has warned there has been a rise in the number of PBX fraud incidents where firms’ telephone systems have been hacked into and large bills generated over their lines.


Tuesday, December 13, 2011

Term Tuesdays - Internal Misconduct


Telecom fraudsters are not always outside the confines of the organization. 

Internal Employee Fraud is a significant contributor to fraud affecting enterprises. In the CFCA 2011 Telecom Fraud Survey they found that Internal/Employee Theft totaled $1.44 billion out of the over $40 billion of Telecom Fraud each year.

Employees may use company phones to make premium number, personal, and long distance calls. In the worst-case scenario, employees may actively enable toll fraud.

Without detailed per-call reporting it can be hard to identify who is making these calls or to implement policies to prevent them.

Monday, December 12, 2011

Lighter side- Phishing

This is as straightforward an example of Phishing as I have ever seen:

Any questions?

Tuesday, December 6, 2011

Term Tuesdays - PBX Hacking

In light of the news last week about the hacking of AT&T users' PBXs to fund Al Qaeda, I bring you PBX Hacking.


PBX Hacking
Hacking the PBX to gain unauthorized access, exploiting voicemail security, or trying default or common passwords are a few of many techniques. Fraudsters may also directly contact employees and, using “social engineering”, ascertain useful information that can be used to gain access to systems.

Hacking the PBX to gain access privileges is much like hacking a computer network. This attack type may include denial of service (DoS) attacks, brute force attacks, etc.

Hacking the PBX can also give access to internal computer systems via the link intended for connecting the PBX to the CRM system. This can allow the hacker to access customer data (including credit card information), insert viruses into your system, or otherwise disrupt business by bypassing the firewall.

In the Al Qaeda case they were calling Premium Numbers to charge calls to the enterprise PBXs; the revenue was then split with the hackers and paid to Al Qaeda.

Guest blogging on Peer-to-Peer blog: 2011's Biggest Frauds and Phreaks


I have another Guest Blog published on Channel Partners Magazine’s Peer-to-Peer blog

2011's Biggest Frauds and Phreaks 

It reviews the many news stories about Telecom Fraud that occurred during the year.

Thursday, December 1, 2011

Shssshhhhhh!!!! Al-Qaeda Phreaking!


Humbug Telecom Lab’s Eric Klein will be making a guest appearance on VoIP Users Conference weekly discussion:

Topic: As shown by the recent arrest in the case of the terrorists who were hacking AT&T business customers to fund Al-Qaeda, Telecom Fraud has come a long way from Captain Crunch and Steve Jobs phreaking Ma Bell for fun and glory. It is now big business aimed at stealing from you via your PBX. Let’s discuss actual cases and some things you can do to make sure your PBX is not funding terror.

Friday, December 2nd at 12 Noon Eastern Time (9AM Pacific)

Wednesday, November 30, 2011

Using the Phone for Shoplifting


I know that this is not exactly telecom fraud, but seeing how that has moved from kids doing pranks to funding global terrorism, it is time to look at how phones are being used in ways that were never envisioned.

We have seen how the phenomenon of flash mobs has been used for good and bad in the past year. Flash mobs helped topple governments in the Arab Spring, and they were used in the UK riots. In each case the motivation behind the flash mob was different, from frustration at years of oppression to looting driven by frustration at the slow economy.

Now retailers have to worry if they are the next targets. In an article, Joan Goodchild offers 4 steps retailers can take to combat flash robs:
Flash robs, technically known as multiple-offender crimes, occur when a group of people coordinate to overcrowd a retail outlet and steal items by overwhelming staff with their numbers and speed.
Earlier this month, a crowd of youths in Maryland, some estimate as many as 50, made headlines when they flash robbed a 7-Eleven in Silver Springs, the third time such an incident has happened in that area this year.

While these types of group attacks are not new, the combination of smartphones with Twitter and Facebook makes these kinds of attacks easier to coordinate and implement.

I will not repeat the suggestions that Joan gives in her article, but I will say that they make sense to me: Product Placement, Cameras, enough Staff, and training are the key.

Tuesday, November 29, 2011

Term Tuesdays - Premium Rate Fraud


Premium Rate Fraud
By tricking a person to call a telephone number that charges more than expected, a fraudster is able to get some sort of revenue from each call.

These attacks come in various forms, but they all have 2 parts:
1. They have acquired a Premium Rate number that enables them to “revenue share” with the terminating operator.
2. They trick people into calling the number or use a hacked PBX to dial it themselves.

Part one is easy: they can get numbers from most phone companies, who offer them to legitimate businesses. These can include pay-per-call customer support services, sex lines, satellite lines, etc. In the USA these are usually associated with 1-900 numbers. But with the explosion of mobile virtual network operators (MVNOs) it is easy for what looks like a regular number to actually charge more for the termination of the phone call than is expected (more on this when I cover arbitrage fraud).


Fraud – From Fun Phreak to Terrorism

Cross posted to Humbug Telecom Labs Blog

In today’s news there are headlines showing the darkest side of Telecom Fraud:

Although the titles are different, the source and the story are all the same. The Philippine National Police – Criminal Investigation and Detection Group (CIDG) put out a press release explaining how “joint operatives from the CIDG and the United States Federal Bureau of Investigation (FBI) have busted a group of Filipino hackers whose operation is allegedly being financed by a Saudi-based terrorist group”.

This operation was in response to a complaint filed by AT&T about the hacking of AT&T customers’ PBXs.

Monday, November 28, 2011

Bit9: The Dirty Dozen of security-vulnerable smartphones


Android has brought a variety of phones, with different hardware and software features, to the market. This has enabled more people to get the phone that they want. Bit9 says that unfortunately this has led to “an estimated 56% of Android phones in the marketplace today are running out-of-date and insecure versions of the Android.”


It seems that when phones are released they can be running versions of Android that can be up to 18 months out of date, and thus lacking all the latest security updates.


"All operating systems have vulnerabilities," Harry Svedlove, Bit9's chief technology officer, points out, but it's how quickly and effectively software gets fixed that matters. Bit9's analysis of the most vulnerable smartphones is based on criteria that includes looking at smartphones with the highest market share that were running out-of-date and insecure software and had the slowest update cycles.


The Bit9 "Dirty Dozen" not-so-smart smartphone list includes:

1. Samsung Galaxy Mini

2. HTC Desire

3. Sony Ericsson Xperia X10


Thursday, November 24, 2011

Limiting Bank Cards to Reduce Telecom Fraud

Presented without comment:

Global Times | November 24, 2011 00:35
By Global Times
Local [Shanghai] police and the city's financial supervision departments are mulling over the decision to propose limiting the number of bank cards customers are permitted to get from each commercial bank to reduce telecom fraud. 

More than 9,000 telecom fraud cases were reported in the first 10 months of the year, said police.

Tuesday, November 22, 2011

Term Tuesdays - Telecom Fraud Explained: Known Fraudulent Numbers


Term Tuesdays - Telecom Fraud Explained

Today’s term is actually a type of Telecom Fraud: in this case it is when your PBX makes calls to Known Fraudulent Numbers or Destinations.

Calls to Known Fraudulent Numbers or Destinations
Telecom fraud is a well-known problem, and much as with the “Nigerian Bank Scam,” there are blacklists of phone numbers, area codes, etc. that can be blocked or monitored if the right tools are at hand. To protect yourself you need to use various types of blacklists to prevent inappropriate calls from being made.

Humbug supports several types of Blacklists:
  • Community Blacklist - Protect your PBX from over 70,000 industry-confirmed blacklisted numbers
  • Number Blacklist - Set up your own list of blacklisted numbers
  • Country Blacklist - Receive alerts when traffic to/from specific countries you select is detected


Like PC based antivirus or malware protectors, Telecom Fraud prevention needs to be regularly updated as new sources, destinations, and types are tried by the fraudsters.


It is a moving target and thus you need to be vigilant and use a solution that is constantly updated with these new attacks.

Friday, November 18, 2011

Time to start protecting yourselves

Time to start protecting yourselves:
Android devices see staggering surge in viruses - Juniper Networks
Article at: http://www.totaltele.com/view.aspx?ID=469338&mail=645&C=0

Tuesday, November 15, 2011

Term Tuesdays - PBX Dial-Through


Today's Fraud term is PBX Dial-Through
Dial-through fraud relies on a feature that exists on every PBX. This feature allows employees to call into the switchboard or their voicemail and make outgoing calls after inputting a password or PIN. Now this is a very convenient feature, and the reasons that it exists are legitimate:
  1. Enable traveling or out-of-office employees to make work-related calls without having to pay for the calls themselves.
  2. Enable people to return calls without having to write down or remember the number left in the message.
Although this feature may be turned off upon installation, hackers will try to break in and create their own mailbox, which will allow them to dial in and then make any calls they wish. (Next week we will discuss how they can get into the system to do this.)

To protect your company you need to ask these questions:
  • Do we need this at all?
  • If so, does everyone (and all mailboxes) need it? Can you think of a reason why the server room, break room, conference rooms, or lobby need a mailbox, let alone one with this feature?
  • For those who need it, can calling cards or dial-back be used instead?
If the answer is that you do need it, then limit it to:
  • Selected people, and make sure that they use strong passwords (no 1111, 1234, or their extension).
  • Specific times of day - do they need to make work calls on weekend nights?
  • Specific call types - do they need to make local calls, long distance calls, international calls, calls to Cuba?
Use a proactive monitoring tool like Humbug to monitor and prevent abuse.

Also, make sure that people are aware that the “return call” feature on their cellular phone can be set to call premium numbers that can cost more than $2 per minute.

In the end it is your PBX, and the phone company will expect you to pay for the calls, so protect yourself.
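The controls described in the Off Hour Calls, Known Fraudulent Numbers, Premium Rate Fraud and PBX Dial-Through posts (calls outside business hours, community/number/country blacklists, the 900 and 809 premium ranges, a per-extension spend ceiling, and the weak dial-through PINs named above) put together as one added example. This is not code from the blog or from Humbug; the CDR line format, the policy tables, the holiday dates, the phone numbers, and the names CDR, parse_cdr, is_off_hours, weak_pin, check_call and scan are all constructed for the example.

```python
"""Added example, not code from the blog or from Humbug: a small call-detail-record (CDR)
monitor applying the checks the Term Tuesday posts describe. Policy tables, the CDR line
format and every record in SAMPLE_CDRS are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, date

# Constructed policy tables; a real deployment would load these from a maintained feed.
COMMUNITY_BLACKLIST = {"+2348012345678", "+18095551234"}   # constructed numbers
COUNTRY_WATCHLIST = {"CU", "SO"}                            # ISO country codes to alert on
PREMIUM_PREFIXES = ("1900", "1809")                         # the 900 and 809 ranges the posts name
HOLIDAYS = {date(2011, 12, 25), date(2011, 12, 26)}         # constructed holiday calendar
BUSINESS_HOURS = (8, 18)                                    # 08:00-18:00, weekdays only
PER_EXTENSION_DAILY_CAP_USD = 50.0                          # spend ceiling per extension per day

@dataclass
class CDR:
    start: datetime
    extension: str
    destination: str   # E.164 digits with leading '+'
    country: str
    minutes: float
    cost_usd: float

def parse_cdr(line):
    """Parse one constructed CDR line: start,extension,destination,country,minutes,cost."""
    start, ext, dest, country, minutes, cost = [f.strip() for f in line.split(",")]
    return CDR(datetime.fromisoformat(start), ext, dest, country, float(minutes), float(cost))

def is_off_hours(when):
    """Weekends, listed holidays, and anything outside BUSINESS_HOURS count as off-hours."""
    if when.date() in HOLIDAYS or when.weekday() >= 5:
        return True
    return not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1])

def weak_pin(pin, extension):
    """Dial-through PIN check: rejects repeated digits, ascending/descending runs,
    and a PIN equal to the extension, the patterns the dial-through post names."""
    if pin == extension or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})

def check_call(cdr, spend_so_far):
    """Return the list of rules a single call trips (empty when the call looks normal)."""
    reasons = []
    if is_off_hours(cdr.start):
        reasons.append("off-hours")
    if cdr.destination in COMMUNITY_BLACKLIST:
        reasons.append("blacklisted-number")
    if cdr.country in COUNTRY_WATCHLIST:
        reasons.append("watchlist-country")
    if cdr.destination.lstrip("+").startswith(PREMIUM_PREFIXES):
        reasons.append("premium-prefix")
    if spend_so_far + cdr.cost_usd > PER_EXTENSION_DAILY_CAP_USD:
        reasons.append("spend-cap")
    return reasons

def scan(lines):
    """Run every CDR through check_call, tracking per-extension daily spend as it goes."""
    spend = {}      # (extension, date) -> running cost in USD
    alerts = []
    for line in lines:
        cdr = parse_cdr(line)
        key = (cdr.extension, cdr.start.date())
        reasons = check_call(cdr, spend.get(key, 0.0))
        spend[key] = spend.get(key, 0.0) + cdr.cost_usd
        if reasons:
            alerts.append((cdr.extension, cdr.destination, reasons))
    return alerts

# Constructed sample: one normal call, then the kinds of calls the posts warn about.
SAMPLE_CDRS = [
    "2011-12-23T10:15:00,201,+14155550100,US,3.0,0.12",     # Friday morning, domestic: fine
    "2011-12-24T02:30:00,201,+2348012345678,NG,45.0,90.00",  # Saturday 02:30 to a blacklisted number
    "2011-12-26T11:00:00,305,+5370012345,CU,10.0,20.00",     # holiday, watchlisted country
    "2011-12-27T14:00:00,305,+19005550199,US,12.0,24.00",    # premium 900 number
    "2011-12-27T14:20:00,305,+18095551234,DO,30.0,60.00",    # 809 number that is also blacklisted
]

if __name__ == "__main__":
    for extension, destination, reasons in scan(SAMPLE_CDRS):
        print(f"ext {extension} -> {destination}: {', '.join(reasons)}")
    print("weak PIN 1234:", weak_pin("1234", "201"))
```

The spend ceiling is tracked per extension per calendar day, which is why the two afternoon calls from extension 305 on the same day accumulate into one "spend-cap" alert while the earlier holiday call from the same extension does not; a real deployment would replace the constructed tables with the maintained community, country and number lists the post describes and keep them updated.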

Monday, November 14, 2011

McAfee Warns Consumers of the Twelve Scams of Christmas

Just in time for the holiday season Gary Davis at McAfee has put up a blog post that Warns Consumers of the Twelve Scams of Christmas.


Now, most of these are not telecom related, but I would like to point out 3 of them as being Telecom Fraud related:

1. Mobile Malware:
Malware is not new; it has been around in the PC world for a long time, but now there are enough smartphones around to make it financially worthwhile to attack them.

That said, be aware that Gary mentions that a new cell phone specific attack has started:
New malware has recently been found that targets QR codes, a digital barcode that consumers might scan with their smartphone to find good deals on Black Friday and Cyber Monday, or just to learn about products they want to buy.

2. Malicious Mobile Applications:
I have written about this before when Symantec broke the story about the phony Netflix Android apps.  Just to show this is not a problem for Android alone, recently there was a story about someone who created InstaStock, a Stock Ticker app, for the iPhone that was designed to  
A researcher with the security firm Accuvant, Miller had rigged the app to connect to a server in his St. Louis home and to receive commands to perform a number of devious tasks, including reading an iPhone's files, making a phone vibrate and remotely downloading the pictures and contacts stored on the device of a person running the app.
           
7. Holiday Phishing Scams
Again Phishing is not new, and I have written about it in the past, but Gary has pointed out 3 specific ones related to the holidays you should watch out for:
A common holiday phishing scam is a phony notice from UPS, saying you have a package and need to fill out an attached form to get it delivered. The form may ask for personal or financial details that will go straight into the hands of the cyberscammer.
Banking phishing scams continue to be popular and the holiday season means consumers will be spending more money—and checking bank balances more often. From July to September of this year, McAfee Labs identified approximately 2,700 phishing URLs per day.
Smishing –SMS phishing—(in the US it is Text Phishing) remains a concern. Scammers send their fake messages via a text alert to a phone, notifying an unsuspecting consumer that his bank account has been compromised. The cybercriminals then direct the consumer to call a phone number to get it re-activated—and collects the user’s personal information including Social Security number, address, and account details.

Again, none of these are new, and there have been email variants of them all. Both have the intention of tricking you out of information that can be used to access your bank account, but the SMS one has an additional cost in that it asks you to call a phone number, which in and of itself can cost you significant money.

The phone number that they have you call can be a premium or other high cost number that can charge you at least $1 per minute. So pay attention to the number to make sure it is not one you want to avoid (examples are 809, 900, etc.).

I recommend you read his article if only for the refresher of all the hazards out there at the holiday season and how to protect yourself from the ones I have not mentioned.

Friday, November 11, 2011

Who Protects Call Centers from Telecom Fraud: Humbug Does

Humbug Telecom Labs announces the release of their Call Center Solution White Paper-

Ramat HaSharon, Israel – November 11, 2011 - Humbug Telecom Labs, provider of carrier-class fraud prevention, detection and telecom analytics for any size business, today announced the release of a new white paper, Benefits of Telecom Analytics & Fraud Detection for Call Centers.

Press release:
http://www.humbuglabs.org/index.php/index_c/news_call_centers_nov11

Tuesday, November 8, 2011

Term Tuesdays -Service & Application Level Fraud


Guest post by Boaz Bechar, VP Business Development at Humbug Labs

ITSPs are constantly innovating the telephony marketplace, releasing new services and applications on various platforms, and it can be challenging to continue and maintain, administer and implement new revenue assurance techniques. From online and mobile applications to calling-cards and dial-in services, ITSPs have many gates to watch, and to add to the complexity of the matter, each service may have its own set of security rules. For example, a web-based calling application may want to limit the amount of simultaneous calls an account may place, while this limit might need to be increased for a multi-line office using SIP connectivity.

Marketing efforts often require complex and dynamic pricing schemes and bundled packages to be offered to users, having direct implications on the accounting and billing systems. Revenue-assurance should play a central role in creating and shaping the available offers, which if left unmanaged, can create fraud and abuse vulnerabilities. For example, calls to low-cost termination points such as the US and Canada are often offered as free destinations, and as such require additional sets of rules in order to avoid exploitation. Limitations on the total duration and call quantities an account can place per destination, time period, as well as setting duration limits on a per-call basis, are all basic steps which can help avoid abuse. Additionally, the implications of subscription fraud can fuel exploitation of calling-plans, through multiple subscriptions of a user maximizing usage to uncharged destinations. Avoiding this is in most cases straightforward, by placing time-based limitations on originating/terminating phone numbers, or depending on the scale of the ITSP, limitations on the first 6-7 digits of the number in order to secure against banks of number-ranges being used.

Although internet based, ITSPs also provide a wide spectrum of traditional telephony services, including IVRs, dial-in services such as DISA/calling cards, and voicemail capabilities. Each application, capability and feature can potentially become a source for fraud, and should be included in all revenue-assurance considerations. For example, given that a hacker can find or break a user’s voicemail password (typically 4 digits, e.g. 1111), they can call in to a voicemail system to remotely check the user’s messages. While not a revenue assurance problem at first, this can quickly turn into a costly attack if the voicemail system has the capability to “call back the user who left this message”. Essentially this causes the attacker to make use of the voicemail system to place calls to a premium number under their control, gaining them revenue for each minute they hold the line.

Traditionally ITSPs take a network-security approach to preventing telecom fraud (i.e. IP blacklists, firewalls, etc), when in fact this should be considered the last line of defense. Once breached, the internal network of the ITSP is compromised, and the aftermath can be catastrophic, leading to hundreds of thousands of dollars in financial exposure over the course of mere hours. Without the luxury of traffic monitoring by a dedicated network-operation-center (NOC), weekends and holidays can become a particular soft-spot for hacking and fraud attempts.

You can learn more by reading Boaz’s White Paper - Fraud Management in an ITSP Environment 

Monday, November 7, 2011

Telecom Fraud from Smartphone malware apps

About 2 weeks ago I wrote about a phony Netflix app for Android; today the BBC has an article titled Smartphone scams: Owners warned over malware apps, which talks about how these apps are made and how they can be used to commit phone fraud.

Criminals are typically creating Trojan copies of reputable apps and tricking users into installing them.
Once on the phone, the app can secretly generate cash for criminals through premium rate text messages. 
Get Safe Online, a joint initiative between the government, police and industry, said it was concerned that users of smartphones, such as Android devices, were not taking steps to protect their devices.
Get Safe Online said fraudsters are designing apps which generate cash secretly in the background without the owner realising until their monthly bill. A typical scam involves an app designed to send texts to premium rate services without the user knowing.


As with all telecom fraud the solution is a combination of setting the right controls and proactive monitoring.

To prevent a large, unexpected phone bill you should:

  • Confirm that the app you are installing is certified and is from the company that it claims to be from.
  • Install a malware protection app just like you have anti-virus on your laptop, and make sure it updates regularly. I wrote about some of these in the Netflix post.
  • Pay attention to performance. If your battery seems to be running out too fast, if apps (and games) are running slowly, or if calls or web sites take longer to connect, you could have a malware app running on your system. If you do not have any protection, install one and run a full system check.
  • Occasionally look at your call and SMS (text) logs to see if you have items that you did not make.
  • Actually review your phone bill; you usually only have a month to challenge mistakes or fraud, so this is your last line of defense.

New article about Humbug Telecom in iTWire

New article Keeping PBX fraudsters at bay By Sam Varghese
http://www.itwire.com/business-it-news/security/50928-keeping-pbx-fraudsters-at-bay explains a little about how the Humbug Telecom Labs service works, and gives a little preview of things to come.

Tuesday, November 1, 2011

Astricon updates


Rather than another Fraud Terms Tuesday today I bring you 2 links from Astricon.

In the first, Tom Keating from TMC Net caught me and Nir running the first part of the Security Round Table. Here is his blog entry about it, AstriCon VoIP Security - $400,000 toll fraud - YIKES!, and here is the video he took at the start of the session.

Later that day we were interviewed by Chris DiMarco, also from TMC Net. Here is the link to his article Saying Humbug to Telephony Fraud.

Friday, October 21, 2011

SEC asks companies to disclose cyber attacks - is Telecom Fraud next


According to an article in today’s Reuters, SEC asks companies to disclose cyber attacks, the SEC set new guidelines on Thursday about cyber events that could lead to monetary losses.
U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes. 
Senator John Rockefeller has asked the SEC to set guidelines related to losses due to security breaches.
"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything," Rockefeller said in a statement.
"It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it," Rockefeller said in a statement.
Now that the SEC is asking companies to disclose cyber attacks that affect their finances, here is a question to ponder: is telecom fraud next? It is almost entirely financial, and has the possibility of exposing intellectual property and customer information while bypassing normal cyber security procedures.

Consider for a minute, with more than $80 billion worth of telecom fraud happening each year, how long will it be before companies are required to disclose this to stockholders or the SEC?

What is the fiscal responsibility of a company’s management to protect against and/or disclose this risk to stockholders?

What are you doing to protect your company?

Proactive monitoring and active security are a must to protect companies from this kind of loss.

For suggestions on how you can protect your company please see my guest blog Telecom Fraud Is Alive & Kickin’ or visit the Humbug Labs site to sign up for analytics and Fraud Detection.




Tuesday, October 18, 2011

Term Tuesdays - Subscription Fraud

Guest post by Boaz Bechar, VP Business Development at Humbug Labs

Consumer-facing ITSPs are battling to optimize their user-acquisition costs versus lifetime value – and are constantly trying out new techniques for signing up users. Registration form fields are reduced, making it as simple as possible for newcomers to join the service, while leaving the ITSP with many questions on who the user is – which may be a challenge when tackling subscription fraud.

In many cases, a free call or free calling credit is offered before/after account creation, allowing the user to familiarize with the system. The revenue-assurance decision tree from here can only get longer and wider, for example: If providing the user with a free call after signing up, what stops them from creating multiple accounts and making multiple free calls?

The low-hanging fruit would clearly be to place limits on the IP address and phone number the user is dialing from/to, however this can get problematic if disposable phone numbers are brought into the equation, and even more so with hackers who have full number-ranges in their war chest. There is no easy way to tackle this problem – but taking steps to greatly limit the financial exposure can be taken, such as limiting the total calls on a per-destination level, routing all free calls through cost-limited trunks, as well as carefully scrutinizing daily cost, duration and call volume user leader-boards, to make sure they are consistent with your rule-set. Additionally, maintaining blacklists of numbers and registration domains (i.e. blocking sites such as 10minutemail.com from registering) increases the barriers for fake-subscriptions while not affecting valued users.

Paying users, while the bread and butter of the ITSP, can also be a great concern in terms of subscription fraud. While pay-as-you-go based programs do have a certain limit on the financial exposure per user, margins can easily diminish due to costs associated with credit card charge-back fees from accounts using stolen credit cards or hacked online payment accounts (paypal, etc). Scrutinizing paying users becomes even more critical with postpaid accounts, which may bypass initial checks as a seemingly legitimate business, but then the account is used for fraud with no intent to pay (NITP).

To minimize exposure to fraud from paying users, it's important that an 'activation process' take place, where payment details are matched against the user’s registration data. Other vital indicators become relevant on a case-by-case basis, including review of the user’s credentials, looking for similar registered accounts, similar billing details previously used on the system, etc.

While ITSPs don't currently have the sophistication level of traditional carrier subscription fraud prevention techniques, they do have the ability to leverage new sets of data unique to their environment, in order to create new activation funnels. One proven technique is matching the password-hash used during registration, against a blacklist of known unwanted passwords as well as against previously flagged accounts. Creating more opportunities for unique data sets and matching against historical information is one method that can easily be deployed in an ITSP environment.

Relying on rule-based results completely can be ineffective and it's important to have mechanisms in place which allow anomalies to be spotted. For example, a South-American ITSP serving Brazil may find it an anomaly to receive a transaction from an account with a billing address in Congo. Different techniques work well in different operational scales and requirements, and it's up to the ITSP to find the balance between financial risk and rules required to activate an account prior to manual checks.

You can learn more by reading Boaz’s White Paper - Fraud Management in an ITSP Environment
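The account-level limits and activation checks Boaz describes across his two guest posts (a simultaneous-call limit that differs by account type, caps on free destinations per call and per day, a limit per bank of numbers, refusing disposable registration domains, matching the registration password hash against banned passwords and previously flagged accounts, and flagging a billing country outside the service region) worked into one added example. This is not code from Boaz, the blog or Humbug; the limits, the domain and country sets, the sample accounts, the plain SHA-256 stand-in for the registration hash, and the names Account, activation_flags, CallGovernor, demo_calls and demo_activation are all constructed for the example, and destinations are assumed to be E.164 digit strings whose first digit is the country code (only code 1 is treated as a free destination here).

```python
"""Added example, not code from the blog or from Humbug: account-level rules of the kind
Boaz's two posts describe for an ITSP. Limits, domain lists, country sets and the accounts
in the demo functions are all constructed for this example."""
import hashlib
from collections import defaultdict

# Constructed policy.
CONCURRENT_LIMIT = {"web": 1, "sip_office": 8}       # simultaneous calls allowed, by account kind
FREE_DESTINATIONS = {"1": {"max_calls": 10, "max_minutes": 60.0, "max_call_minutes": 15.0}}  # US/Canada
RANGE_PREFIX_LEN = 7           # cap on a bank of numbers: count calls per first 7 digits
RANGE_DAILY_CALL_LIMIT = 5
DISPOSABLE_DOMAINS = {"10minutemail.com"}            # registration domains to refuse
SERVICE_COUNTRIES = {"BR"}                           # where this constructed ITSP sells service
BANNED_PASSWORD_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in ("password", "123456")}

def password_hash(password):
    # Stand-in for the registration hash; a real system would use its own salted hash.
    return hashlib.sha256(password.encode()).hexdigest()

class Account:
    def __init__(self, account_id, kind, email, billing_country, password):
        self.id, self.kind, self.email = account_id, kind, email
        self.billing_country = billing_country
        self.password_hash = password_hash(password)

def activation_flags(account, flagged_hashes):
    """Registration-time checks: disposable e-mail domain, banned or previously flagged
    password hash, and a billing country outside the service region."""
    flags = []
    if account.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        flags.append("disposable-email")
    if account.password_hash in BANNED_PASSWORD_HASHES:
        flags.append("banned-password")
    elif account.password_hash in flagged_hashes:
        flags.append("password-shared-with-flagged-account")
    if account.billing_country not in SERVICE_COUNTRIES:
        flags.append("billing-country-anomaly")
    return flags

class CallGovernor:
    """Per-account counters consulted before a call is allowed to proceed."""
    def __init__(self):
        self.active = defaultdict(int)                    # account id -> calls in progress
        self.free_usage = defaultdict(lambda: [0, 0.0])   # (account id, country code) -> [calls, minutes]
        self.range_usage = defaultdict(int)               # (account id, number prefix) -> calls today

    def authorize(self, account, destination, requested_minutes):
        """Return the rules the call would break; an empty list means it was admitted and counted."""
        reasons = []
        if self.active[account.id] >= CONCURRENT_LIMIT[account.kind]:
            reasons.append("concurrent-limit")
        cc = destination[:1]                              # country code (single digit in this sample)
        rule = FREE_DESTINATIONS.get(cc)
        if rule:
            calls, minutes = self.free_usage[(account.id, cc)]
            if requested_minutes > rule["max_call_minutes"]:
                reasons.append("per-call-duration")
            if calls + 1 > rule["max_calls"] or minutes + requested_minutes > rule["max_minutes"]:
                reasons.append("free-destination-cap")
        prefix = destination[:RANGE_PREFIX_LEN]
        if self.range_usage[(account.id, prefix)] >= RANGE_DAILY_CALL_LIMIT:
            reasons.append("number-range-limit")
        if not reasons:                                   # admitted: update the counters
            self.active[account.id] += 1
            if rule:
                usage = self.free_usage[(account.id, cc)]
                usage[0] += 1
                usage[1] += requested_minutes
            self.range_usage[(account.id, prefix)] += 1
        return reasons

    def end_call(self, account):
        self.active[account.id] = max(0, self.active[account.id] - 1)

def demo_calls():
    """Constructed sequence: a web account hits the concurrency, per-call and number-range limits."""
    gov = CallGovernor()
    web = Account("a1", "web", "bob@example.com", "BR", "correct horse battery staple")
    out = [gov.authorize(web, "14155550100", 5.0)]        # admitted
    out.append(gov.authorize(web, "14155550101", 5.0))    # second simultaneous call refused
    gov.end_call(web)
    out.append(gov.authorize(web, "14155550102", 20.0))   # over the per-call minute limit
    for i in range(6):                                    # six short calls into one number bank
        out.append(gov.authorize(web, f"1415555020{i}", 1.0))
        gov.end_call(web)
    return out

def demo_activation():
    """Constructed registrations: one clean, one tripping every activation check."""
    flagged = {Account("f1", "web", "x@example.net", "BR", "hunter2").password_hash}
    clean = Account("a2", "sip_office", "ops@acme.example", "BR", "S3cure-Long-Phrase")
    suspect = Account("a3", "web", "t@10minutemail.com", "CG", "hunter2")
    return activation_flags(clean, flagged), activation_flags(suspect, flagged)

if __name__ == "__main__":
    print(demo_calls())
    print(demo_activation())
```

Refused calls leave the counters untouched, so a burst of rejected attempts cannot exhaust an account's own allowance; the number-range counter, on the other hand, is deliberately keyed on the prefix rather than the full number so that a fraudster walking through a bank of consecutive numbers runs into the same limit as one redialing a single number.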

Monday, October 17, 2011

Term Tuesdays - Telecom Fraud Explained

Each Tuesday I will be attempting to explain a different Telecom Fraud related term or concept. 


Where possible, I will include real world examples. For some cases I may not be allowed to release the specific information about the customer and then will provide the cases in general terms.

Topics will include:
  • Calls to Known Fraudulent Numbers or Destinations
  • Hacking
  • Internal Misconduct
  • Malware
  • Off Hour Call
  • PBX Dial-Through
  • Phishing
  • Proactive Monitoring
  • Service & Application Level Fraud
  • Subscription Fraud

As this is intended to be educational, I will try to include links to original articles or sources where the information originated, where they exist. Many of these will be related to white papers I or my coworkers publish on the Humbug Telecom Labs site.

Where they are applicable to a specific market segment or product type, I will identify them.

Whenever possible I will give tips or suggestions on how to prevent this type of fraud.

Thursday, October 13, 2011

New Phishing Technique - Mobile Apps

Symantec has a nice blog post about a new type of phishing scam that has emerged in the mobile world.

Apparently the fragmentation of the Android operating system has opened a window of opportunity for people who wish to phish mobile users. As the Symantec blog explains:
The official app, which was initially released in the early part of the year, was only recently published to the Android Market with support for multiple devices. A gap in availability, combined with the large interest of users attempting to get the popular service running on their Android device, created the perfect cover for Android.Fakeneflic to exploit.

In the images below you can see the subtle differences between the real and fake versions.




Once a user has clicked on the “Sign in” button, they are presented with a screen indicating incompatibility with the current hardware and a recommendation to install another version of the app in order to resolve the issue. There is no attempt to automatically download the recommended solution. Upon hitting the “Cancel” button, the app attempts to uninstall itself. Any attempt to prevent the uninstall process results in the user being returned to the previous screen with the incompatibility message.
In spite of the list of permissions that is requested, it is unclear what Android.Fakeneflic will collect from your phone or what it can do. But if past experience with PC based malware is any indication, then it could be used to capture your passwords or credit card information, and could even be used to hijack your voice or data connection to make fraudulent calls from your phone, calls for which you would be required to pay.

To protect yourself make sure you have a proper mobile security management product installed. There are several out there: Symantec, McAfee, Lookout, and Webroot all offer good products. In fact PC Magazine recently named Webroot Editor's Choice.

Do your research and protect yourself.

Thursday, October 6, 2011

Steve Jobs explains his involvement in Telecom Fraud

Cross posting from Humbug Blog


We are all saddened by the death of Steve Jobs (1955 - 2011)
He didn't just create products, he created a new way of life.  But looking back we find that this great innovator started by phreaking AT&T with his own home built blue box.

In this video, Steve explains how he and Steve Wozniak built Blue Boxes to make illegal free long distance calls, and how there would be no Apple today if they hadn't been such hooligans.

Steve Jobs Interview about the Blue Box Story

Why isn't everyone hacked every day? VoIP security is not the same as on PC

Michael Kassner has a good interview on TechRepublic today called Why isn't everyone hacked every day? In this article he interviews Microsoft Principal Researcher, Cormac Herley, along with Dinei Florencio, also a Microsoft Researcher about their paper “Where Do All the Attacks Go?"


Now, both the article and the paper are quite informative, but the conclusions they reach are valid for personal and corporate computer networks and do not translate to VoIP Security.


So let me explain why. First, the premise of the paper is that what we thought we knew about security is not correct:
“Internet security has a puzzling fact at its core. If security is only as strong as the weakest link; then all who choose weak passwords, reuse credentials across accounts, fail to heed security warnings or neglect patches and updates, should be hacked — regularly and repeatedly. Clearly this fails to happen.”

Wednesday, October 5, 2011

VoIP not so safe says Ian Kilpatrick

Ian Kilpatrick has written a nice piece highlighting the problems with how people deal with VoIP Security as they extend services.  In his article VoIP not so safe he says that

Many companies have now adopted VoIP, and many more are considering adopting it. But they don't necessarily realise that, by moving to VoIP, they have also moved into converged (phone/data) systems and a potentially dangerous security environment.
As companies deal with both the advent of VoIP services and employees connecting their mobile devices to the company network, the risks to the company increase exponentially.


I have a new whitepaper that offers some insights to the Benefits of Telecom Analytics and Fraud Detection for Enterprises that shows some of the risks companies face and ways to deal with them.