Wednesday, November 30, 2011

Using the Phone for Shoplifting

I know that this is not exactly telecom fraud, but seeing how that has moved from kids doing pranks to funding global terrorism it is time to look at how phones are being used in ways that were never envisioned.

We have seen how the phenomenon of flash mobs has been used for good and bad in the past year. Flash mobs helped topple governments in the Arab Spring, and they were also used in the UK riots. In each case the motivation behind the flash mob was different, ranging from frustration at years of oppression to looting driven by frustration at the slow economy.

Now retailers have to worry if they are the next targets. In an article Joan Goodchild offers 4 steps retailers can take to combat flash robs.
Flash robs, technically known as multiple-offender crimes, occur when a group of people coordinate to overcrowd a retail outlet and steal items by overwhelming staff with their numbers and speed.
Earlier this month, a crowd of youths in Maryland, some estimate as many as 50, made headlines when they flash robbed a 7-Eleven in Silver Spring, the third time such an incident has happened in that area this year.

While these types of group attacks are not new, the combination of smartphones with Twitter and Facebook makes these kinds of attacks easier to coordinate and carry out.

I will not repeat the suggestions that Joan gives in her article, but I will say that they make sense to me: product placement, cameras, enough staff, and training are the key.

Tuesday, November 29, 2011

Term Tuesdays - Premium Rate Fraud

Premium Rate Fraud
By tricking a person into calling a telephone number that charges more than expected, a fraudster is able to get some sort of revenue from each call.

These attacks come in various forms, but they all have 2 parts:
1. They have acquired a Premium Rate number that enables them to “revenue share” with the terminating operator.
2. They trick people into calling the number or use a hacked PBX to dial it themselves.

Part one is easy: they can get numbers from most phone companies, which offer them to legitimate businesses. These can include pay-per-call customer support services, sex lines, satellite lines, etc. In the USA these are usually associated with 1-900 numbers. But with the explosion of mobile virtual network operators (MVNOs) it is easy for what looks like a regular number to actually charge more for terminating the call than expected (more on this when I cover arbitrage fraud).

Fraud – From Fun Phreak to Terrorism

Cross posted to Humbug Telecom Labs Blog

In today’s news there are headlines showing the darkest side of Telecom Fraud:

Although the titles are different, the source and the story is all the same. The Philippine National Police – Criminal Investigation and Detection Group (CIDG) put out a press release explaining how a “joint operatives from the CIDG and the United States Federal Bureau of Investigation (FBI) have busted a group of Filipino hackers whose operation is allegedly being financed by a Saudi-based terrorist group”.

This operation was in response to a complaint filed by AT&T about the hacking of AT&T customers’ PBXs.

Monday, November 28, 2011

Bit9: The Dirty Dozen of security-vulnerable smartphones

Android has brought a variety of phones, with different hardware and software features, to the market. This has enabled more people to get the phone that they want. Bit9 says that unfortunately this has led to “an estimated 56% of Android phones in the marketplace today are running out-of-date and insecure versions of the Android.”

It seems that when phones are released they can be running versions of Android that are up to 18 months out of date, and thus lacking all the latest security updates.

"All operating systems have vulnerabilities," Harry Sverdlove, Bit9's chief technology officer, points out, but it's how quickly and effectively software gets fixed that matters. Bit9's analysis of the most vulnerable smartphones is based on criteria that include looking at smartphones with the highest market share that were running out-of-date and insecure software and had the slowest update cycles.

The Bit9 "Dirty Dozen" not-so-smart smartphone list includes:

1. Samsung Galaxy Mini
2. HTC Desire
3. Sony Ericsson Xperia X10

Thursday, November 24, 2011

Limiting Bank Cards to Reduce Telecom Fraud

Presented without comment:

Global Times | November 24, 2011 00:35
By Global Times
Local [Shanghai] police and the city's financial supervision departments are mulling over the decision to propose limiting the number of bank cards customers are permitted to get from each commercial bank to reduce telecom fraud. 

More than 9,000 telecom fraud cases were reported in the first 10 months of the year, said police.

Tuesday, November 22, 2011

Term Tuesdays - Telecom Fraud Explained: Known Fraudulent Numbers

Term Tuesdays - Telecom Fraud Explained

Today’s term is actually a type of Telecom Fraud: in this case it is when your PBX makes calls to Known Fraudulent Numbers or Destinations.

Calls to Known Fraudulent Numbers or Destinations
Telecom fraud is a well-known problem, and like the “Nigerian Bank Scam,” there are blacklists of phone numbers, area codes, etc. that can be blocked or monitored if the right tools are at hand. To protect yourself you need to use various types of blacklists to prevent inappropriate calls from being made.

Humbug supports several types of Blacklists:
  • Community Blacklist - Protect your PBX from over 70,000 industry-confirmed blacklisted numbers
  • Number Blacklist - Setup your own list of blacklisted numbers
  • Country Blacklist - Receive alerts when traffic to/from specific countries you select is detected

Like PC-based antivirus or anti-malware products, Telecom Fraud prevention needs to be updated regularly as fraudsters try new sources, destinations, and types of attack.

It is a moving target and thus you need to be vigilant and use a solution that is constantly updated with these new attacks.
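To make the three list types concrete, here is an added example (my own illustration, not Humbug's code) that screens a few PBX call detail records against a community list of exact numbers, the operator's own number list, and a prefix list for countries and high-cost ranges. The blacklist contents and the CDR rows are constructed; the Cuba, 900 and 809 prefixes are the examples named in these posts, and the number normalization assumes US dialing conventions.

```python
"""Screen PBX call detail records (CDRs) against the three blacklist types the post describes.

This is an added illustration, not Humbug's code; the blacklist contents and CDR
lines below are constructed examples."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed example lists (not a real community feed).
COMMUNITY_BLACKLIST = {"+12025550199", "+442079460123"}   # exact numbers shared by the community
NUMBER_BLACKLIST = {"+13125550142"}                         # the operator's own exact numbers
# Country / destination prefixes to alert on. The posts name Cuba (+53) and the
# NANP 900 and 809 premium-rate ranges as examples.
PREFIX_BLACKLIST = {
    "+53": "Cuba",
    "+1900": "premium rate (900)",
    "+1809": "premium rate (809)",
}


def normalize(dialed: str) -> str:
    """Turn a dialed string into a '+'-prefixed number using US dialing conventions."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if dialed.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("011"):                    # US international access code
        return "+" + digits[3:]
    if len(digits) == 10:                           # NANP number without the country code
        return "+1" + digits
    return "+" + digits                             # assume the country code was dialed


def classify(number: str) -> Optional[str]:
    """Return why a normalized number should be blocked or alerted on, or None if clean."""
    if number in COMMUNITY_BLACKLIST:
        return "community blacklist"
    if number in NUMBER_BLACKLIST:
        return "number blacklist"
    # Longest prefix wins, so a specific entry such as "+1900" is reported
    # even if a shorter prefix like "+1" were ever added to the list.
    for prefix in sorted(PREFIX_BLACKLIST, key=len, reverse=True):
        if number.startswith(prefix):
            return PREFIX_BLACKLIST[prefix]
    return None


@dataclass
class Alert:
    src: str
    dst: str
    reason: str


def screen_cdrs(cdr_text: str) -> List[Alert]:
    """Run every CDR row through the lists and collect the ones that need attention."""
    alerts = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        number = normalize(row["dst"])
        reason = classify(number)
        if reason is not None:
            alerts.append(Alert(row["src"], number, reason))
    return alerts


# Constructed CDR extract: extension, dialed digits, billable seconds.
SAMPLE_CDRS = """\
timestamp,src,dst,billsec
2011-11-22T02:14:05,201,011 53 7 123 4567,620
2011-11-22T09:30:11,203,312-555-0142,45
2011-11-22T10:02:40,205,1-900-555-0177,900
2011-11-22T11:15:00,207,202-555-0123,120
"""

if __name__ == "__main__":
    for alert in screen_cdrs(SAMPLE_CDRS):
        print(f"ext {alert.src} -> {alert.dst}: {alert.reason}")
```

The same classify() step applies to a personal phone's call and SMS log: normalize the number first, then check the exact lists before the prefixes, so that a community hit is reported ahead of a looser country match.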

Friday, November 18, 2011

Time to start protecting yourselves

Time to start protecting yourselves:
Android devices see staggering surge in viruses - Juniper Networks
Article at:

Tuesday, November 15, 2011

Term Tuesdays - PBX Dial-Through

Today's Fraud term is PBX Dial-Through
Dial-through fraud relies on a feature that exists on every PBX. This feature allows employees to call into the switchboard or their voicemail and make outgoing calls after entering a password or PIN. Now this is a very convenient feature, and the reasons it exists are legitimate:
  1. Enable traveling or out of office employees to make work related calls without having to pay for the calls themselves.
  2. Enable people to return calls without having to write down or remember the number left in the message.
Although this feature may be turned off at installation, hackers will try to break in and create their own mailbox, which will allow them to dial in and then make any calls they wish. (Next week we will discuss how they can get into the system to do this.)

To protect your company you need to ask these questions - 
  • Do we need this at all?
  • If so, does everyone (and every mailbox) need it? Can you think of a reason why the server room, break room, conference rooms, or lobby need a mailbox, let alone one with this feature?
  • For those who need it, can calling cards or dial back be used instead?
If the answer is that you do need it, then limit it to:
  • Selected people, and make sure that they use strong passwords (no 1111, 1234, or their extension). 
  • Specific times of day - do they need to make work calls on weekend nights?
  • Specific call types - do they need to make local calls, long distance calls, international calls, calls to Cuba?
Use a proactive monitoring tool like Humbug to monitor and prevent abuse.
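As an added example of what those limits look like when enforced in code (my own illustration, not Humbug's or any PBX vendor's implementation), the block below keeps a per-mailbox dial-through policy covering who may use the feature, the PIN rules from the list above, permitted hours and days, and permitted call classes. The policy table, the six-digit minimum PIN length and the rough NANP call classification are constructed assumptions.

```python
"""Policy checks for PBX dial-through (DISA / voicemail call-back), following the
questions in the post: who may use it, with what PIN, at what times, and to what
destinations. Added example, not Humbug's code; the policy table is constructed."""
from datetime import datetime
from typing import List, Tuple

# Constructed policy table. Mailboxes with no entry (lobby 100, server room 101, ...)
# cannot dial through at all, which answers the "do we need this?" question per mailbox.
DIAL_THROUGH_POLICY = {
    "204": {"pin": "739182", "hours": (7, 20), "weekdays_only": True,
            "classes": {"local", "long_distance"}},
    "215": {"pin": "582047", "hours": (0, 24), "weekdays_only": False,
            "classes": {"local", "long_distance", "international"}},
    "220": {"pin": "1234", "hours": (7, 20), "weekdays_only": True,
            "classes": {"local"}},                 # deliberately weak, for the audit below
}


def is_weak_pin(pin: str, extension: str) -> bool:
    """Reject the PINs the post warns about: 1111, 1234, the extension itself, or anything short
    (the six-digit minimum is an assumption of this example)."""
    if len(pin) < 6 or not pin.isdigit():
        return True
    if len(set(pin)) == 1:                                  # 111111, 000000
        return True
    if pin in "0123456789" or pin in "9876543210":          # ascending or descending runs
        return True
    if extension in pin:                                    # 204 inside 204739
        return True
    return False


def call_class(dialed: str) -> str:
    """Rough NANP-centric classification used to apply per-class permissions (simplified)."""
    digits = "".join(c for c in dialed if c.isdigit())
    if dialed.strip().startswith("+") and not digits.startswith("1"):
        return "international"
    if digits.startswith("011"):                            # US international access code
        return "international"
    nanp = digits[1:] if len(digits) == 11 and digits[0] == "1" else digits
    if nanp[:3] in ("900", "809"):                          # high-cost ranges named in these posts
        return "premium"                                    # never in any allowed set
    if len(nanp) == 10:
        return "long_distance"
    return "local"


def authorize(extension: str, pin: str, when: datetime, dialed: str) -> Tuple[bool, str]:
    """Decide whether this dial-through attempt is within policy; returns (allowed, reason)."""
    policy = DIAL_THROUGH_POLICY.get(extension)
    if policy is None:
        return False, "dial-through not enabled for this mailbox"
    if pin != policy["pin"]:
        return False, "bad PIN"
    if policy["weekdays_only"] and when.weekday() >= 5:     # Saturday=5, Sunday=6
        return False, "weekend use not permitted"
    start, end = policy["hours"]
    if not start <= when.hour < end:
        return False, "outside permitted hours"
    cls = call_class(dialed)
    if cls not in policy["classes"]:
        return False, f"call class '{cls}' not permitted"
    return True, cls


def audit_weak_pins() -> List[str]:
    """Provisioning-time check: which enabled mailboxes still have a guessable PIN?"""
    return [ext for ext, p in DIAL_THROUGH_POLICY.items() if is_weak_pin(p["pin"], ext)]


if __name__ == "__main__":
    tuesday = datetime(2011, 11, 15, 10, 0)
    print(authorize("204", "739182", tuesday, "555-0142"))
    print(authorize("204", "739182", tuesday, "1-900-555-0177"))
    print("weak PINs:", audit_weak_pins())
```

The order of checks matters: a mailbox that is not in the table is refused before any PIN is examined, so creating a rogue mailbox is not enough on its own, and audit_weak_pins() is meant to run at provisioning time rather than at call time.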

Also, make sure that people are aware that the return-the-call feature on their cellular phone can be set to call premium numbers that can cost more than $2 per minute.

In the end it is your PBX, and the phone company will expect you to pay for the calls so protect yourself.

Monday, November 14, 2011

McAfee Warns Consumers of the Twelve Scams of Christmas

Just in time for the holiday season Gary Davis at McAfee has put up a blog post that Warns Consumers of the Twelve Scams of Christmas.

Now, most of these are not Telecom related, but I would like to point out 3 of them as being Telecom Fraud related:

1. Mobile Malware:
Malware is not new; it has been around in the PC world for a long time, but now there are enough smartphones around to make it financially worthwhile to attack them.

That said, be aware that Gary mentions that a new cell-phone-specific attack has started:
New malware has recently been found that targets QR codes, a digital barcode that consumers might scan with their smartphone to find good deals on Black Friday and Cyber Monday, or just to learn about products they want to buy.

2. Malicious Mobile Applications:
I have written about this before when Symantec broke the story about the phony Netflix Android apps. Just to show this is not a problem for Android alone, recently there was a story about someone who created InstaStock, a stock ticker app, for the iPhone that was designed to
A researcher with the security firm Accuvant, Miller had rigged the app to connect to a server in his St. Louis home and to receive commands to perform a number of devious tasks, including reading an iPhone's files, making a phone vibrate and remotely downloading the pictures and contacts stored on the device of a person running the app.
7. Holiday Phishing Scams
Again Phishing is not new, and I have written about it in the past, but Gary has pointed out 3 specific ones related to the holidays you should watch out for:
A common holiday phishing scam is a phony notice from UPS, saying you have a package and need to fill out an attached form to get it delivered. The form may ask for personal or financial details that will go straight into the hands of the cyberscammer.
Banking phishing scams continue to be popular and the holiday season means consumers will be spending more money—and checking bank balances more often. From July to September of this year, McAfee Labs identified approximately 2,700 phishing URLs per day.
Smishing –SMS phishing—(in the US it is Text Phishing) remains a concern. Scammers send their fake messages via a text alert to a phone, notifying an unsuspecting consumer that his bank account has been compromised. The cybercriminals then direct the consumer to call a phone number to get it re-activated—and collects the user’s personal information including Social Security number, address, and account details.

Again, none of these are new, and there have been email variants of them all. All of them are intended to trick you out of information that can be used to access your bank account, but the SMS one has an additional cost in that it asks you to call a phone number, which in and of itself can cost you significant money.

The phone number that they have you call can be a premium or other high cost number that can charge you at least $1 per minute. So pay attention to the number to make sure it is not one you want to avoid (examples are 809, 900, etc.).

I recommend you read his article if only for the refresher of all the hazards out there at the holiday season and how to protect yourself from the ones I have not mentioned.

Friday, November 11, 2011

Who Protects Call Centers from Telecom Fraud: Humbug Does

Humbug Telecom Labs announces the release of their Call Center Solution White Paper-

Ramat HaSharon, Israel – November 11, 2011 - Humbug Telecom Labs, provider of carrier-class fraud prevention, detection and telecom analytics for any size business; today announced the release of a new white paper, Benefits of Telecom Analytics & Fraud Detection for Call Centers. 

Press release:

Tuesday, November 8, 2011

Term Tuesdays - Service & Application Level Fraud

Guest post by Boaz Bechar, VP Business Development at Humbug Labs

ITSPs are constantly innovating in the telephony marketplace, releasing new services and applications on various platforms, and it can be challenging to keep maintaining, administering and implementing new revenue assurance techniques. From online and mobile applications to calling cards and dial-in services, ITSPs have many gates to watch, and to add to the complexity of the matter, each service may have its own set of security rules. For example, a web-based calling application may want to limit the number of simultaneous calls an account may place, while this limit might need to be raised for a multi-line office using SIP connectivity.

Marketing efforts often require complex and dynamic pricing schemes and bundled packages to be offered to users, with direct implications for the accounting and billing systems. Revenue assurance should play a central role in creating and shaping the available offers, which, if left unmanaged, can create fraud and abuse vulnerabilities. For example, calls to low-cost termination points such as the US and Canada are often offered as free destinations, and as such require additional sets of rules in order to avoid exploitation. Limits on the total duration and number of calls an account can place per destination and time period, as well as duration limits on a per-call basis, are all basic steps which can help avoid abuse. Additionally, subscription fraud can fuel exploitation of calling plans, through multiple subscriptions by one user maximizing usage to uncharged destinations. Avoiding this is in most cases straightforward, by placing time-based limitations on originating/terminating phone numbers, or depending on the scale of the ITSP, limitations on the first 6-7 digits of the number in order to secure against banks of number ranges being used.
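The limits described in that paragraph, written out as an added example (my own illustration, not Humbug's or any ITSP's billing code): a per-call duration cap, a per-account call count and minute quota per free destination and day, and a shared minute quota on the originating number's first 7 digits so that several subscriptions drawn from one number block cannot each use the full free allowance. The limit values and call records are constructed, and the US/Canada "+1" free destination is the post's own example.

```python
"""Usage limits for a free-destination calling plan, implementing the controls in the
post: per-call duration cap, per-account call count and minutes per destination and
day, and a quota on the originating number range (first 7 digits) to catch banks of
subscriptions sharing a number block. Added example, not Humbug's code; all limits
and call records are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Destinations offered free of charge (the post's US/Canada example).
FREE_DESTINATION_PREFIXES = ("+1",)

# Constructed example limits for the free bundle.
LIMITS = {
    "max_call_minutes": 90,
    "max_calls_per_account_per_day": 20,
    "max_minutes_per_account_per_day": 120,
    "max_minutes_per_caller_range_per_day": 300,   # shared by every account in the range
    "caller_range_digits": 7,
}


class UsageLimiter:
    def __init__(self, limits: Dict[str, int] = LIMITS):
        self.limits = limits
        # (account, destination prefix, day) -> minutes of each accepted call
        self.account_calls = defaultdict(list)
        # (caller-ID range, day) -> accepted minutes across all accounts
        self.range_minutes = defaultdict(float)

    @staticmethod
    def free_prefix(dst: str) -> Optional[str]:
        return next((p for p in FREE_DESTINATION_PREFIXES if dst.startswith(p)), None)

    def check(self, account: str, caller_id: str, dst: str,
              start: datetime, minutes: float) -> Tuple[bool, str]:
        """Apply the limits to one call record; accepted calls count toward later ones."""
        prefix = self.free_prefix(dst)
        if prefix is None:
            return True, "billable destination"          # charged normally, not rate-limited here
        if minutes > self.limits["max_call_minutes"]:
            return False, "per-call duration cap"
        day = start.date()
        prior = self.account_calls[(account, prefix, day)]
        if len(prior) + 1 > self.limits["max_calls_per_account_per_day"]:
            return False, "daily call count for free destinations"
        if sum(prior) + minutes > self.limits["max_minutes_per_account_per_day"]:
            return False, "daily minutes for free destinations"
        # Key the shared quota on the leading digits of the caller ID, not the account,
        # so multiple subscriptions from one number block draw on one allowance.
        caller_range = "".join(c for c in caller_id if c.isdigit())[: self.limits["caller_range_digits"]]
        if self.range_minutes[(caller_range, day)] + minutes > self.limits["max_minutes_per_caller_range_per_day"]:
            return False, "caller-ID range quota (possible multi-subscription abuse)"
        prior.append(minutes)
        self.range_minutes[(caller_range, day)] += minutes
        return True, "ok"


# Constructed call records: account, caller ID, destination, start, minutes.
# Four accounts all present caller IDs from the same 7-digit block 4420794.
SAMPLE_CALLS = [
    ("acct-A", "+442079460111", "+12125550100", "2011-11-08T09:00", 30),
    ("acct-A", "+442079460111", "+12125550100", "2011-11-08T10:00", 90),
    ("acct-A", "+442079460111", "+12125550100", "2011-11-08T11:00", 1),
    ("acct-A", "+442079460111", "+12125550100", "2011-11-08T12:00", 91),
    ("acct-A", "+442079460111", "+442079460999", "2011-11-08T12:30", 200),
    ("acct-B", "+442079460222", "+12125550100", "2011-11-08T13:00", 60),
    ("acct-B", "+442079460222", "+12125550100", "2011-11-08T14:00", 60),
    ("acct-C", "+442079460333", "+12125550100", "2011-11-08T15:00", 60),
    ("acct-D", "+442079460444", "+12125550100", "2011-11-08T16:00", 5),
]


def run_sample() -> List[Tuple[bool, str]]:
    limiter = UsageLimiter()
    return [limiter.check(acct, cli, dst, datetime.fromisoformat(ts), mins)
            for acct, cli, dst, ts, mins in SAMPLE_CALLS]


if __name__ == "__main__":
    for record, decision in zip(SAMPLE_CALLS, run_sample()):
        print(record[0], record[2], record[4], "->", decision)
```

In the sample, account A exhausts its own 120 free minutes, the 91-minute attempt is stopped by the per-call cap before any quota is consulted, the billable UK call is left alone, and account D is refused only because accounts A, B and C from the same number block have already used the range's 300 minutes between them.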

Although internet-based, ITSPs also provide a wide spectrum of traditional telephony services, including IVRs, dial-in services such as DISA/calling cards, and voicemail capabilities. Each application, capability and feature can potentially become a source of fraud, and should be included in all revenue-assurance considerations. For example, if a hacker can find or break a user’s voicemail password (typically 4 digits, e.g. 1111), they can call in to the voicemail system to remotely check the user’s messages. While not a revenue assurance problem at first, this can quickly turn into a costly attack if the voicemail system has the capability to “call back the user who left this message”. Essentially the attacker uses the voicemail system to place calls to a premium number under their control, gaining revenue for each minute they hold the line.

Traditionally ITSPs take a network-security approach to preventing telecom fraud (i.e. IP blacklists, firewalls, etc.), when in fact this should be considered the last line of defense. Once it is breached, the internal network of the ITSP is compromised, and the aftermath can be catastrophic, leading to hundreds of thousands of dollars in financial exposure over the course of mere hours. Without the luxury of traffic monitoring by a dedicated network operations center (NOC), weekends and holidays can become a particular soft spot for hacking and fraud attempts.

You can learn more by reading Boaz’s White Paper - Fraud Management in an ITSP Environment 

Monday, November 7, 2011

Telecom Fraud from Smartphone malware apps

About 2 weeks ago I wrote about a phony Netflix app for Android; today the BBC has an article titled Smartphone scams: Owners warned over malware apps which talks about how these apps are made and how they can be used to commit phone fraud.

Criminals are typically creating Trojan copies of reputable apps and tricking users into installing them.
Once on the phone, the app can secretly generate cash for criminals through premium rate text messages. 
Get Safe Online, a joint initiative between the government, police and industry, said it was concerned that users of smartphones, such as Android devices, were not taking steps to protect their devices.
Get Safe Online said fraudsters are designing apps which generate cash secretly in the background without the owner realising until their monthly bill. A typical scam involves an app designed to send texts to premium rate services without the user knowing.

As with all telecom fraud the solution is a combination of setting the right controls and proactive monitoring.

To prevent a large, unexpected phone bill you should:

  • Confirm that the app you are installing is certified and is from the company that it claims to be from.
  • Install a malware protection app just like you have anti-virus on your laptop - and make sure it updates regularly. I wrote about some of these in the Netflix post.  
  • Pay attention to performance. If your battery seems to be running out too fast, if apps (and games) are running slowly, or if calls or web sites take longer to connect, you could have a malware app running on your system. If you do not have any protection, install some and run a full system check.
  • Occasionally look at your call and SMS (Text) logs to see if you have items that you did not make.
  • Actually review your phone bill; you usually only have a month to challenge mistakes or fraud, so this is your last line of defense.

New article about Humbug Telecom in iTWire

A new article, Keeping PBX fraudsters at bay by Sam Varghese, explains a little about how the Humbug Telecom Labs service works and gives a little preview of things to come.

Tuesday, November 1, 2011

Astricon updates

Rather than another Fraud Terms Tuesday, today I bring you 2 links from Astricon.

In the first, Tom Keating from TMC Net caught Nir and me running the first part of the Security Round Table. Here is his blog entry about it, AstriCon VoIP Security - $400,000 toll fraud - YIKES!, and here is the video he took at the start of the session.

Later that day we were interviewed by Chris DiMarco, also from TMC Net. Here is the link to his article, Saying Humbug to Telephony Fraud.