Tuesday, November 29, 2011

Fraud – From Fun Phreak to Terrorism

Cross posted to Humbug Telecom Labs Blog

In today’s news there are headlines showing the darkest side of Telecom Fraud:

Although the titles are different, the source and the story is all the same. The Philippine National Police – Criminal Investigation and Detection Group (CIDG) put out a press release explaining how a “joint operatives from the CIDG and the United States Federal Bureau of Investigation (FBI) have busted a group of Filipino hackers whose operation is allegedly being financed by a Saudi-based terrorist group”.

This operation was in response to a complaint filed by AT&T about the hacking of AT&T customer’s PBX’s.

ATCCD chief, Police Senior Superintendent Gilbert Sosa said the “hackers in Manila were being used by the Zamir’s terrorists group to hack the trunk-line (PBX) of different telecommunication companies including the AT&T. Revenues derived from the hacking activities of the Filipino-based hackers were diverted to the account of the terrorists, who paid the Filipino hackers on a commission basis via local banks.”

Sosa said that FBI agents who have been investigating incessant hacking of telecommunication companies in the US and in the country since 1999 have uncovered paper trail of various bank transactions linking the local hackers to the Saudi-based cell whose activities include financing terrorist activities.

AT&T has made it clear that they were not hit directly, Jan Rasmussen, a spokeswoman for AT&T, said it wrote off some fraudulent charges that appeared on customer bills. She declined to elaborate or comment on the $2m figure.

The Guardian article adds:
Though the FBI declined to give official details of how the group took the money, one person familiar with the situation said that the hackers broke into the phone systems of some AT&T customers and made calls to international premium-rate services whose payments would be diverted.

Such scams are relatively common, often involving bogus premium-service phone lines set up across Eastern Europe, Africa and Asia. Fraudsters make calls to the numbers from hacked business phone systems or mobile phones, then collect their cash and move on before the activity is identified. Telecommunications carriers often end up footing the bill for the charges.

Now this is a long way from Captain Crunch and the original phone phreaks, and it is way beyond what Steve Jobs and Steve Wozniak used blue boxes to steal long distance calls. In those cases it was both the thrill of the geek being able to break the system.

But in hind sight, the progression from teens and college students playing for the thrill of it, to organized crime using calling cards or breaking into PBXs for premium number or pass through fraud, to terrorist doing the same is an easy progression to follow.

The lessons are easy to see – no one can protect you if you do not take proactive action. Just like you are not protected from computer infections if you do not install anti-virus, if you do not protect your PBX you can be exposed to millions of dollars in fraud – and you can be helping terrorist. AT&T could not protect its customers even once it identified the fraud.