Saturday, December 1, 2012

Crime and attacks are businesses that advertise

It seems that cyber crime does pay, or at least you can hire people to do it for you.

In a recent article, KrebsOnSecurity describes how an Online Service Offers Bank Robbers for Hire:
An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise.
Now this is nothing new in the world of cyber crime, but it is a bit new for physical crime.

Last year it was reported that there was a service offering to break Captchas, those often unreadable, always annoying distorted letters that you're required to type in at many a Web site to prove that you're really a human.

Also there is a service for False Answer Supervision.

Or there was the case of outsourcing to hack phone systems for Al Qaeda - $2 million stolen for the cost of $4,000.

It seems that the criminals are working harder to find ways to make money from committing crimes; they share tools and data in forums that cater to cybercrooks or hackers.

It is time that we start to work harder to share information to beat these guys before they unionize.

Thursday, November 1, 2012

Holiday Hacks are upon us again

Today I found a very nice article on the CSO Security News site called The 12 Cons of Christmas by Joan Goodchild (CSO (US)).

In this article she points out that this is the time of the year when the fraudsters and phishers are out in force.  Or as Joan put it:
While the risk of being hacked, conned or having sensitive information stolen is possible all through the year, most security experts agree that the holiday season brings a spike in fraudulent activity, both online and off.

Hot Holiday items are lures

With the increased use of Facebook and Twitter, scammers can get more information about what you want and can use that to better target you. To make it worse, the scammers have learned not to be so obvious, and "the signs that made scams so obvious before are no longer always present as more sophisticated techniques employed by criminals on Twitter and Facebook make it harder than ever to know what's legit."

Take a look at the article for some good hints on how to detect these scams and protect yourself.  
Full article:

Wednesday, October 3, 2012

Activity at Astricon’12

During Astricon’12 I will be part of the Greenfield Technology team at the show; along with speaking, I will be at the Kamailio booth.

Astricon’12 is taking place in Atlanta, GA, USA, during October 23-25, 2012.


Nir and I will be presenting at the event. I will be presenting on Wednesday, October 24, 2012, in the 11:40-12:15 time slot.

Presentation title:

Found in the wild: Telecom Fraud and Security Problems 


Last year's Security Panels at AstriCon brought examples from the audience (like: found and hacked in under 10 min. and $400k in fraud in 2 days). This year there are many new fraud attacks and audit horror stories and recommendations for you.
This session will review the security breaches of the past year as well as highlights of the most common problems found in security audits. The audience is encouraged to provide their own examples and jointly define solutions.

Also, Nir Simionovich will be presenting on Thursday, October 25, 2012, in the 10:00-10:35am time slot.

Presentation title: 

Asterisk Lock Down - Beyond Fail2Ban


Fail2Ban is a wonderful tool, but it is only one of many tools out there to assist in the protection of your Asterisk server. Some of these tools are so simple, that by utilizing very simple techniques, a complete lock down can be enforced. The session will share some methods that were deployed over the course of the years 2010 and 2011 in several locations and have proved to reduce the risk of hacking and fraud tremendously.

Kamailio Booth

Along with speaking, we will be at the Kamailio booth in the open source area. The Kamailio booth number is 20; if you are attending the show, stop by to learn about use cases of Kamailio and what is new in the project.

Friday, August 3, 2012

Infographic: Fraudulent Calls Up 29 Percent in 2012

Threatpost, the Kaspersky Lab Security News Service, has a nice article about the status of fraudulent calls in 2012, titled Report: Fraudulent Calls Up 29 Percent in 2012, that starts:
On average, there were almost five fraudulent phone calls every minute earlier this year according to a report released today from security firm Pindrop Security. The Atlanta-based company found phone fraud was up 29 percent January to June this year from the last half of 2011 after it analyzed 1.3 million different instances as part of its 2012 State of Phone Fraud Report.
The accompanying graphic, which shows how things are already looking in 2012, speaks loudly as to why companies need to be proactive in their approach to telecom fraud.

Thursday, June 28, 2012

Cloning makes its return

I am not sure if this has become a problem in other areas yet, but apparently there is a new twist in cloning the SIM card in a mobile phone.

OK, a little history first: when mobile phones first came out they did not have SIM cards. Identifying information was "hard coded" into the phone, letting the network know that it was you on your phone using the network. Then someone worked out that they could scan and clone that information (similar to what is now starting to be common for RFIDs). You see, by broadcasting your "unique" identifier to the network, the fraudster can trick the system into thinking they are you. For RFID this means that they can clone your credit card and start charging against your account.

In the late '90s I know that fraudsters rented a room on the lowest floor of a building that was over FDR Drive in NYC. This put them close enough to ping and scan the mobile devices in the cars that passed below them. They then input the information into other phones and were able to arrange dial out, long distance, premium number and sweepstakes fraud against those mobile users' accounts.

Now in theory this has stopped happening in mobile devices as the information is supposed to be harder to get.

Today I came across an article in the Arab Times, Phone Clone Latest Scam To Prey On Mobile Users. A man called a reporter on her mobile phone and told her:
“Congratulations, you have just won KD 100,000 from ------ (name of the telecommunication company). I’m from the (name of the telecommunication company) International Government Department. You can claim your prize from ------ (name of local bank) by calling this number  00447624192661 for instructions on how to claim the KD 100,000 prize from (name of the local bank),” went a man to one of the reporters of the Arab Times early this week. He was calling her on her mobile phone from the number 22280636.
Now to be fair, at this point she knew it was a scam - but being a journalist she wanted to get the full story and called the number and got the same man.
He was the same man who called up the reporter earlier but this time he introduced himself as Michael Husky of the (name of the telecommunication company) International Government Department of Kuwait. He then gave an eight-digit number to the reporter and asked her to check if the eight-digit number that he gave matched the first eight-digit number at the back of her mobile phone SIM card. “Switch it off and check it. Please check if it’s the same and please call again to confirm and I will give you the final instructions on how to claim your KD 100,000 prize from _____ (name of local bank)” said the man.
The reporter removed the SIM card from her phone and much to her surprise, the eight-digit number that the man gave her earlier was the exact number at the back of her SIM card. However, when she switched on her mobile phone, it went offline and she had to go to one of the branches of this telecommunication company to check on what had gone wrong with her phone line. Her phone started working again after a customer service representative helped her out. The reporter then told the customer service representative about the earlier incident about the KD 100,000 cash prize. The customer service representative laughed aloud and told the reporter that it was not the first time that she heard such story as a number of other subscribers had also called up and claimed that they had won a cash prize from the telecommunication company.
The article goes on to say that she called again, got new instructions and was told to expect a text (SMS) message with a new PIN and to sign in using it.

When she checked with the legitimate phone company she was told that if she had gone ahead with it they would have cloned her phone.

There is a well written and detailed explanation about how this could be done by the fraudsters and what each part of the scam actually was doing.

But this shows that when you get unexpected "You have won" calls or messages you should be wary as they are almost always too good to be true and can end up costing you a lot.

Monday, April 16, 2012

Remembering that the Titanic disaster was made worse by bad communications

As the world remembers the Titanic disaster of 100 years ago today, I would like to take this blog entry to remind people that the disaster was made worse by bad communications technology, flooded bandwidth, and new protocols.

As Bill Kovarik writes in his article Radio and the Titanic:

Problems with the radio played a major role in the Titanic disaster of April 14, 1912, when the British passenger liner sank after hitting an iceberg in the mid-Atlantic.
 These problems delayed and complicated the rescue, contributing to the deaths of 1,514 passengers and crew, and very nearly sealing the fates of those who managed to survive. 
Although its owners boasted that the Titanic was the most modern ship of its day,  the Marconi radio system that had been installed in the weeks before the disaster was already obsolete. 
So the first problem seems to be that the system in use was not the best available and had some known technical issues. This kind of thing happens when radically new technologies come out. Then there were bandwidth problems.

Bandwidth problems, you may ask? Yes, bandwidth.

It seems that "After sending personal messages from the Titanic, the operators were taking down personal messages, along with  news and stock reports for the passengers to read the next morning." Thus they were unable to receive the warning:
About fifteen minutes before the Titanic hit the iceberg,  Cyril F. Evans, a wireless operator on the Californian, which was about 20 miles away, attempted to contact the Titanic to tell them they were surrounded by dangerous icebergs.
As Bill Kovarik explains: (emphasis is mine)
Technically, the problem with the Titanic’s radio telegraph system was that Marconi’s “spark” system soaked up virtually all of the frequency bandwidth and created interference for all other ships within signaling distance. As many engineers were realizing at the time, it was far better to use continuous wave radio transmitters (where signals were carried inside the wave) instead of the Marconi intermittent spark transmissions (where wide-spectrum interruptions in the wave were the signal).
Changing protocols
The other part of the problem was that Captain Stanley Lord, the captain of the Californian, stood accused of ignoring Titanic’s distress calls after the huge ship sank on April 15, 1912, while Sir Arthur Rostron, the captain of the Carpathia, rescued more than 700 people from the Atlantic on the night the Titanic went down.

Listen to the RMS Titanic "SOS" on YouTube  

Now if you look at the time that the sinking occurred, there was a change in the works in message content as well as in the technology mentioned above.

As Neal McEwen explains in his article "'SOS,' 'CQD' and the History of Maritime Distress Calls":
misinformation surrounds the origin and use of maritime distress calls. The general populace believes that "SOS" signifies "Save Our Ship." Casual students of radio history are aware that "CQD" preceded the use of "SOS." 
In 1904, the Marconi company (suggested) the use of "CQD" for a distress signal.  It was established on February 1 of that year by Marconi Company's circular No. 57.  Although generally accepted to mean, "Come Quick Danger," that is not the case. It is a general call, "CQ," followed by "D," meaning distress. A strict interpretation would be "All stations, Distress."  In the U.S. Senate hearings following the Titanic disaster, interrogator Senator William Smith asked Harold Bride, the surviving wireless operator,  "Is CQD in itself composed of the first letter of three words, or merely a code?"  Bride responded, "Merely a code call sir."  Marconi also testified, "It [CQD] is a conventional signal which was introduced originally by my company to express a state of danger or peril of a ship that sends it."
While 2 years later:
At the second Berlin Radiotelegraphic Conference of 1906, the subject of a distress signal was again addressed. The distress signal chosen was "SOS." 
Although the use of "SOS" was officially ratified in 1908, the use of "CQD" lingered for several more years, especially in British service where it originated. It is well documented in personal accounts of Harold Bride, second Radio Officer, and in the logs of the SS Carpathia, that the Titanic first used "CQD" to call for help. When Captain Smith gave the order to radio for help, first radio officer Jack Phillips sent "CQD" six times followed by the Titanic call letters, "MGY." Later, at Bride's suggestion, Phillips interspersed his calls with "SOS."
In SOS to the Rescue, 1935, author Baarslag notes, "Although adopted intentionally in 1908, it [SOS] had not completely displaced the older "CQD" in the British operators' affections."   Marconi in his U.S. Senate testimony on the Titanic disaster said, "I should state that the international signal [SOS] is really less known that the Marconi Co.'s [CQD] signal."  (It is interesting to observe that Marconi was waiting in New York to return home to England on the Titanic.) 
Thus you have a case where the wrong code was sent out, due to a protocol (in this case human) error, meaning that the message went out 6 times before the right code was sent out, causing a long delay in getting help.

Now there is a call that it is Time to forgive the man who ‘ignored’ Titanic SOS as "It has ... been proved that any action by Captain Lord would not have led to a different outcome to the tragedy, as Californian would have arrived well after Titanic had sunk."

Given the details I have seen, I think that Captain Lord was used as a scapegoat when there was a need to hang someone out for the loss, even though Captain Lord had sent ice warnings.
"The Titanic was going full speed ahead, despite being warned about the ice, and the captain was encouraged to do so to make it the fastest crossing of the Atlantic."
It is time to stop blaming Captain Lord for the sinking, when the Titanic was already hit after not getting the warnings.

Tuesday, April 3, 2012

Term Tuesdays - Employee Fraud

Employee Fraud - when an employee knowingly steals from the company.

Example provided by a former coworker

Here is a story from the 1980's. 
A carrier was paying sales guys up front for sales and one day an installer called me in Houston and was concerned about a new installation. 

The location was an empty field and in the middle of the field was a telephone pole with 25 66 blocks. The installer said he counted 50 lines terminated to this 66 block. So I told him to reject the order back to us and we would handle it.

I contacted the VP of Sales and he contacted the Legal Department. 

There were five (5) sales guys that were fired, but not sued. Their names were given to the IRS for all the money they stole.

Tuesday, March 27, 2012

Term Tuesday - a version of 'advance-fee' fraud

This example was provided by Mitchell Hellman, a former coworker

AT&T offers several free services for people with hearing related disabilities, details are available at, this service is funded by the FCC.
IM Relay is a solution for individuals who are Deaf, hard-of-hearing, or have speech loss. Request a phone number to be dialed and an AT&T Relay operator calls the phone number and translates the text to voice to the other party. There is no charge to use this service, but all users must register first.
Aside from using IM relay on PC or MACs, IM relay is accessible wherever there is AIM. Today, many mobile devices support AOL Instant Messenger applications. Just send the phone number you want to dial to the screen name  "ATTRelay" and you can make calls on the go. Remember, there is no charge to use IM relay, but if you use a mobile device to access IM relay please check with your service provider to see if there may be any applicable data fees. 
Real world example

Wednesday, March 14, 2012

History of Phone Crime - first Denial of Service (DoS) incident

Continuing the retelling of cases of telecom fraud and crime.

To review, topics I have covered were
1876 - First case of telecom related fraud - seems that Bell did not invent the phone, but that the man who did could not afford to patent it.
1889 - First denial of service (DoS) and crime - see below.
1903 - The first telecom hacking - Marconi's demonstration and "secure" service were interrupted and listened to.

First Denial of Service (DoS) and crime
The story goes that Almon Strowger, a St. Louis undertaker, became upset on finding that the wife of a competitor was a telephone operator at the local (manual) telephone exchange who made his line busy and transferred calls: whenever a caller asked to be put through to Strowger, the calls were deliberately put through to his competitor, her husband. (1)(2)
"Necessity is the mother of invention" so Strowger developed the dial telephone system to get the operator out of the system. (1)

Now if you think about it, this was both a DoS attack, as the wife blocked calls to Mr. Strowger's company, and a crime, as she illegally redirected those calls to a competitor.

(1) Bill's 200-Year Condensed History of Telecommunications at
(2) Theory of Electromechanical Switching at

Monday, February 27, 2012

Reviewing the Geek Twins Top Nine Shocking Phone Hacks in the Science-Fiction Universe

In looking for interesting news about Phone Hacks I came across this great list, put together last summer by the site The Geek Twins, of the Top Nine Shocking Phone Hacks in the Science-Fiction Universe.

Now, to be honest, Humbug Telecom can not stop any of these (yet), but I thought I would discuss a few of them anyway as the Geek Twins seem to have gotten the facts wrong in most cases.

Now their list is deliberately limited: it "only includes interception of communication not intended for the recipient."

Thursday, February 23, 2012

Humbug shortlisted by Global Association for Contact Center for Best Technology Innovation – Vendor Solution

The Global Association for Contact Center Best Practices & Networking has released the Shortlist for their 2012 Best in Europe, Middle East & Africa.
Humbug Telecom Labs was shortlisted under the Best Technology Innovation – Vendor Solution category.

To read about Humbug’s solution for Call Centers please see our White Paper – Benefits of Telecom Analytics & Fraud Detection for Call Centers

Tuesday, February 21, 2012

Term Tuesday - Industry Standards Organizations That are involved in Fighting

There are 2 primary organizations that I would like to mention in terms of Telecom Fraud: the CFCA and the TM Forum.

Taking the about sections from each:

The idea for the Communications Fraud Control Association began in February 1985 with a group of concerned communications security professionals from several different long distance carriers. Intent upon finding a more effective way to combat the growing problem of communications fraud, representatives from AT&T, ITT, MCI, Network One, Satellite Business Systems and Sprint met to lay the groundwork for the Communications Fraud Control Association (CFCA). These representatives left their first meeting assured that a cooperative effort through an Association of security professionals was a realistic and appropriate response to the identified need.
Through the years, membership categories have expanded to include a world-wide network of: carriers, PBX /PABX owners, ISPs, cable and satellite providers, corporate end-users, operator service providers, fraud system developers, prosecutors, members of law enforcement agencies, communications consultants and companies that provide revenue assurance solutions for wireless, wireline, IP, NGN, etc., systems.
TM Forum 
TM Forum is a global, non-profit industry association focused on simplifying the complexity of running a service provider’s business. As an established industry thought-leader, the Forum serves as a unifying force, enabling more than 800 companies across 195 countries to solve critical business issues through access to a wealth of knowledge, intellectual capital and standards. 
The Forum provides a unique, fair and safe environment for the entire value-chain to collaborate on pressing industry issues, helping companies of all sizes gain a competitive edge and the flexibility and speed they need to underpin future growth.

Sunday, February 19, 2012

Does IT make it too easy for fraudsters?

I was just reading an interesting article by Steven Cotton of the TM Forum entitled Fraudsters Will Be Fraudsters, But How Does Provider Indifference Help? In it he explains about a recent phishing attempt that came to his in-box and how the service provider’s support group did not know if they had a security or fraud department and could not be bothered to care.

Now if you look at most of the recent stories labeled as telecom fraud, they are frequently about people being defrauded using the phone rather than fraud hitting the PBX. In these cases it is usually someone tricked by phone or email into going down to Western Union and sending money to someone that they know who is in some sort of “trouble.” Now the cases and causes of the trouble are varied (bail, hospital charges, fees to get car fixed, etc.) but the common item is that they always want the money sent via Western Union – who has no verification, tracking or roll-back options once the cash is taken.

Now Steve ended his blog entry with this line:
I'd suggest that the industry should at least set a basic goal of making the fraudsters at least break a sweat as they perpetrate their nasty business.
I suspect that this is exactly the case, and if there was a way to force Western Union to verify the identity of the person claiming the money, say the way that a person-to-person call works, it would cut down more than half of this kind of fraud.

The same is true in PBX-related fraud: keeping default passwords, leaving the system ports open, not watching your phone bill, and not proactively protecting your system makes it just as easy to defraud you as it is for those who are preying on phone scam victims.

Tuesday, February 14, 2012

Term Tuesday: Sweepstakes or Premium Fraud explained

In our ongoing series explaining how Telecom Fraud works and how to protect yourself and your company, here is an example of how Sweepstakes or Premium Fraud occurs.

Not all Telecom Fraud requires that the fraudster hack your phone system or take any real risk. In many cases fraudsters try to trick you into making calls or into staying on the line a long time, thus defrauding yourself. These are easier than hacking your system and can be much more profitable.

Some examples of how they get you to call can be:
  • Message to your cell phone
  • Voice message (automatic return the call option)
  • Missed call
  • Email or fax offers
In most of these cases you will be asked to call a number. They then want to keep you on the line as long as possible, and if they can, they want to encourage you to call over and over again by offering you chances to win. I came across one example recently that explains this clearly:
Thank you for calling dial to win applications, where you can win fabulous prizes every week, the longer you hold the line the bigger is your chance to be the winner, for every minute you hold you collect one lucky hit, the more lucky hits you collect the bigger your chances, now get ready we will generate you unique code 322123179325.
Well done, you have collected you first lucky hit for this call, please continue to hold etc...
What they don't tell you is that you are not calling a toll-free number and in fact can be paying more than $5 per minute, and there have been cases of over $20 per minute.

Be wary of these scams.
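The pattern described above (a high per-minute rate, long holds and repeat calls to the same number) can be looked for in your own call records. This is an added example, not part of the original post; the CSV layout, the sample records, the phone numbers and every threshold except the $5 per minute figure are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds: $5/minute is the rate quoted in the post,
# the other two are illustrative values chosen for this example.
RATE_THRESHOLD = 5.00      # dollars per minute
LONG_HOLD_MINUTES = 10     # one call kept on the line at least this long
REPEAT_CALLS = 3           # same extension dialing the same number this often

# Constructed sample records (not real data); numbers are fictional.
SAMPLE_CDR = """
# extension,dialed,minutes,cost
101,+15550100,12.0,0.60
102,+9990000001,14.0,77.00
102,+9990000001,9.0,49.50
102,+9990000001,11.0,60.50
103,+9990000002,1.0,6.00
104,+15550123,45.0,2.25
"""

@dataclass(frozen=True)
class Call:
    extension: str
    dialed: str
    minutes: float
    cost: float  # total billed for the call, in dollars

def parse_cdr(text):
    """Parse the assumed CSV layout, skipping comments and malformed lines."""
    calls = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            continue
        ext, dialed, minutes, cost = fields
        calls.append(Call(ext, dialed, float(minutes), float(cost)))
    return calls

def flag_premium_patterns(calls):
    """Return {(extension, dialed): [reasons]} for pairs that combine a
    premium rate with a long hold and/or repeated calls."""
    grouped = defaultdict(list)
    for c in calls:
        grouped[(c.extension, c.dialed)].append(c)

    findings = {}
    for key, group in grouped.items():
        total_min = sum(c.minutes for c in group)
        total_cost = sum(c.cost for c in group)
        rate = total_cost / total_min if total_min > 0 else 0.0

        reasons = []
        if rate >= RATE_THRESHOLD:
            reasons.append("high_rate")
        if any(c.minutes >= LONG_HOLD_MINUTES for c in group):
            reasons.append("long_hold")
        if len(group) >= REPEAT_CALLS:
            reasons.append("repeat_calls")

        # A long cheap call or one short expensive call is not the pattern;
        # require the premium rate plus at least one of the behaviours.
        if "high_rate" in reasons and len(reasons) >= 2:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (ext, number), why in flag_premium_patterns(parse_cdr(SAMPLE_CDR)).items():
        print(f"extension {ext} -> {number}: {', '.join(why)}")
```

In the sample, only extension 102 is flagged: the 45-minute call from 104 is cheap, and the single one-minute call from 103 is expensive but shows neither a long hold nor repetition.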

To read more about this type of fraud see:

Tuesday, January 17, 2012

Term Tuesdays - Types of Solutions for Telecom Fraud Prevention

Over the next few weeks I will be discussing different solution types for preventing Telecom Fraud. These will include but are not limited to:

  • Cloud based
  • Premises based
  • Carrier Based 
More coming next week.

Wednesday, January 11, 2012

Not exactly fraud - How To Prevent An Illicit Data Dump

I realize that this is not directly related to fraud, but with the news of hacking of sites to get passwords etc from RSA to credit cards, I decided to pass this on:

Dark Reading has a good basic article on How To Prevent An Illicit Data Dump that is a summary of a research report that they did.
[Excerpted from "How to Prevent an Illicit Data Dump," a new report posted this week on Dark Reading's Insider Threat Tech Center.] The headline occurs almost every day lately -- a large enterprise or government agency loses a huge cache of data through the actions of an employee. Whether it's a malicious theft and posting, a la WikiLeaks, or an unintentional compromise of sensitive business information, the affected organization is put in a position of serious risk
Now the report and article offer a lot of advice that comes down to setting proper rules and addressing employee misconduct, which can lead to data breaches or Telecom Fraud.

Set your rules, enforce them:

  • Set password rules
  • Monitor activity
  • Educate your employees