Sunday, January 27, 2013

Al Qaeda-linked phone hackers are back

A little over a year ago I was explaining on the VoIP Users Conference weekly call how Al Qaeda had been hacking AT&T customers for over US$2 million, in the session titled "Shssshhhhhh!!!! Al-Qaeda Phreaking!" (a recording of the session is available at:

Now, a year later, the news report "New York Sen. Schumer: Al Qaeda-linked phone hackers costing NY small businesses" says that another:
phone hacking ring with ties to Al Qaeda-related groups in the Philippines and Somalia has targeted small businesses in New York, stealing hundreds of thousands of dollars' worth of overseas long distance calls.
It is not as large an amount stolen as last time, but it is scary to think that, in spite of the assassination of their leader, Al Qaeda is back to their old tricks of hiring people to hack to fund them.

As Sen. Schumer reports:
26 businesses in New York's capital area, which includes Albany, have come forward to say they’ve been victims of a communications scheme. Schumer said hackers were manipulating businesses’ voicemail systems to make thousands of costly long-distance calls overseas, leaving New York businesses on the hook for the substantial bills.
For example:
One dry cleaning company in the area, he said, was hit with a $150,000 phone bill for nearly 9,000 overseas calls. That business is currently in a legal battle with its telephone provider over the bill.

On his official site he has called on carriers to put in place limits.

A copy of Schumer’s letter to the telecom industry and the Federal Communications Commission appears below:

Dear US Telecom and NTCA,

I am writing today after learning of several instances of a voicemail scam preying on multiple New York small businesses. As I am sure you are aware, this fraud occurs when hackers discover a loophole in the voicemail system and use this to make long-distance calls that can cost thousands of dollars. As this scam can occur over a series of days or even weeks, many of these victims are left with a bill of hundreds of thousands of dollars. During these times, small businesses need all the available help in order for them to continue to prosper and grow.

Both your members and these small businesses have been victims of this crime. These hackers, as they mostly operate from overseas, can be very difficult for law enforcement to catch. Therefore, I am hopeful that we can work together on adequate steps to provide stringent fraud detection services for small business phone lines so that we can eliminate the charges for small businesses and for your members. I believe that the credit card industry could provide inspiration in this effort. They have established robust fraud prevention services to allow businesses and customers to learn almost immediately when a suspicious purchase is made. In addition, they can require authorization prior to a suspicious purchase.

We all have an interest in ending this fraud. Neither your members nor their customers wish to help connect potential criminals or terrorists with their allies overseas. I believe an industry-led effort to detect voicemail fraud and end these unauthorized charges would allow small businesses to continue to innovate without the fear of extremely high charges. I have copied the Federal Communications Commission to ask them to assist your members with their expertise in this matter.

I thank you for your attention to this important matter, and look forward to working with you to assist you in protecting American small businesses from unfair and deceptive practices.

U.S. Senator Charles E. Schumer

CC: Federal Communications Commission
Although Senator Schumer is correct that this is a problem the carriers need to address, that does not mean that businesses cannot, or should not, be proactive with monitoring, blocking, and call restrictions on their own phone switch.

As our security audits have shown, many PBXs leave open holes that can be exploited:
  • Do all phones need long distance or international calling?
  • Have unused or unneeded voicemail boxes been left open?
  • Do you have time-of-day and day-of-week restrictions on your phones (why can calls be made at 2 am on a Saturday if you are only open Monday to Friday, 9 to 5)?
  • Do you still have easy-to-guess or default passwords on your voicemail, PBX, or phones?
Have your phone staff or vendor check that these basic problems have been addressed, or contact me and we can discuss a security audit.
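To show what the monitoring side of that checklist looks like in practice, here is an added example (my own illustration for this page, not code from the original post, from Asterisk, or from any vendor's product) that runs three of the checks above over a few constructed Asterisk-style call detail records: it flags international calls, calls placed outside Monday to Friday 9 to 5, and any source that runs up more than a set dollar amount within a single clock hour, which is the kind of rate check that would catch the "$2,000 an hour" figure quoted further down this page long before the monthly bill arrives. The CDR column layout, the "voicemail" source label, the per-minute rates and the $50-per-hour alert threshold are all assumptions made up for the example.

```python
# Added example: flag international, after-hours and high-spend outbound calls
# in Asterisk-style CDR records (illustration for this page, not the PBX's code).
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample data (not from a real system). Columns are a subset of
# Asterisk's Master.csv: start, src, dst, billsec, disposition. The src value
# "voicemail" is an assumed label for calls dialled out through the voicemail
# system, which is how the attacks described on this page are placed.
SAMPLE_CDR = """\
2013-01-18 10:02:11,201,5185550123,95,ANSWERED
2013-01-18 14:30:45,202,2125550199,310,ANSWERED
2013-01-19 02:14:07,voicemail,011632555123456,1820,ANSWERED
2013-01-19 02:15:02,voicemail,011632555123457,1790,ANSWERED
2013-01-19 02:16:40,voicemail,011252555123458,1755,ANSWERED
2013-01-19 02:44:10,voicemail,011252555123459,1400,ANSWERED
2013-01-21 11:05:00,203,011442079460000,240,ANSWERED
2013-01-21 23:10:00,201,011632555123460,0,NO ANSWER
"""

BUSINESS_DAYS = range(0, 5)      # Monday=0 .. Friday=4
BUSINESS_HOURS = range(9, 17)    # 09:00 to 16:59 local time
INTL_PREFIX = "011"              # North American international dialling prefix
SPEND_PER_HOUR_ALERT = 50.0      # dollars per source per clock hour; assumption

# Illustrative per-minute rates keyed by dialled prefix (not a real tariff).
# The longest matching prefix wins; "" is the domestic fallback.
RATES = {
    "011632": 0.40,   # 011 + 63 (Philippines) + 2
    "011252": 1.20,   # 011 + 252 (Somalia)
    "01144": 0.05,    # 011 + 44 (United Kingdom)
    "011": 0.50,      # any other international destination
    "": 0.02,         # domestic
}


def parse_cdr(text):
    """Parse the constructed CSV layout into a list of dicts."""
    calls = []
    for rec in csv.reader(StringIO(text)):
        if not rec:
            continue
        start, src, dst, billsec, disposition = rec
        calls.append({"start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
                      "src": src, "dst": dst, "billsec": int(billsec),
                      "disposition": disposition})
    return calls


def rate_for(dst):
    """Per-minute rate for a dialled number, longest prefix match."""
    for prefix in sorted(RATES, key=len, reverse=True):
        if dst.startswith(prefix):
            return RATES[prefix]


def call_cost(dst, billsec):
    """Cost of one call; carriers bill whole minutes rounded up (assumption)."""
    return -(-billsec // 60) * rate_for(dst)


def is_international(dst):
    return dst.startswith(INTL_PREFIX)


def is_after_hours(when):
    return when.weekday() not in BUSINESS_DAYS or when.hour not in BUSINESS_HOURS


def analyse(text):
    """Return (per-call alerts, per-hour spend alerts) for a CDR text."""
    alerts = []
    spend = defaultdict(float)   # (src, "YYYY-MM-DD HH:00") -> dollars
    for c in parse_cdr(text):
        if c["billsec"] == 0:
            continue             # unanswered calls carry no toll charge
        reasons = []
        if is_international(c["dst"]):
            reasons.append("international")
        if is_after_hours(c["start"]):
            reasons.append("after-hours")
        if reasons:
            alerts.append((c["start"].strftime("%Y-%m-%d %H:%M:%S"),
                           c["src"], c["dst"], reasons))
        bucket = c["start"].strftime("%Y-%m-%d %H:00")
        spend[(c["src"], bucket)] += call_cost(c["dst"], c["billsec"])
    spend_alerts = {key: round(total, 2) for key, total in spend.items()
                    if total >= SPEND_PER_HOUR_ALERT}
    return alerts, spend_alerts


if __name__ == "__main__":
    call_alerts, hour_alerts = analyse(SAMPLE_CDR)
    for when, src, dst, reasons in call_alerts:
        print("%s  %-9s -> %-16s %s" % (when, src, dst, ", ".join(reasons)))
    for (src, bucket), dollars in sorted(hour_alerts.items()):
        print("SPEND ALERT: %s ran up $%.2f in the hour starting %s" % (src, dollars, bucket))
```

Run against the sample, the four calls dialled out through voicemail at 2 am on a Saturday are each flagged twice (international and after-hours) and together trip the spend alert, while the daytime call to the UK from extension 203 is flagged only as international, which is the point of the first checklist question: if that phone does not need international calling, the dialplan should refuse it rather than leave it to be noticed afterwards. On a real Asterisk box the same logic would read /var/log/asterisk/cdr-csv/Master.csv, use the carrier's actual rate deck, and be run from cron every few minutes rather than once over a file.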

Protect yourself, because the phone companies will almost always expect you to pay at least part of the bill for fraud committed over your phone lines.

Wednesday, January 23, 2013

Interesting Article on the Challenges and Prevention in a VoIP Environment

As I have been writing here, VoIP service has become more common and therefore a more attractive target for fraud attacks.

Jim Murphy, President of Phone Power, has a nicely written article on TMCNet titled "Toll Fraud Challenges and Prevention in a VoIP Environment".

He discusses the fact that there are always new targets to attack and that many PBXs use default or easy-to-crack passwords (such as 1234).

But to me the most worrying thing he mentions is how much this can cost a company:
The risks of toll fraud within a VoIP network are severe. Some hackers are able to hijack systems and push through charges that can total $2,000 an hour or more.
Now, we have seen companies hit in a few days with $25,000 to $50,000 in fraud, and in one case $400,000 over two days, so this number of $2,000 per hour sounds quite plausible to me.

This is why I moved to Greenfield Technologies and am specializing in security audits for Asterisk-based VoIP PBXs.

After auditing more than 35 PBXs, we have found that the most common policy issues are:
  • Incomplete, non-existent, or unenforced password policies:
      • Many had identical default SIP passwords for all phones that were never changed
      • Many had identical default voicemail passwords for all extensions that were never changed
  • Server / PBX passwords:
      • Multiple PBXs using the same password
      • Root access and the web client interface using the same password (if any)
  • No update policy for:
      • Server OS
      • PBX software
      • Phone firmware
  • No mailbox policies:
      • Who gets voicemail
      • When to close mailboxes
  • No policy to monitor phone usage / activity
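The password findings above can be checked mechanically rather than by reading configs by hand. The following is an added example (my own illustration for this page, not the audit tooling used at Greenfield Technologies and not part of Asterisk) that reads a constructed sip.conf and voicemail.conf in Asterisk's own section/key=value format and reports SIP secrets that are missing, default, equal to the extension number, too short, or shared across peers; voicemail PINs with the same problems; and mailboxes that have no matching SIP peer, which is how the "unused voicemail box left open" finding usually shows up. The sample configuration, the weak-secret list and the 12-character minimum are assumptions made for the example.

```python
# Added example: audit Asterisk sip.conf and voicemail.conf for the password
# findings listed above (illustration for this page, not any vendor's tool).
import re
from collections import defaultdict

# Constructed sample configuration (not from any real PBX).
SIP_CONF = """\
[201]
type=friend
secret=1234
host=dynamic
[202]
type=friend
secret=1234          ; same factory default as 201
host=dynamic
[203]
type=friend
secret=Xk9$vR2!pLm7wQ4z
host=dynamic
[204]
type=friend
host=dynamic         ; no secret line at all
"""

VOICEMAIL_CONF = """\
[general]
format=wav

[default]
201 => 1234,Front Desk
202 => 1234,Shipping
203 => 8472,Owner
209 => 209,Former Employee
"""

WEAK_SECRETS = {"1234", "0000", "1111", "123456", "password", "secret", "asterisk"}
MIN_SECRET_LEN = 12   # assumption: the shortest SIP secret we would accept


def parse_sections(text):
    """Minimal parser for Asterisk's [section] files with key=value or
    key => value lines. Returns {section: [(key, value), ...]}."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections


def sip_peers(sections):
    """peer name -> secret (None when the peer has no secret line)."""
    return {name: dict(entries).get("secret")
            for name, entries in sections.items() if name != "general"}


def voicemail_boxes(sections):
    """mailbox -> PIN, from lines like '201 => 1234,Name,email'."""
    boxes = {}
    for name, entries in sections.items():
        if name != "general":
            for mailbox, value in entries:
                boxes[mailbox] = value.split(",")[0].strip()
    return boxes


def audit(sip_text, vm_text):
    """Return a list of (area, subject, finding) tuples."""
    findings = []
    peers = sip_peers(parse_sections(sip_text))
    boxes = voicemail_boxes(parse_sections(vm_text))

    by_secret = defaultdict(list)
    for peer, secret in sorted(peers.items()):
        if secret is None:
            findings.append(("sip", peer, "no secret configured"))
            continue
        by_secret[secret].append(peer)
        if secret.lower() in WEAK_SECRETS or secret == peer:
            findings.append(("sip", peer, "default or guessable secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(("sip", peer, "secret shorter than %d characters" % MIN_SECRET_LEN))
    for secret, users in by_secret.items():
        if len(users) > 1:
            findings.append(("sip", ",".join(users), "identical secret shared by %d peers" % len(users)))

    by_pin = defaultdict(list)
    for mailbox, pin in sorted(boxes.items()):
        by_pin[pin].append(mailbox)
        if pin in WEAK_SECRETS or pin == mailbox:
            findings.append(("voicemail", mailbox, "default or guessable PIN"))
        if mailbox not in peers:
            findings.append(("voicemail", mailbox, "no matching SIP peer; unused mailbox left open?"))
    for pin, users in by_pin.items():
        if len(users) > 1:
            findings.append(("voicemail", ",".join(users), "identical PIN shared by %d mailboxes" % len(users)))
    return findings


if __name__ == "__main__":
    for area, subject, finding in audit(SIP_CONF, VOICEMAIL_CONF):
        print("%-9s %-8s %s" % (area, subject, finding))
```

On the sample this reports nine findings: extensions 201 and 202 share the factory-default SIP secret and voicemail PIN, 204 has no SIP secret at all, and mailbox 209 belongs to nobody and uses its own number as the PIN. Only 203 comes through clean. On a live system point it at /etc/asterisk/sip.conf and /etc/asterisk/voicemail.conf (or the files the PBX's web front end generates), and treat a shared-secret finding as the most urgent: one guessed password then opens every phone on the switch.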