Sunday, January 27, 2013

Al Qaeda-linked phone hackers are back

A little over a year ago I was explaining on the VoIP Users Conference weekly call how Al Qaeda had been hacking AT&T customers for over US$2 million, in the session titled "Shssshhhhhh!!!! Al-Qaeda Phreaking!" (a recording of the session is available at http://www.voipusersconference.org/?powerpress_embed=3669-podcast).

Now, a year later, the report "New York Sen. Schumer: Al Qaeda-linked phone hackers costing NY small businesses" says that another:
phone hacking ring with ties to Al Qaeda-related groups in the Philippines and Somalia have targeted small businesses in New York, stealing hundreds of thousands of dollars worth of overseas long distance calls.
The amount stolen is not as large as last time, but it is scary to think that, in spite of the assassination of their leader, Al Qaeda is back to its old trick of hiring people to hack in order to fund it.

As Sen. Schumer reports:
26 businesses in New York's capital area, which includes Albany, have come forward to say they’ve been victims of a communications scheme. Schumer said hackers were manipulating businesses’ voicemail systems to make thousands of costly long-distance calls overseas, leaving New York businesses on the hook for the substantial bills.
For example:
One dry cleaning company in the area, he said, was hit with a $150,000 phone bill for nearly 9,000 overseas calls. That business is currently in a legal battle with its telephone provider over the bill.

On his official site he has called on carriers to put limits in place.

A copy of Schumer’s letter to the telecom industry and the Federal Communications Commission appears below:

Dear US Telecom and NTCA,

I am writing today after learning of several instances of a voicemail scam preying on multiple New York small businesses. As I am sure you are aware, this fraud occurs when hackers discover a loophole in the voicemail system and use this to make long-distance calls that can cost thousands of dollars. As this scam can occur over a series of days or even weeks, many of these victims are left with a bill of hundreds of thousands of dollars. During these times, small businesses need all the available help in order for them to continue to prosper and grow.

Both your members and these small businesses have been victims of this crime. These hackers, as they mostly operate from overseas, can be very difficult for law enforcement to catch. Therefore, I am hopeful that we can work together on adequate steps to provide stringent fraud detection services for small business phone lines so that we can eliminate the charges for small businesses and for your members. I believe that the credit card industry could provide inspiration in this effort. They have established robust fraud prevention services to allow businesses and customers to learn almost immediately when a suspicious purchase is made. In addition, they can require authorization prior to a suspicious purchase.

We all have an interest in ending this fraud. Neither your members nor their customers wish to help connect potential criminals or terrorists with their allies overseas. I believe an industry-led effort to detect voicemail fraud and end these unauthorized charges would allow small businesses to continue to innovate without the fear of extremely high charges. I have copied the Federal Communications Commission to ask them to assist your members with their expertise in this matter.

I thank you for your attention to this important matter, and look forward to working with you to assist you in protecting American small businesses from unfair and deceptive practices.

Sincerely,
U.S. Senator Charles E. Schumer

CC: Federal Communications Commission
Although Senator Schumer is correct that this is a problem the carriers need to address, that does not mean that businesses cannot, or should not, be proactive with monitoring, blocking, and call restrictions on their own phone switch.

As our security audits have shown, many PBXs are left with open holes that can be exploited:
  • Do all phones need long distance or international calling, or can overseas dialing be limited to the few extensions that actually use it?
  • Have unused/unneeded voicemail boxes been left open?
  • Are voicemail features that place outbound calls (outdial, call-through, dial-by-extension to an outside line) disabled unless they are genuinely needed? A voicemail system should never be able to originate an overseas call on its own.
  • Do you have time of day/day of week restrictions on your phones (why can calls be made at 2 am on a Saturday if you are only open Monday to Friday, 9 to 5)?
  • Do you still have easy-to-guess or default passwords on your voicemail, PBX, or phones?
  • Does anyone review the call detail records, or at least the carrier's daily usage, for after-hours and international calls, so that a run of calls is caught in hours rather than on next month's bill?
Have your phone staff or vendor check to make sure that these basic problems have been addressed, or contact me and we can discuss a security audit.
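As a worked example of the monitoring and call-restriction side of that checklist, here is an added script. It is not code from the original post and not any particular PBX vendor's tooling; it assumes a simple CSV export of call detail records (timestamp, source, dialed number, duration), a PBX that labels calls placed by the voicemail system with the source "voicemail", and North American dialing, where a number starting with 011 or with a + country code other than +1 is overseas. The business hours, the threshold and the sample records are constructed for illustration. The same rules that flag a record after the fact are the ones a switch should apply at dial time to block the call.

```python
"""Toll-fraud checks over call detail records (CDRs).

Added example, not code from the original post. It assumes a simple CSV
CDR export (timestamp, source, dialed, duration in seconds), a PBX that
labels calls placed by the voicemail system with source "voicemail", and
North American dialing, where a number starting with 011, or with a +
country code other than +1, is an overseas call. The sample records and
thresholds below are constructed for illustration.
"""
from __future__ import annotations

import csv
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from io import StringIO

# Constructed CDR export for a shop open Monday to Friday, 9 to 5.
# 2013-01-26 is a Saturday, 2013-01-27 a Sunday, 2013-01-28 a Monday.
SAMPLE_CDR = """\
timestamp,source,dialed,duration
2013-01-28 10:15:00,ext201,5185551234,120
2013-01-28 11:02:00,ext204,+442071234567,300
2013-01-26 02:07:00,voicemail,01125212345678,1800
2013-01-26 02:09:00,voicemail,01125212345679,1750
2013-01-26 02:12:00,voicemail,01163212345670,1900
2013-01-27 03:40:00,ext208,01163212345671,2400
"""

BUSINESS_DAYS = {0, 1, 2, 3, 4}          # Monday..Friday (datetime.weekday)
OPEN_AT, CLOSE_AT = time(9, 0), time(17, 0)


@dataclass(frozen=True)
class Call:
    when: datetime
    source: str      # originating extension, or "voicemail" for the VM system (assumed label)
    dialed: str
    duration: int    # seconds


@dataclass(frozen=True)
class Policy:
    intl_allowed_sources: frozenset   # sources permitted to dial overseas
    intl_burst_threshold: int         # overseas calls per source per day that raise an alert


def parse_cdr(text: str) -> list[Call]:
    """Parse the assumed CSV layout into Call records."""
    return [
        Call(datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
             row["source"], row["dialed"], int(row["duration"]))
        for row in csv.DictReader(StringIO(text))
    ]


def is_international(dialed: str) -> bool:
    """NANP view: an 011 prefix, or a + country code other than +1, is overseas."""
    digits = dialed.replace("-", "").replace(" ", "")
    if digits.startswith("011"):
        return True
    return digits.startswith("+") and not digits.startswith("+1")


def is_after_hours(when: datetime) -> bool:
    """True outside Mon-Fri 09:00-17:00."""
    return when.weekday() not in BUSINESS_DAYS or not (OPEN_AT <= when.time() < CLOSE_AT)


def check_call(call: Call, policy: Policy) -> list[str]:
    """Policy violations for one call; an empty list means the call is permitted.

    Applied at dial time these rules block the call; applied over a CDR
    export they detect fraud the switch let through.
    """
    reasons = []
    if call.source == "voicemail":
        # The voicemail system should never originate outside calls; leaving
        # outdial enabled is the classic toll-fraud vector.
        reasons.append("call placed through the voicemail system")
    if is_international(call.dialed):
        if call.source not in policy.intl_allowed_sources:
            reasons.append("international call from a source not cleared for it")
        if is_after_hours(call.when):
            reasons.append("international call outside business hours")
    return reasons


def analyze(calls: list[Call], policy: Policy) -> dict:
    """Run check_call over every record and count overseas calls per source per day."""
    alerts = []
    intl_per_source_day: Counter = Counter()
    for call in calls:
        reasons = check_call(call, policy)
        if reasons:
            alerts.append((call.when.isoformat(sep=" "), call.source, call.dialed, reasons))
        if is_international(call.dialed):
            intl_per_source_day[(call.source, call.when.date().isoformat())] += 1
    bursts = {key: n for key, n in intl_per_source_day.items()
              if n >= policy.intl_burst_threshold}
    return {"alerts": alerts, "bursts": bursts}


if __name__ == "__main__":
    policy = Policy(intl_allowed_sources=frozenset({"ext204"}), intl_burst_threshold=3)
    report = analyze(parse_cdr(SAMPLE_CDR), policy)
    for when, source, dialed, reasons in report["alerts"]:
        print(f"{when}  {source:<10} {dialed:<16} {'; '.join(reasons)}")
    for (source, day), n in report["bursts"].items():
        print(f"burst: {n} overseas calls from {source} on {day}")
```

Run as a script against the constructed records it flags the three Saturday-morning calls placed through the voicemail system, the Sunday call from an extension with no overseas permission, and a burst of three overseas calls from the voicemail source on one day; the one legitimate overseas call, from the cleared extension during business hours, passes. The burst threshold is deliberately low because a dry cleaner's phone system has no reason to make several overseas calls in a single night.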

Protect yourself, because the phone companies will almost always expect you to pay at least part of the cost of phone fraud committed over your phone lines.