Showing posts with label Fraud. Show all posts

Monday, May 19, 2014

As always, Scott Adams gets it right


And this is why we can not kill spam, phishing, and fraud
For every 99 people with a clue there is one that falls for it.

Tuesday, April 9, 2013

What do the crooks get from PBX hacking?

I have been asked many times what the crooks get out of hacking or attacking a phone switch.

William Jackson offers a good explanation in this blog post

Phone DOS: What's in it for the crooks
http://gcn.com/blogs/cybereye/2013/04/phone-dos-whats-in-it-for-crooks.aspx
(Image from the blog).

Wednesday, March 27, 2013

Nice article on effects of Toll Fraud

Thanks to Mark Collier's VoIP Security Blog, I point you to this article: Toll fraud can put SMEs out of business in minutes.

Unfortunately, the premise and conclusions are correct. If you think of the example from the 2011 Astricon, where a company was hit for $400,000 in fraud over 2 days, then it is easy to see how this kind of hit could cost a small business everything in almost no time.

Real-time monitoring and proper security checks are needed to help prevent this kind of fraud. I will keep posting details on how you can protect your company, or you can contact me directly for more information about real-time monitoring or VoIP Security Audits.

Monday, February 4, 2013

Pulp Phishing

Found a neat new web tool to create retro looking Pulp Fiction covers.

So here is one to remind everyone that telecom fraud is not just taking your money, but is being used to fund terror.



Past posts about Al Qaeda Phishing attacks
 
Pulp cover made with: http://thrilling-tales.webomator.com/derange-o-lab/pulp-o-mizer/pulp-o-mizer.html
 

Sunday, January 27, 2013

Al Qaeda-linked phone hackers are back

A little over a year ago, on the VoIP Users Conference weekly call, I explained how Al Qaeda-linked hackers had been attacking AT&T customers for over US$2 million, in the session titled Shssshhhhhh!!!! Al-Qaeda Phreaking! (a recording of the session is available at http://www.voipusersconference.org/?powerpress_embed=3669-podcast).

Now, a year later, New York Sen. Schumer: Al Qaeda-linked phone hackers costing NY small businesses reports that another:
phone hacking ring with ties to Al Qaeda-related groups in the Philippines and Somalia have targeted small businesses in New York, stealing hundreds of thousands of dollars worth of overseas long distance calls.
It is not as large an amount stolen as last time, but it is scary to think that, in spite of the assassination of their leader, Al Qaeda is back to its old trick of hiring people to hack in order to fund it.

As Sen. Schumer reports
26 businesses in New York's capital area, which includes Albany, have come forward to say they’ve been victims of a communications scheme. Schumer said hackers were manipulating businesses’ voicemail systems to make thousands of costly long-distance calls overseas, leaving New York businesses on the hook for the substantial bills.
 For example:
One dry cleaning company in the area, he said, was hit with a $150,000 phone bill for nearly 9,000 overseas calls. That business is currently in a legal battle with its telephone provider over the bill.

On his official site he has called on carriers to put in place limits.

A copy of Schumer’s letter to the telecom industry and the Federal Communications Commission appears below:

Dear US Telecom and NTCA,

I am writing today after learning of several instances of a voicemail scam preying on multiple New York small businesses. As I am sure you are aware, this fraud occurs when hackers discover a loophole in the voicemail system and use this to make long-distance calls that can cost thousands of dollars. As this scam can occur over a series of days or even weeks, many of these victims are left with a bill of hundreds of thousands of dollars. During these times, small businesses need all the available help in order for them to continue to prosper and grow.

Both your members and these small businesses have been victims of this crime. These hackers, as they mostly operate from overseas, can be very difficult for law enforcement to catch. Therefore, I am hopeful that we can work together on adequate steps to provide stringent fraud detection services for small business phone lines so that we can eliminate the charges for small businesses and for your members. I believe that the credit card industry could provide inspiration in this effort. They have established robust fraud prevention services to allow businesses and customers to learn almost immediately when a suspicious purchase is made. In addition, they can require authorization prior to a suspicious purchase.

We all have an interest in ending this fraud. Neither your members nor their customers wish to help connect potential criminals or terrorists with their allies overseas. I believe an industry-led effort to detect voicemail fraud and end these unauthorized charges would allow small businesses to continue to innovate without the fear of extremely high charges. I have copied the Federal Communications Commission to ask them to assist your members with their expertise in this matter.

I thank you for your attention to this important matter, and look forward to working with you to assist you in protecting American small businesses from unfair and deceptive practices.

Sincerely,
U.S. Senator Charles E. Schumer

CC: Federal Communications Commission
Although Senator Schumer is correct that this is a problem the carriers need to address, that does not mean businesses cannot, or should not, be proactive with monitoring, blocking, and call restrictions on their own phone switch.

As our security audits have shown, many PBXs leave open holes that can be exploited. Ask yourself:
  • Do all phones need long distance or international calling?
  • Have unused/unneeded voicemail boxes been left open?
  • Do you have time of day/day of week restrictions on your phones (why can calls be made at 2 am on a Saturday if you are only open Monday to Friday 9-5)?
  • Do you still have easy to use or default passwords on your voicemail, PBX, or phones?
Have your phone staff or vendor check that these basic problems have been addressed, or contact me and we can discuss a security audit.

Protect yourself because the phone companies will almost always expect you to pay at least part of the phone fraud done using your phone lines.

Tuesday, March 27, 2012

Term Tuesday - a version of 'advance-fee' fraud

This example was provided by Mitchell Hellman, a former coworker.

Background
AT&T offers several free services for people with hearing-related disabilities; details are available at http://relayservices.att.com/. The service is funded by the FCC.
IM Relay is a solution for individuals who are Deaf, hard of hearing, or have speech loss. You request a phone number to be dialed, and an AT&T Relay operator calls that number and relays your text as voice to the other party. There is no charge to use this service, but all users must register first.
Aside from using IM Relay on PCs or Macs, IM Relay is accessible wherever there is AIM. Today, many mobile devices support AOL Instant Messenger applications. Just send the phone number you want to dial to the screen name "ATTRelay" and you can make calls on the go. Remember, there is no charge to use IM Relay, but if you use a mobile device to access it, check with your service provider to see whether any data fees apply.
Real world example

Wednesday, March 14, 2012

History of Phone Crime - first Denial of Service (DoS) incident

Continuing the retelling of cases of telecom fraud and crime.

To review, the topics I have covered so far were:
1876 - First case of telecom-related fraud: it seems that Bell did not invent the phone, but that the man who did could not afford to patent it.
1889 - First denial of service (DoS) and crime - see below.
1903 - The first telecom hacking: Marconi's demonstration and "secure" service were interrupted and listened in on.

First Denial of Service (DoS) and crime
The story goes that Almon Strowger, a St. Louis undertaker, became upset on finding that the wife of a competitor was an operator at the local (manual) telephone exchange. Whenever a caller asked to be put through to Strowger, she made his line busy or transferred the call, deliberately putting it through to his competitor, her husband.(1)(2)
"Necessity is the mother of invention," so Strowger developed the dial telephone system to get the operator out of the loop. (1)

Now, if you think about it, this was both a DoS attack, as the wife blocked calls to Mr. Strowger's company, and, to make it worse, an illegal redirection of those calls to a competitor.


Sources:
(1) Bill's 200-Year Condensed History of Telecommunications at http://www.cclab.com/billhist.htm
(2) Theory of Electromechanical Switching at http://www.seg.co.uk/telecomm/automat1.htm

Wednesday, January 11, 2012

Not exactly fraud - How To Prevent An Illicit Data Dump

I realize that this is not directly related to fraud, but with the news of hacking of sites to get passwords etc from RSA to credit cards, I decided to pass this on:

Dark Reading has a good basic article, How To Prevent An Illicit Data Dump, that summarizes a research report they did.
[Excerpted from "How to Prevent an Illicit Data Dump," a new report posted this week on Dark Reading's Insider Threat Tech Center.] The headline occurs almost every day lately -- a large enterprise or government agency loses a huge cache of data through the actions of an employee. Whether it's a malicious theft and posting, a la WikiLeaks, or an unintentional compromise of sensitive business information, the affected organization is put in a position of serious risk
Now, the report and article offer a lot of advice, which comes down to setting proper rules to prevent the employee misconduct that can lead to data breaches or telecom fraud.

Set your rules, enforce them:

  • Set password rules
  • Monitor activity
  • Educate your employees


Wednesday, December 21, 2011

Term Tuesdays - Off Hour Calls


Off Hour Call
Calls originating from an organization’s PBX may be the result of Internal Employee Fraud, unauthorized visitors, or remote hackers accessing the system. Most significant telecom fraud attacks are perpetrated when the enterprise is unmanned over weekends, bank holidays, religious holidays, etc.

Your telecom provider cannot identify these calls, as they do not know your business hours. You need to be able to monitor and prevent calls at times when your business is closed.

We have seen cases of $25,000 - $400,000 in Telecom Fraud happening over a holiday weekend.

Thursday, December 1, 2011

Shssshhhhhh!!!! Al-Qaeda Phreaking!


Humbug Telecom Lab’s Eric Klein will be making a guest appearance on VoIP Users Conference weekly discussion:

Topic: As shown by the recent arrests in the case of the terrorists who were hacking AT&T business customers to fund Al-Qaeda, telecom fraud has come a long way from Captain Crunch and Steve Jobs phreaking Ma Bell for fun and glory. It is now big business aimed at stealing from you via your PBX. Let's discuss actual cases and some things you can do to make sure your PBX is not funding terror.

Friday, December 2nd at 12 Noon Eastern Time (9 AM Pacific)

Tuesday, November 22, 2011

Term Tuesdays - Telecom Fraud Explained: Known Fraudulent Numbers


Term Tuesdays - Telecom Fraud Explained

Today’s term is actually a type of Telecom Fraud, in this case it is when your PBX makes calls to Known Fraudulent Numbers or Destinations.

Calls to Known Fraudulent Numbers or Destinations
Telecom fraud is a well-known problem, and as with the "Nigerian Bank Scam," there are blacklists of phone numbers, area codes, etc. that can be blocked or monitored if the right tools are at hand. To protect yourself you need to use several types of blacklists to prevent inappropriate calls from being made.

Humbug supports several types of Blacklists:
  • Community Blacklist - Protect your PBX from over 70,000 industry-confirmed blacklisted numbers
  • Number Blacklist - Set up your own list of blacklisted numbers
  • Country Blacklist - Receive alerts when traffic to/from specific countries you select is detected


Like PC-based antivirus or malware protection, telecom fraud prevention needs to be regularly updated as new sources, destinations, and types of fraud are tried by the fraudsters.


It is a moving target and thus you need to be vigilant and use a solution that is constantly updated with these new attacks.
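As an added example of the monitoring that the Off Hour Call post and this post call for (and of checks matching the audit questions in the Schumer post), here is a small Python script, not Humbug's software, that screens a batch of PBX call detail records (CDRs) against a business-hours window, a number blacklist, a country blacklist, and a per-extension daily international-minutes limit. The CDR format, the blacklists, the thresholds and the records are all constructed for this illustration; the 70,000-number community list is represented by a one-entry set, and the E.164 country-code table is a three-entry stub.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample CDRs (not real traffic): timestamp, extension, dialed number, seconds.
# 2011-11-18 is a Friday, 2011-11-19 a Saturday, 2011-11-21 a Monday.
SAMPLE_CDRS = """\
2011-11-18 09:15:00,201,+12125551234,120
2011-11-18 14:30:00,203,+639171234567,300
2011-11-18 18:30:00,205,+12125559876,60
2011-11-19 02:03:11,207,+2527001234,610
2011-11-19 02:25:40,207,+2527005678,1500
2011-11-19 03:10:02,207,+2527009012,900
2011-11-21 10:00:00,201,+14155550100,45
"""

BUSINESS_DAYS = {0, 1, 2, 3, 4}       # Monday-Friday (assumed, as in the post's 9-5 example)
OPEN_HOUR, CLOSE_HOUR = 9, 17         # assumed business hours, local PBX time
HOME_COUNTRY = "1"                    # assumed: a North American PBX
DAILY_INTL_MINUTES_LIMIT = 30         # assumed per-extension, per-day threshold

# Constructed stand-ins for the community, number and country blacklists described above.
NUMBER_BLACKLIST = {"+2527001234"}
COUNTRY_BLACKLIST = {"252", "63"}     # Somalia and the Philippines, the countries named in the Schumer post
COUNTRY_CODES = {"1", "63", "252"}    # tiny constructed subset of E.164 country codes


@dataclass
class CDR:
    when: datetime
    extension: str
    number: str
    seconds: int


def parse_cdrs(text):
    """Parse the constructed comma-separated CDR export into CDR records."""
    records = []
    for line in text.strip().splitlines():
        ts, ext, number, secs = line.split(",")
        records.append(CDR(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ext, number, int(secs)))
    return records


def country_code(number):
    """Longest-prefix match of the dialed number against the (stub) country-code table."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in COUNTRY_CODES:
            return digits[:length]
    return None


def is_off_hours(when):
    """True when the call falls outside the business-hours window."""
    return when.weekday() not in BUSINESS_DAYS or not (OPEN_HOUR <= when.hour < CLOSE_HOUR)


def daily_international_minutes(cdrs):
    """Minutes of non-home-country calling per (extension, calendar day)."""
    totals = defaultdict(float)
    for c in cdrs:
        if country_code(c.number) != HOME_COUNTRY:
            totals[(c.extension, c.when.date())] += c.seconds / 60
    return totals


def screen(cdrs):
    """Return {record index: [reasons]} for every CDR that trips at least one rule."""
    intl = daily_international_minutes(cdrs)
    alerts = {}
    for i, c in enumerate(cdrs):
        reasons = []
        if is_off_hours(c.when):
            reasons.append("off-hours")
        if c.number in NUMBER_BLACKLIST:
            reasons.append("blacklisted number")
        cc = country_code(c.number)
        if cc in COUNTRY_BLACKLIST:
            reasons.append(f"blacklisted country +{cc}")
        if intl.get((c.extension, c.when.date()), 0) > DAILY_INTL_MINUTES_LIMIT:
            reasons.append("daily international minutes over limit")
        if reasons:
            alerts[i] = reasons
    return alerts


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    for i, reasons in screen(cdrs).items():
        c = cdrs[i]
        print(f"{c.when} ext {c.extension} -> {c.number}: {', '.join(reasons)}")
```

In the sample, extension 207's three Saturday-night calls to Somalia trip every rule at once, which is the pattern the holiday-weekend cases describe; the per-day minutes rule is what would have caught a run like that even if none of the individual numbers were on a list yet.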

Monday, November 7, 2011

Telecom Fraud from Smartphone malware apps

About 2 weeks ago I wrote about a phony Netflix app for Android; today the BBC has an article titled Smartphone scams: Owners warned over malware apps, which talks about how these apps are made and how they can be used to commit phone fraud.

Criminals are typically creating Trojan copies of reputable apps and tricking users into installing them.
Once on the phone, the app can secretly generate cash for criminals through premium rate text messages. 
Get Safe Online, a joint initiative between the government, police and industry, said it was concerned that users of smartphones, such as Android devices, were not taking steps to protect their devices.
Get Safe Online said fraudsters are designing apps which generate cash secretly in the background without the owner realising until their monthly bill. A typical scam involves an app designed to send texts to premium rate services without the user knowing.


As with all telecom fraud the solution is a combination of setting the right controls and proactive monitoring.

To prevent a large, unexpected phone bill you should:

  • Confirm that the app you are installing is certified and is from the company it claims to be from.
  • Install a malware protection app, just as you have anti-virus on your laptop, and make sure it updates regularly. I wrote about some of these in the Netflix post.
  • Pay attention to performance. If your battery seems to be running out too fast, if apps (and games) are running slowly, or if calls or web sites take longer to connect, you could have a malware app running on your system. If you do not have any protection, install one and run a full system check.
  • Occasionally look at your call and SMS (text) logs to see if there are items that you did not make.
  • Actually review your phone bill; you usually only have a month to challenge mistakes or fraud, so this is your last line of defense.

Tuesday, November 1, 2011

Astricon updates


Rather than another Fraud Terms Tuesday, today I bring you 2 links from Astricon.

In the first, Tom Keating from TMC Net caught me and Nir running the first part of the Security Round Table. Here is his blog entry about it, AstriCon VoIP Security - $400,000 toll fraud - YIKES!, and here is the video he took at the start of the session.

Later that day we were interviewed by Chris DiMarco, also from TMC Net. Here is the link to his article, Saying Humbug to Telephony Fraud.

Friday, October 21, 2011

SEC asks companies to disclose cyber attacks - is Telecom Fraud next


According to an article in today's Reuters, SEC asks companies to disclose cyber attacks, the SEC set new guidelines on Thursday about cyber events that could lead to monetary losses.
U.S. securities regulators formally asked public companies for the first time to disclose cyber attacks against them, following a rash of high-profile Internet crimes. 
Senator John Rockefeller has asked the SEC to set guidelines related to losses due to security breaches.
"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything," Rockefeller said in a statement.
"It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it," Rockefeller said in a statement.
Now, as the SEC asks companies to disclose cyber attacks that affect their finances, here is a question to ponder: is telecom fraud next? It is almost entirely financial, and it has the potential to expose intellectual property and customer information while bypassing normal cyber security procedures.

Consider for a minute, with more than $80 billion worth of telecom fraud happening each year, how long will it be before companies are required to disclose this to stockholders or the SEC?

What is the fiscal responsibility of a company’s management to protect and or disclose this risk to stockholders?

What are you doing to protect your company?

Proactive monitoring and active security are a must to protect companies from this kind of loss.

For suggestions on how you can protect your company please see my guest blog Telecom Fraud Is Alive & Kickin’ or visit the Humbug Labs site to sign up for analytics and Fraud Detection.




Tuesday, October 18, 2011

Term Tuesdays - Subscription Fraud

Guest post by Boaz Bechar, VP Business Development at Humbug Labs

Consumer-facing ITSPs are battling to optimize their user-acquisition costs versus lifetime value – and are constantly trying out new techniques for signing up users. Registration form fields are reduced, making it as simple as possible for newcomers to join the service, while leaving the ITSP with many questions on who the user is – which may be a challenge when tackling subscription fraud.

In many cases, a free call or free calling credit is offered before/after account creation, allowing the user to familiarize with the system. The revenue-assurance decision tree from here can only get longer and wider, for example: If providing the user with a free call after signing up, what stops them from creating multiple accounts and making multiple free calls?

The low-hanging fruit would clearly be to place limits on the IP address and phone number the user is dialing from/to; however, this can get problematic if disposable phone numbers are brought into the equation, and even more so with hackers who have full number ranges in their war chest. There is no easy way to tackle this problem, but steps to greatly limit the financial exposure can be taken, such as limiting the total calls on a per-destination level, routing all free calls through cost-limited trunks, as well as carefully scrutinizing daily cost, duration and call volume user leader-boards, to make sure they are consistent with your rule-set. Additionally, maintaining blacklists of numbers and registration domains (i.e. blocking sites such as 10minutemail.com from registering) increases the barriers for fake subscriptions while not affecting valued users.

Paying users, while the bread and butter of the ITSP, can also be a great concern in terms of subscription fraud. While pay-as-you-go based programs do have a certain limit on the financial exposure per user, margins can easily diminish due to costs associated with credit card charge-back fees from accounts using stolen credit cards or hacked online payment accounts (PayPal, etc.). Scrutinizing paying users becomes even more critical with postpaid accounts, which may bypass initial checks as a seemingly legitimate business, but then the account is used for fraud with no intent to pay (NITP).

To minimize exposure to fraud from paying users, it's important that an 'activation process' take place, where payment details are matched against the user's registration data. Other vital indicators become relevant on a case-by-case basis, including review of the user's credentials, looking for similar registered accounts, similar billing details previously used on the system, etc.

While ITSPs don't currently have the sophistication level of traditional carrier subscription fraud prevention techniques, they do have the ability to leverage new sets of data unique to their environment, in order to create new activation funnels. One proven technique is matching the password hash used during registration against a blacklist of known unwanted passwords as well as against previously flagged accounts. Creating more opportunities for unique data sets and matching against historical information is one method that can easily be deployed in an ITSP environment.

Relying on rule-based results completely can be ineffective, and it's important to have mechanisms in place which allow anomalies to be spotted. For example, a South American ITSP serving Brazil may find it an anomaly to receive a transaction from an account with a billing address in Congo. Different techniques work well in different operational scales and requirements, and it's up to the ITSP to find the balance between financial risk and rules required to activate an account prior to manual checks.

You can learn more by reading Boaz’s White Paper - Fraud Management in an ITSP Environment
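As an added example (not code from Humbug Labs or from the guest post), here is a toy activation check in Python that applies several of the indicators the post lists: a disposable registration domain, a password fingerprint compared against a blacklist and against previously flagged accounts, billing details matched against the registration data and against prior accounts, a billing country outside the service area, and a per-IP account limit. The accounts, reference lists, weights and thresholds are all constructed; the fingerprint is an unsalted SHA-256 kept only as a comparison key, separate from whatever salted hash the login system stores.

```python
import hashlib
from dataclasses import dataclass

# Constructed reference data, standing in for the lists an ITSP would maintain.
DISPOSABLE_DOMAINS = {"10minutemail.com"}           # the domain the post names
WEAK_PASSWORDS = {"password", "123456", "qwerty"}   # "known unwanted passwords"
SERVICE_COUNTRIES = {"BR"}                           # the post's example ITSP serves Brazil
MAX_ACCOUNTS_PER_IP = 2                              # assumed limit


@dataclass
class Registration:
    email: str
    password: str
    name: str
    billing_name: str
    billing_country: str   # ISO 3166 alpha-2
    source_ip: str


def fingerprint(password):
    """Unsalted SHA-256 used only as a cross-account comparison key; it is stored
    separately from the salted login hash so it never stands in for authentication."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


WEAK_FINGERPRINTS = {fingerprint(p) for p in WEAK_PASSWORDS}

# Constructed history: a password fingerprint seen on a flagged account, billing names
# already on file (normalized to lowercase), and accounts registered per source IP.
FLAGGED_FINGERPRINTS = {fingerprint("hunter2")}
PRIOR_BILLING_NAMES = {"maria oliveira"}
ACCOUNTS_PER_IP = {"203.0.113.77": 2}

# Weight of each indicator; the total drives the activation decision (assumed values).
WEIGHTS = {
    "disposable email domain": 2,
    "blacklisted password": 1,
    "password shared with a flagged account": 3,
    "registration name differs from billing name": 1,
    "billing country outside service area": 2,
    "billing name already used by another account": 3,
    "too many accounts from source IP": 2,
}


def findings_for(reg):
    """List every indicator the registration trips."""
    found = []
    domain = reg.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        found.append("disposable email domain")
    fp = fingerprint(reg.password)
    if fp in WEAK_FINGERPRINTS:
        found.append("blacklisted password")
    if fp in FLAGGED_FINGERPRINTS:
        found.append("password shared with a flagged account")
    if reg.name.strip().lower() != reg.billing_name.strip().lower():
        found.append("registration name differs from billing name")
    if reg.billing_country not in SERVICE_COUNTRIES:
        found.append("billing country outside service area")
    if reg.billing_name.strip().lower() in PRIOR_BILLING_NAMES:
        found.append("billing name already used by another account")
    if ACCOUNTS_PER_IP.get(reg.source_ip, 0) >= MAX_ACCOUNTS_PER_IP:
        found.append("too many accounts from source IP")
    return found


def score(findings):
    return sum(WEIGHTS[f] for f in findings)


def decide(reg):
    """'activate' for a clean signup, 'review' for a mild anomaly, 'hold' for a strong one."""
    s = score(findings_for(reg))
    if s == 0:
        return "activate"
    if s < 4:
        return "review"
    return "hold"


# Constructed signups: a clean one, a neighbouring-country one, and an obvious fake.
SAMPLE = [
    Registration("ana@example.com", "T3rr1ble-but-unique!", "Ana Souza", "Ana Souza", "BR", "203.0.113.10"),
    Registration("carlos@example.org", "correct-horse-battery", "Carlos Lima", "Carlos Lima", "AR", "203.0.113.10"),
    Registration("x1@10minutemail.com", "hunter2", "John Doe", "J. Smith", "CG", "203.0.113.77"),
]

if __name__ == "__main__":
    for reg in SAMPLE:
        print(reg.email, decide(reg), findings_for(reg))
```

The point of the weights is the post's last paragraph: a single mild anomaly (the Argentine billing address) goes to manual review rather than being rejected outright, while the disposable-domain signup that also reuses a flagged password and bills from outside the service area is held before it can place a call.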

Monday, October 17, 2011

Term Tuesdays - Telecom Fraud Explained

Each Tuesday I will be attempting to explain a different Telecom Fraud related term or concept.


Where possible, I will include real world examples. In some cases I may not be allowed to release specific information about the customer, and will then describe the case in general terms.

Topics will include
  • Calls to Known Fraudulent Numbers or Destinations
  • Hacking
  • Internal Misconduct
  • Malware
  • Off Hour Call
  • PBX Dial-Through
  • Phishing
  • Proactive Monitoring
  • Service & Application Level Fraud
  • Subscription Fraud

As this is intended to be educational, I will try to include links to the original articles or sources where the information originated, where they exist. Many of these will be related to white papers that I, or my coworkers, publish on the Humbug Telecom Labs site.

Where they are applicable to a specific market segment or product type, I will identify them.

Whenever possible I will give tips or suggestions on how to prevent this type of fraud.

Thursday, October 6, 2011

Steve Jobs explains his involvement in Telecom Fraud

Cross posting from Humbug Blog


We are all saddened by the death of Steve Jobs (1955 - 2011).
He didn't just create products; he created a new way of life. But looking back, we find that this great innovator started by phreaking AT&T with his own home-built blue box.

In this video, Steve explains how he and Steve Wozniak built Blue Boxes to make illegal free long distance calls, and how there would be no Apple today if they hadn't been such hooligans.

Steve Jobs Interview about the Blue Box Story