Article on Telecom/Toll Fraud in 2011

Here is an article summarizing telecom/toll fraud in 2011:

http://www.channelpartnersonline.com/blogs/peertopeer/2011/12/2011-s-biggest-frauds-and-phreaks.aspx

 

TDoS/Harassing Call/Phone Bombing Attack on MI6

Here is an article and several Youtube videos describing an attack on the UK MI6 organization (their equivalent of the CIA). The article uses the term "phone bombing", where the attacker uses automation to flood the target with calls, thereby preventing legitimate callers from getting in. This is just another term for Telephony Denial of Service (TDoS).

The video's narrate the attacker calling in themself and taunting the MI6. If this weren't such as serious type of attack, it would be humorous.

The PSTN is not what it used to be, closed and somewhat safe. It has so much VoIP/SIP in it, that it is starting to look  like the Internet in terms of threat level. We will see more and more harassing calls, TDoS/phone bombing, voice SPAM, voice phishing (vishing), etc.

http://www.msnbc.msn.com/id/47032601/ns/technology_and_science-security/#.T4hJ4VGDTcM

http://www.youtube.com/watch?v=wtoOo-e5mNY&feature=channel&list=UL

http://www.youtube.com/watch?v=SAFf-9ohNJo

http://www.youtube.com/watch?v=PEBQoxHh1uU&feature=channel&list=UL

 

Social Engineering Used to Steal From Billionaire Paul Allens Acount

Here is an article  about how an attacker changed the address on one of billionaire Paul Allens accounts, to trick the bank into sending the attacker a debit card. It doesn't say how the account was changed. It may have been changed via social engineering into the banks contact center, or possibly via malware on a PC.

Once the address had been changed, the attacker then called in, said they lost their debit card, and had a new one sent to the modified address. The attacker was obviously able to complete this through social engineering/fraud. I don't know if they had more info about Paul Allen or the bank simply sends a new card without requiring any other sort of identification/authentication.

What is scary is that if someone can manipulate such as high profile individual's account, then can certainly do it for a typical consumer.

Here is the article and info:

http://news.yahoo.com/fbi-pa-man-stole-microsoft-co-founders-identity-101131507.html

Contact Center Social Engineering/Fraud Article

Here is an interesting article on contact center fraud. There are many different types of fraud that can affect a contact center - classic social engineering (facilitated by spoofing caller ID), information harvesting, etc. The article covers some of that - confirming that it is easy to imitate a legitimate user, since it is easy to get basic personal information that is used for authentication.

The article also describes the issue where a consumers phone number is changed (via malware on their device) and then the bank uses that to call back for verification, but it turns out to be the attackers number.

http://www.bankinfosecurity.com/articles.php?art_id=4593&rf=2012-03-16-eb&elq=e1769a0bae1547359d6ec38f2958342e&elqCampaignId=1587

 

Caller ID Spoofing Used for Voice Phising (Vishing) Attacks

Here is an article describing how caller ID spoofing is being used for voice phising (they call it vishing) attacks. The basic idea is the hacker sets up an automatic dialing operation (robo dialing) and calls 1000's of consumers, using a bank's caller ID. The caller ID to use isn't hard to figure out, an bank's contact center 1-800 number should do just fine. This is easily tested - make a call with this number to any phone you control and verify that it comes up correctly.

A sophisticated hacker may have a list of numbers they know use the bank they are spoofing. If this information isn't available (it probably isn't), the hacker can just call random numbers, sooner or later they will find a consumer who uses the bank whose caller ID they are spoofing and also one that will be fooled.

There are no details in the article, but I assume since it appears that the calls are automatically generated, that the hacker plays a message that attempts to trick the consumer into calling back a number they have set up, which a human answers, who in turn attempts to get personal information from the consumer. This could also be automated, but that is a little harder - you would have to build a mini-IVR, with legitimate sounding bank prompts and so on.

http://www.darkreading.com/smb-security/167901073/security/vulnerabilities/232700095/fake-caller-id-attacks-on-the-rise.html 

 

Another Toll Fraud Attack

Here is a link to yet another example of toll fraud. No details about the attack were given. They mentioned a TDM system, rather than VoIP. Toll fraud can of course occur with both types of systems, although as I have said before, VoIP creates additional vectors of attack.

http://www.scmagazine.com.au/News/294797,1000-scam-calls-hit-wa-business.aspx

Also, while I was poking around SC magazines website, I found the following article from last year:

http://www.scmagazine.com.au/News/257265,auscert-cisco-ip-phones-prone-to-hackers.aspx

 

Telephony Denial of Service (TDoS) Attack on BBC

Here is an example of a Telephony Denial of Service (TDoS) attack on the BBC. The attack involved data DoS, as well as TDoS through what is stated as automatically generated calls. The attack calls may have been automatically generated, performed by many individuals organized through social networking, or a combination.

http://www.bbc.co.uk/news/technology-17365416

 

Hacker/Thief Steals $2,100,000 Through Fax Fraud

Wow. Check this out. A hacker (it is pretty generous to call them that), found some signatures on the Internet and used them to force wire transfer requests with FAXs. The article doesn't mention anything "fancy" like spoofing caller ID, just forged FAXs. I am amazed these went through.

http://www.finextra.com/news/fullstory.aspx?newsitemid=23476

Not really VoIP Security per se, but an attack through voice and faxes.

Caller ID Has Pretty Much Become Worthless

Most of us have known for a long time that caller ID has pretty much become worthless and unreliable as a means of identifying and authenticating a caller. There was a lot of press last year about how caller ID was maniplated as an easy means to access individuals voice mails. Free Voice over IP (VoIP) PBXs such as Asterisk, services such as Spoofcard, applications on your smart phone, etc. make it very each to change caller ID.

One bit of news that hit home with me, was when I saw a warning in Consumer Reports about how easy it is to spoof caller ID. When we start to see warnings in non-technical consumer publications like this, we know we have a big problem :) I provided the page that has the warning. The blurb is in the lower right:

Download Consumer rpts Spoofing MArch 2012

Finally, for more information on the issue of caller ID spoofing (and solutions), check out the TrustID blog.

FCC Moves to Protect Consumers from Automatically Generated Calls

I don't know about you, but I have been receiving a lot more SPAM on my cell phone. It seems to be getting worse all the time. Most of these are marketing calls, while some just seem to be harvesting information, possibly looking for my name, carrier, etc. Of course I don't answer them all - but this is the case for the few I do. They are from all over the country, using what appears to be bogus caller ID.

I imagine I get a ton of these on my home phone, but I have disconnected all of them, so I don't notice the calls :)

The FCC just moved to require banks, financial organizations, insurance, etc. to receive approval from consumers before they automatically dial them (with what they call robo-dialers). We will see how effective this is. As with email, moves like this only stop some of the legitimate dialers - they won't stop the hackers.

http://www.bloomberg.com/news/print/2012-02-15/fcc-votes-to-help-consumers-hang-up-on-automated-marketing-calls.html

 

Another Article on Toll Fraud - VoIP Security Issue with Gateways

Here is yet another article describing a toll fraud attack. The amount was $30,000. The attack was enabled through a non-secure media gateway, where VoIP call were made on the LAN, inside the network, and converted to toll calls on TDM trunks (most likely PRIs). This isn't really a vulnerability of the gateways, rather a case of not changing default configuration.

http://www.computerworld.com/s/article/9224108/Security_Manager_s_Journal_Hackers_Call_Home_on_Our_Dime  

 

Research Shows IP-Based Video Systems are Insecure

Here are a couple of articles about some research from HD Moore into IP-based video systems. In a nutshell, the research shows that many video systems are set up in a non-secure (default) way, likely and expected, since the idea is that these systems should be easy to use and accessible. The video systems admin/web interfaces are often accessible from the Internet and allow cameras to be used to monitor activities in the critical locations (board rooms) where the video systems are used. Additional research discusses accessing the systems via H.323 (use of SIP is possible too). I will try to comment more on this later.

https://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html

https://community.rapid7.com/community/solutions/metasploit/blog/2012/01/23/video-conferencing-and-self-selecting-targets

Note that we have also seen video systems exploited, for the purpose of making outbound calls on legacy PRI trunks. I will cover that in another post.

Hacker Gets Time for Payphone Fraud Scheme

See the following article. The hacker programmed payphones he owned to robo-dial (automatically dial) 1-800 numbers, which generated revenue.

http://www.loansafe.org/man-from-maryland-sentenced-for-4-million-payphone-fraud-scheme

 

 

 

Presentation by Dan York on VoIP/UC Security

Dan York did a recent presentation on VoIP/UC security. I provided a link to the slides. I don't have the audio, I will post it if I find it. The title of the presentation is "Does anyone really give a ___ about VoIP security?".

Right now, I don't think most people really care too much about VoIP security. My take though (and I have said it efore), its not about VoIP/UC-specific security. It is and always has been about voice/communications security - attackers go after voice systems for the same reasons they have for a long time - namely, fraud/theft of service, DoS, harassment, social engineering, and more and more, for SPAM and phishing. Same old threats, it is just that VoIP/UC makes it easier and cheaper to execute these attacks.

http://www.7ducattacks.com/2011/12/slides-does-anyone-really-give-a-_____-about-voip-security.html

Social Media Used for Harassing Caller/TDoS

We have seen a number of cases where social medial/networking sites, such as facebook and twitter, were used to organized calling campaigns against corporations, the government, politicians, etc. Here is the latest example I have seen, titled "Occupy the Phones", where the organizer sets up facebook events to organize dialing campaigns. While these campaigns/attacks are very sophisticated, they can definitely tie up an organizations phone lines.

http://www.facebook.com/pages/Occupy-the-Phones/258843427490295