So what is the motive of the individual/group doing the scanning? It could be a lot of things, but there is a good chance the scanner was looking for SIP servers to use to freely originate calls into the network for a variety of attacks, including voice SPAM, voice phishing, Telephony Denial of Service (TDoS), and possibly toll fraud (inbound calls that hairpin out to premium numbers). I would be particularly concerned about TDoS - if the attacker has found a large collection of SIP servers used to originate calls, they could easily use them to overwhelm an enterprise and/or contact center.
The article does not give any details about the attack, but I bet the attacker exploited the victim's PBX and then generated a ton of inbound calls, which hairpinned out to premium numbers. I discussed this attack method in an April 12th post. Again, DTF/Toll Fraud is still a big issue - attackers set up premium numbers and then generate traffic to the numbers, through this hairpin attack. All enterprises are targets, but again, small businesses are especially attractive, because they don't have the expertise to secure their systems. They are also the least likely to notice the attack, until they get their phone bill...
I wish the victim well. The article says they are fighting the service provider, but that will be difficult. The calls do cost the service provider money - it is the enterprise's job to secure their system.
Also, Ofcom, similar to the FCC in the United States, issued a warning that these types of attacks are on the rise:
There has been a ton of press lately about Telephony Denial of Service (TDoS). There are real attacks occurring against 911 centers and financial contact centers. The targets are getting flooded with malicious calls that prevent legitimate users from accessing critical emergency or financial services. I will provide posts about the actual attacks and methods of attack mitigation. Interestingly, I am wrapping up a chapter on the new Hacking Exposed: VoIP and UC on this exact topic.
Here is a video describing a Dial Through Fraud (DTF) attack. DTF is a form of toll fraud, where the attacker dials into a compromised PBX, gains dial tone, and then dials a new destination, usually an international number. They "hairpin" through the PBX. The destination is often a premium number and the attacker is using the compromised PBX as a way of generating traffic and revenue.
This attack is interesting because it shows how inbound call or robocall generation can be used for DTF and toll fraud. First someone compromises an IP PBX so that an external user can dial in, get dial tone, and dial to an international premium number. Once this access is gained, the attacker can use it at any time for DTF themselves or sell it to an attacker who wants to generate the actual fraud.
Most people think of DTF as being the case where the access to the compromised PBX is sold to many individuals who use it to make international calls, say to talk to relatives in their native countries. This still occurs, but by far the more common attack is to automatically generate inbound calls to the compromised PBX, which hairpin into outbound international calls to the premium numbers, thereby generating a lot of traffic and revenue. This really isn't much different from automated call pumping or Telephony Denial of Service (TDoS) attacks. The attacker sets up an automated call generation operation, probably using Asterisk, a call generator, and SIP trunks. They build an audio file that pauses, enters a code to get dial tone, enters the desired international destination number, and then just keeps the call up for some period of time. They run the attack and call a number for the compromised PBX that will give them dial tone. They probably spoof their calling number. The calls are kept up as long as practical, but keeping the calls shorter and/or variable length can make the attack a little less likely to be detected. The calls will usually be generated overnight and/or on the weekend to avoid attention.
If you watch the video, this is what happened. The attacker generated the calls at night and the victim had a ton of calls, all to Somalia, start up at the exact same time. The calls continued for about 5 hours, at which time the victim noticed the attack. They happened to be an organization that takes calls at night, so they noticed the attack.
As with any DTF or toll fraud attack, paying for the fraud is the responsibility of the enterprise.
There have been a number of additional bulletins warning of Telephony Denial of Service (TDoS) attacks on 911 centers. Below is a summary of the bulletins I am aware of. If anyone knows of any others, please let me know and I will include them here:
I am going to write a series of posts on Telephony Denial of Service (TDoS). I thought I would start with a brief description of how attackers actually generate automated TDoS attacks. I will follow up with other techniques, info about the impact to enterprises, and how they can detect and mitigate the attacks.
The bottom line is that TDoS attacks have become cheap and easy to implement. The barrier to entry is much lower, due to the availability of VoIP, SIP, and UC. The 5 basic steps to execute a TDoS attack are as follows:
First, it is easy to get and set up free and powerful IP PBX software such as Asterisk. Asterisk has all the capabilities you will ever need to generate a TDoS attack. You also need a call generator or way to use Asterisk to generate calls. One such tool is "spitter", which SecureLogix wrote a while back for the Hacking Exposed: VoIP book. We are updating this tool as we speak for a revision to the book. You can get the current version from the SecureLogix SIP Testing Tools website as part of a set of VoIP testing tools.
Second, you need to determine the numbers you want to call. This is trivial. There has been a lot of discussion about attacks against 911 services. What could be easier than this - everyone knows the target number - it is always 911. It is just as easy to target a financial contact center - just go to the website of the target bank or other enterprise and search or browse for their 1-800 numbers. You only need 1 or a few numbers. You can also easily flood administrative parts of an enterprise. You can either discover their DID range or just pick a few numbers, because multiple calls to 1 DID will roll over, still consume trunks, and be answered by voice mail.
Third, you need to pick some audio to play. This could be silence or white noise if you are lazy. If your target is 911, maybe the audio sounds like a legitimate emergency call. If you don't want to use your own voice, google "text to speech" and you will find hundreds of services and applications that will convert the text you type into audio that you can use. You can even select the language, dialect, and accent. If you are targeting a financial contact center, maybe you want to tie up an IVR, so you could do a little research on your target and build an audio file that just loops through the menus. Or perhaps it flies through the menus to get to the agent, where you play some sort of audio that keeps the agent on the line as long as possible.
Fourth, it is easy to get VoIP/SIP access into the public voice network. In the old days, you would need an expensive PBX and PRI access into the network in order to generate calls. Now you just need Asterisk and a SIP trunk. If you google "SIP trunks", you will find hundreds of companies that provide an inexpensive way of generating calls. Some of these services are as cheap as $0.01 a call. Remember that the target may or may not be using SIP (odds are they are still using TDM), so you still must traverse the public voice network. SIP trunks are easy to set up and you can be generating calls in a very short amount of time. Of course if you are really serious, you can also scan for vulnerable SIP servers and try to generate your traffic for free. Or you can set yourself up as a service provider. Another somewhat effective approach is to use one of the "legitimate" call generation services. Just google "robocalls" and you will find many services that, for a fee, will generate lots of calls for you.
Finally, you need to run the attack. When you run it is important. For 911 it may not matter, but any time when a lot of emergencies are likely, perhaps during a storm or in the evening, could be more effective. For a financial contact center, do it during the day during peak times, between say 10 am and 2 pm. Monitor the attack - you will be able to tell if it is effective if the calls being generated are failing.
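As an added example (not code from this post, nor from SecureLogix), here is a small CDR-based detector for the two patterns described above: the overnight hairpin burst from the DTF post (a cluster of outbound international calls starting within seconds of each other, off-hours) and an inbound TDoS flood against a single number. The CDR tuple layout, the assumed home country code HOME_PREFIX, the thresholds and every sample record are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
HOME_PREFIX = "+1"  # assumed home country code; any other '+' number counts as international

def is_off_hours(ts, open_hour=8, close_hour=18):
    """Weekend or outside business hours, when the post says these attacks usually run."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)

def sliding_windows(starts, window_s):
    """For sorted start times, yield the starts that fall within window_s seconds of each one."""
    lo = 0
    for hi, t in enumerate(starts):
        while (t - starts[lo]).total_seconds() > window_s:
            lo += 1
        yield starts[lo:hi + 1]

def group_starts(cdrs, direction, key):
    """Sorted start times of calls in `direction` ('in' or 'out'), grouped by key(callee)."""
    groups = defaultdict(list)
    for ts, d, _caller, callee in cdrs:
        if d == direction:
            groups[key(callee)].append(ts)
    return {k: sorted(v) for k, v in groups.items()}

def detect_hairpin_fraud(cdrs, window_s=60, min_calls=5):
    """{country_prefix: total_calls} where >= min_calls outbound international calls
    started within window_s seconds of each other, all off-hours (the hairpin pattern)."""
    intl = [c for c in cdrs if c[3].startswith("+") and not c[3].startswith(HOME_PREFIX)]
    alerts = {}
    for prefix, starts in group_starts(intl, "out", lambda n: n[:4]).items():
        if any(len(w) >= min_calls and all(map(is_off_hours, w))
               for w in sliding_windows(starts, window_s)):
            alerts[prefix] = len(starts)
    return alerts

def detect_tdos_flood(cdrs, window_s=60, threshold=20):
    """{callee: peak_calls} for numbers receiving >= threshold inbound calls in one window."""
    peaks = {callee: max(len(w) for w in sliding_windows(starts, window_s))
             for callee, starts in group_starts(cdrs, "in", lambda n: n).items()}
    return {callee: peak for callee, peak in peaks.items() if peak >= threshold}

def cdr(start, direction, caller, callee):
    """Constructed CDR tuple: (datetime, 'in' or 'out', caller, callee)."""
    return (datetime.fromisoformat(start), direction, caller, callee)

# Constructed sample: six hairpinned calls to Somalia (+252, as in the post's video) at 02:00 on a
# Sunday with their inbound legs, then 25 inbound calls to one toll-free number within a minute.
SAMPLE_CDRS = ([cdr(f"2013-06-16T02:00:{i:02d}", "in", f"+4420000{i:04d}", "5551000") for i in range(6)]
               + [cdr(f"2013-06-16T02:00:{i:02d}", "out", "5551000", f"+25261000{i:04d}") for i in range(6)]
               + [cdr(f"2013-06-17T10:30:{i:02d}", "in", f"+1555000{i:04d}", "8005550100") for i in range(25)])
```

In production the same two checks would run over the PBX's or SBC's real CDR feed, with the window and thresholds tuned to the site's normal overnight and toll-free volume.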
SecureLogix just released our 2013 Voice and Unified Communications State of Security Report. Rod Wallace and I authored the report. The report covers the most significant voice and UC threats. The report describes the threats and why they have recently become, and continue to become, more severe. The report is also unique in that it presents real-world data collected from several hundred assessments and managed service engagements, using our technology, on enterprise voice and UC networks. We present trending data and sanitized attack examples for each threat.
Here is a link to the report. Please give it a read and let me know what you think:
The Communications Fraud Control Association (CFCA) published a link to a bulletin from the Department of Homeland Security (DHS) NCCIC. The bulletin describes threats and TDoS attacks against 911 emergency services. Apparently the attacker targets an administrative Public Safety Answering Point (PSAP), demanding payment. If the payment is not made, the attacker floods the target PSAP (911) with TDoS calls. The bulletin describes many calls, for an extended period of time, that affect both incoming and outgoing calls. The 911 service is likely targeted due to the high criticality of the service.
This threat and attack can be easily extended to contact centers, other government services, or any critical voice service for an enterprise.
Brian Krebs, a well-known security expert, experienced a SWATing attack. For anyone not familiar with this term, the idea is simply that you call 911 and state that there is an emergency that requires a SWAT team to intervene. By calling 911 and spoofing your calling number, you can trick the SWAT team into showing up at your victim's location/residence. It is trivial to spoof your calling number. It is also very easy to use free text to speech services to create an audio file that states the emergency, but avoids the attacker having to use their own voice.
This is an extremely dangerous attack. I fear this attack will become more common and it is a matter of time before an attack takes place and someone gets seriously injured.
Here is yet another article about toll fraud. This one makes a particularly scary point: that toll fraud can seriously affect SMEs, even put them out of business, in a very short amount of time. Toll fraud can affect any enterprise, but smaller enterprises are often the target - they have enough trunk capacity to generate a lot of calls, often do not secure their systems and leave them in a default configuration, and can be limited in their ability to monitor traffic.
There has been a lot of press about major companies' Twitter accounts being hacked and used to send out embarrassing messages. If one is able to hack into any Twitter account, such as a major brand, celebrity, politician, etc., especially one with hundreds of thousands or millions of followers, they could easily trick or encourage their followers to participate in a Telephony Denial of Service (TDoS) attack. For example they could take a negative position about a major financial organization and ask their followers to call a 1-800 number over and over. They could also trick followers into calling a number, 1-800 or whatever, to try to get tickets, concert passes, or some other "prize". For an account with 1,000,000 followers, 1% of the followers could generate 10,000 simultaneous calls - enough to seriously disrupt any target.
As I have reported, the FTC has a challenge and $50,000 award for whoever can come up with the best solution to the issue of robocalls. Here is a link to an article that gives a good summary of the challenge so far. Basically, they have gotten a lot of ideas, but no real solutions. It is a very tough problem. Solutions could be built and would be somewhat effective, but the major smart phone vendors have made it increasingly difficult to control calls on their devices, it would be difficult to put any sort of countermeasure on everyone's home phone, and the service providers neither can nor want to solve this problem.