Here is a link to a good article in a national publication, the New York Times, on the growing issue of toll fraud. Toll fraud has been around for many years, but continues to get worse for a number of reasons. Attackers set up premium (think 1-900) numbers and are incented to drive traffic to these numbers. They look for ways to generate the traffic and leave a victim with the bill. Small businesses are an attractive target. They often deploy new VoIP systems, but do not spend the time to secure them, and address issues such as default open ports and passwords. The attackers scan for these systems and when found, use them to launch 100's, 1000's, or 10,000's of calls to their premium numbers. Or they hire attackers to do this for them and share the revenue.
The issue doesn't have a lot to do with VoIP, it can occur with legacy TDM PBXs and trunking, but is often associated with VoIP, because it is often the new low-end VoIP systems that are being attacked. Also, the attackers often use low-cost VoIP and SIP services to generate inbound calls to the compromised PBXs, which "hairpin" out to the premium numbers.
Since these calls cost the service provider money to deliver, they can't usually credit the victim.
There are a number of solutions to this issue, including the SecureLogix (www.securelogix.com) voice security/firewall application. Using a cloud-based delivery option makes this solution very attractive for small businesses, who don't have the expertise or budget to deploy and manage a premises based solution.
Here is a link on Youtube of a recent video we did on Telephony Denial of Service (TDoS). It covers the concept and then the various types of attacks that we are seeing, including manual TDoS, social networking TDoS, and then different types of automated TDoS. We also briefly cover the Payday Loan Scam/Attack, which is affecting many hospitals and public safety sites:
The Federal Trade Commission (FTC) is continuing their fight against those annoying robocalls, by sponsoring their Zapping Rachel challenge at the most recent DEFCON 22 conference. The focus of the challenge was phone honey pots (phonypots), which are used to answer calls from robocallers and try to understand their behavior. The challange awarded over $10,000 in prizes to the winners in categories of creator, attacker, and detective.
You can get more information from the FTC website at:
We all know that these calls are a big issue for consumers on their land lines. The robocallers, whether they are selling a product, harassing their victim, trying a scam, or attempting to get information (vishing), have traditionally targeted landlines because they have lists of numbers and because the targets can be especially vulnerable (elderly consumers).
However, we are all getting some of these calls on our cell phones. This is in violation of the Telephone Consumer Protection Act (TCPA). This document, while old, is a must read. Now it is also illegal to make robocalls to normal land lines, but I predict that robocalls to cell/smart phones will get more attention and make it likely that the victims will complain. As covered in the video, attorneys have started to notice and I predict will work to make their share off of this issue, which is only getting worse and more common. Now attorneys will only be able to go after "legitimate" robocallers. They will have equal challenges as law enforcement going after illicit robocallers or those outside the country, but there are a lot of attorneys, and between them, law enforcement, the FTC/FCC, we may see a growing civil and law enforcement response to the robocalling issue.
This will also be a boon for companies building smart phone applications to block these calls.
While this is going on, the robocallers are also increasing their call volume into businesses and enterprises. Land lines are slowly going away and the target base is getting saturated. It may be too risky to hammer away at consumers precious cell/smart phones (heaven forbid a call comes in in the middle of composing an Instagram or Snapchat message), so the logical next target will be businesses and enterprises.
The FBI just released another private industry notification to warn enterprises about contined Telephony Denial of Service (TDoS) attacks. The FBI warns that the attacks tend to target hospitals and Public Safety Access Points (PSAPs), the administrative part of a 911 center. Here is a PDF - I don't have a link:
The FBI predicts that TDoS will become the go-to attack against any enterprise who is heavily depending upon their voice systems. This includes any enterprise, but in particular, those with public facing contact centers, in the financial, health care, government, retail, and safety sectors.
The notifications states that since 2013, there have been 1000 REPORTED attacks - there have certainly been more that were not detected.
The notification also provides recommendations for mitgiation of the issue. SecureLogix has cloud and premise based solutions that address this issue. Most enterprises experiencing these attacks can point their voice systems to our cloud based solutions and begin solving the issue almost immediately.
Back in 2011, a firm was hit with toll fraud and racked up a $35,000 bill. The firm refused to pay and fought the issue in court. The court found in favor of the firm and ruled that the service provider did not provide adequate security.
This is the first time I recall seeing such a ruling in the press. Enterprises and service providers deal with responsibility for toll fraud all the time, with the many different results (service provider takes responsibility for the first issue, both parties cover portions of the cost, and the enterprise covers the cost).
For those not familiar with STIR, it is an effort (working group) attempting to solve the issue of spoofed calling number (caller ID). It has become so easy to generate calls with random anonymous numbers or specific/targeted spoofed numbers, that the source number has lost most of its value as an indicator of who is calling. This enables some attacks, but more importantly, makes other attacks such as Telephony Denial of Service (TDoS), voice SPAM (robocalls), scams, voice phishing (vishing), and harassing/threatening calls much more of an issue.
I just finished attending the 2014 SIP Network Operators Conference (SIPNOC). I couldn't attend some of the conference and missed the update on the Secure Telephony Identify Revisited (STIR). However, I checked the checked the IETF website and there has been quite a bit of activity and there are several new documents that are worth a read. You can find these documents at:
Wardialing and modems are still a reality despite the wide adoption of VoIP. Also, the available of VoIP at the war dialing tool side, has made this process more effective. Plus, the tools mentioned can be used for a lot of things other than war dialing, including nasty things like looking for second dial tone, IVR behaviors, etc. that can be used for other attacks.
I covered how to use tools like WarVOX for these attacks in my Hacking Exposed: UC and VoIP book:
Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:
Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone elses PBX to generate calls to premium numbers set up by the hacker or where the hacker has an agreement with the owner to generate traffic.
Telephony Denial of Service (TDoS) - using someones PBX to target a business or individual. The attacker makes money through extortion.
Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).
At the end of the presentation, there is a brief TDoS demo.
Note that another way to make money is call pumping, where the calls are to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.
Check out the following article. It states that over 200,000 voice phishing/vishing calls into Korea, from other countries, were blocked in January and February. Some additional statistics are given as well that break the calls down by type, bank, etc. Most of them are imitating Korean banks. Unfortunately, there isn't any information about how these calls are blocked, I presumably by Korean service providers.
It seems like US-based service providers could do the same thing - block international calls claiming to be US-based finanical institutions. This isn't trivial though, you need technology at the right location in your network and managing blacklists of numbers takes a ton of work (I know, we do it too).