For those not familiar with STIR, it is an effort (working group) attempting to solve the issue of spoofed calling number (caller ID). It has become so easy to generate calls with random anonymous numbers or specific/targeted spoofed numbers, that the source number has lost most of its value as an indicator of who is calling. This enables some attacks, but more importantly, makes other attacks such as Telephony Denial of Service (TDoS), voice SPAM (robocalls), scams, voice phishing (vishing), and harassing/threatening calls much more of an issue.
I just finished attending the 2014 SIP Network Operators Conference (SIPNOC). I couldn't attend some of the conference and missed the update on Secure Telephone Identity Revisited (STIR). However, I checked the IETF website and there has been quite a bit of activity, and there are several new documents that are worth a read. You can find these documents at:
Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:
Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone else's PBX to generate calls to premium numbers set up by the hacker, or where the hacker has an agreement with the owner to generate traffic.
Telephony Denial of Service (TDoS) - using someone's PBX to target a business or individual. The attacker makes money through extortion.
Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).
At the end of the presentation, there is a brief TDoS demo.
Note that another way to make money is call pumping, where the calls are to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.
The M3AAWG Special Interest Group (SIG) on voice fraud and security issues has published their agenda. This SIG will be held February 20-21. I will be on the panel discussing current solutions, with a focus on Telephony Denial of Service (TDoS). I hope to see some of you there:
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is holding a special interest group in their annual conference in San Francisco, February 17-21, to focus on issues unique to voice. This includes Telephony Denial of Service (TDoS), robocalls, voice SPAM, voice phishing, etc. I will attend and be on the solutions panel. Here is a link to an article discussing the special interest group.
Here is a bulletin from the FBI warning about toll free, 1-800 call pumping attacks. The basic idea (I cover this extensively in my Hacking Exposed: UC and VoIP book) is that the attacker, usually an unscrupulous service provider, generates many (perhaps millions) of calls into 1-800 numbers. They profit because they receive a piece of the 1-800 revenue, which is paid by the owner of the 1-800 number. See the bulletin below:
There are two types of attacks. One will "spray" many numbers with very short calls, in order to get a piece of the connect time revenue. Another will generate long calls, usually to a smaller number of 1-800 numbers and IVRs, in order to get a piece of the connect and per-minute charges. The latter form may require some analysis of the target 1-800 IVR, and the use of tailored audio which dwells in the IVR through menu-looping DTMF tones or other audio.
Either type can generate a TDoS condition, if the attacker generates too many calls or if the calls target a part of an IVR or enterprise with limited bandwidth. This is especially true for calls which dwell in the IVR, because they consume more resources.
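The two call pumping profiles described above, and the TDoS condition they can produce, show up in call detail records (CDRs) as distinct patterns. The following is an added example (not from this post or SecureLogix) that classifies each source as "spray" (many short calls across many numbers) or "dwell" (long calls parked in one or two IVRs) and computes peak concurrency toward one destination against an assumed trunk capacity; the CDR lines and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample CDRs (not real traffic): caller, callee, start offset (s),
# duration (s). One source sprays short calls; another parks long calls in an IVR.
CDR_LINES = """
spray-src,18005550101,0,6
spray-src,18005550102,2,5
spray-src,18005550103,4,7
dwell-src,18005550199,0,900
dwell-src,18005550199,10,880
dwell-src,18005550199,20,910
normal-src,18005550199,100,120
"""

def parse_cdrs(text):
    return [(c, d, int(s), int(t)) for c, d, s, t in
            (line.split(",") for line in text.strip().splitlines())]

def classify_sources(cdrs, min_calls=3, short_s=15, long_s=600):
    """Return {source: 'spray' | 'dwell' | 'normal'} from per-source stats."""
    stats = defaultdict(lambda: [0, set(), 0])  # calls, distinct callees, secs
    for caller, callee, _, dur in cdrs:
        s = stats[caller]
        s[0] += 1; s[1].add(callee); s[2] += dur
    verdicts = {}
    for src, (n, callees, secs) in stats.items():
        mean = secs / n
        if n >= min_calls and len(callees) >= 0.8 * n and mean <= short_s:
            verdicts[src] = "spray"   # many short calls across many numbers
        elif n >= min_calls and len(callees) <= 2 and mean >= long_s:
            verdicts[src] = "dwell"   # long calls parked in one or two IVRs
        else:
            verdicts[src] = "normal"
    return verdicts

def peak_concurrency(cdrs, callee):
    """Max simultaneous calls to one destination (sweep over start/end events)."""
    events = []
    for _, dst, start, dur in cdrs:
        if dst == callee:
            events += [(start, 1), (start + dur, -1)]
    events.sort()  # at the same instant an end (-1) sorts before a start (+1)
    cur = peak = 0
    for _, delta in events:
        cur += delta; peak = max(peak, cur)
    return peak

def tdos_condition(cdrs, callee, trunk_capacity):
    """True when the destination's peak concurrency would saturate its trunks."""
    return peak_concurrency(cdrs, callee) >= trunk_capacity
```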
See the link below - Dancho Danchev, who has blogged extensively about Telephony Denial of Service (TDoS), lists this issue as the #2 cybercrime trend for 2013. I agree, and we are likely to see it grow in 2014.
In my Hacking Exposed: UC and VoIP book, I described a process for using Asterisk and a call generator along with SIP-based access to the voice network to launch TDoS attacks. This process is pretty easy to do, but not yet at the "script kiddie" level. It is certainly effective, but takes a little know-how.
The tool that Dancho describes is apparently much more turnkey. It is ready to go and appears to have preconfigured means to send calls into the network (Skype, vulnerable SIP servers, etc.), so it could pretty much be used by anyone. The tool also comes preconfigured with cellular access so it is more anonymous (although you can also easily get public wifi access on just about any street corner). The tool is also multi-threaded, which I assume means it can generate more concurrent calls through multiple origination points.
Many of the recent TDoS attacks are targeting a very small or even a single critical phone number, such as a hospital emergency room or ICU. Many of these attacks use cheap manual labor to generate the calls. The tool described above could easily be used for this same purpose, enabling many simultaneous attacks against many targets. If it can generate 100 concurrent calls, it could be used to attack up to 100 targets at a time. That is a much better model than hiring 100 people to be on the phone.
The Los Angeles (LA) Times ran a story on Telephony Denial of Service (TDoS) attacks. This is one of the first examples of this issue being covered in the mainstream media, outside the IT-specific media. SecureLogix contributed information for this article and it was our firewall that was used to mitigate the attacks. If anyone would like more information, drop me a note:
There has been a lot of press about recent Telephony Denial of Service (TDoS) attacks and the payday loan scam. The FBI issued a warning back in January and since then, there has been a ton of press and articles on the attack (see links in previous posts):
Here is some info on the scam that I have assembled from customers seeing the attack, prospective customers we have had discussions with, and service providers having to deal with the attack. The attackers call a number and state that the callee or another individual owes money on a "pay day" loan. If they don't pay, their number will be overwhelmed with calls - a TDoS attack.
The attack seems to have originated with the attackers gaining access to a list of individuals and numbers who have had pay day loans. This makes some sense - these individuals may owe and could be likely to fall for the scam and pay. The attack is affecting Intensive Care Units (ICUs), other emergency facilities at hospitals, Public Safety Answering Point (PSAP) administrative lines, and other critical services. It isn't clear to me if these targets just happen to have numbers on the list or, much more likely, the attacker has expanded their attack and targets to victims equally likely to pay.
I have heard that so far, as much as $4,000,000 has been paid as part of this scam!!! One individual has been the victim of multiple attacks and paid $60,000 to date!!! I would not have predicted that this many individuals and enterprises would pay, but apparently they have. This number may be quite a bit higher - certainly not all victims will have reported the issue.
This shows a way for attackers to make money off of TDoS. One usually thinks of DoS, DDoS, and TDoS as occurring simply for disruption or as a cover for other attacks. In this case, someone is directly making money off of it, so we will certainly see more.
The attacker requests that the victim load funds onto pre-paid VISA debit cards. The attacker then uses funds on the cards at their leisure.
Those who report being attacked have complained about a persistent flood of calls that overwhelms their numbers or even their entire voice system. Some victims have obviously gone ahead and paid the extortion, but that is the worst thing you can do. There is no assurance that the attack will stop, and there is a good chance it will just continue or get worse, because the attacker now knows that they have a gullible victim. You will be much wiser to look for a means to mitigate the attack, such as voice firewall/IPS solutions from SecureLogix, which work for SIP and TDM networks. You can also try to ride the attack out.