Denial of Service (DoS) has reigned as the most headline-grabbing network attack over the past three years. The truth, however, is that attacks come in many flavors, ranging from Distributed DoS (DDoS) to low-volume application-layer attacks that target user credentials, financial information or trade secrets, or that abuse services to commit fraud. At the application layer we most often think of HTTP; however, there is an almost immeasurable number of Layer 7 applications open to exploitation.
While at a security conference early this year, I got into a discussion with a few fellow security practitioners about common telephony fraud schemes. What we discovered together during our conversation was that most of what I knew about fraud schemes was not common knowledge and hadn’t filtered out to the rest of the security industry. Sure, many security engineers know that telephone systems can be compromised, but beyond making a few free phone calls, many don’t know the damage that can be done. What I shared with them was how a fraudster could make money fast using their phone system!
According to the Communications Fraud Control Association’s 2013 Global Fraud Loss Survey, telecom fraud accounted for $46.3B in losses for the fiscal year 2013, up 15% from 2011. Some analysts even suspect that losses are much greater than that because they go unreported by corporations or service providers. Fraud losses have actually grown large enough that for the first time in November of 2013 the FBI added two noted telephony fraudsters, Noor Aziz Uddin and Farhan Ul Arshad, to their Cyber’s Most Wanted list.
Many companies have taken to connecting their phone systems to the Internet to enable remote access by employees. Service providers also offer VoIP services for their subscribers, potentially at a lower rate than incumbent providers. If not properly protected, both of these systems can be compromised and used to generate fraudulent calls that can cost tens of thousands of dollars per minute. To maximize profit and make investigation by law enforcement difficult, most of the calls made terminate in foreign countries with a high per-minute bill rate. These are commonly referred to as high-cost destinations.
What most people don’t realize is that through a combination of international telecommunications settlement agreements and national laws, service providers are required to pay the interconnect carrier that carried the call, regardless of whether or not it was fraudulent. That means that either the compromised company or service provider WILL be required to pay. Fraudsters can generally get paid on a weekly basis, yet most subscribers are billed on a monthly basis. This usually allows for a delay that is advantageous to the fraudster. By the time a consumer sees their bill the fraudster has already gotten paid and moved on to use a different resource.
Compromise methods vary from using a low-cost manual labor pool to guess voicemail PINs, to the commonly available scanning and cracking tools found on penetration testing distributions like Kali. The pentesting tools used to compromise and exploit a phone system are not very sophisticated (nor do they need to be) and can be learned in a matter of hours or even minutes. Some target the VoIP protocols themselves, others the administrative interfaces. During some SIP honeypot research I conducted (which I spoke about at DEF CON Skytalks this year), I discovered that 99% or more of the tools used have identifiable signatures and are not modified from their original form. The goal of the compromise is to take over a voicemail user account or VoIP credentials to enable multiple fraud types. Once access to a phone system is gained, a smart fraudster will wait until a night or weekend to generate their calls, so they have a greater chance of going unnoticed.
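The credential attacks described above (extension sweeps and password guessing against SIP REGISTER) leave a recognizable footprint in PBX or SBC authentication logs even when the tool itself is not fingerprinted. The following is an added example, not code from the original post or from any vendor; it assumes a simplified one-line-per-attempt log format constructed for the example, in which each line records the final outcome of a registration attempt (so a 401 or 403 means offered credentials were rejected, not the routine 401 challenge that every unauthenticated REGISTER receives first). The thresholds are assumptions to tune per site.

```python
"""Spot SIP REGISTER credential attacks (extension enumeration and
password guessing) in PBX/SBC authentication logs.

Assumed log format, constructed for this example (real PBX and SBC logs
differ): "<ISO timestamp> <source IP> <SIP method> <target user> <final code>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per source address (assumed)
MAX_FAILURES = 10                # rejected REGISTERs in WINDOW from one source
MAX_DISTINCT_USERS = 5           # distinct extensions tried in WINDOW


def parse_line(line):
    ts, src, method, user, code = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "user": user, "code": int(code)}


def detect_register_abuse(lines):
    """Return {source_ip: alert} for sources whose rejected REGISTERs exceed
    either threshold within WINDOW. Sweeping many extensions is reported as
    enumeration; hammering one extension as password guessing."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    history = defaultdict(deque)     # src -> deque of (ts, user) rejections
    alerts = {}
    for ev in events:
        if ev["method"] != "REGISTER" or ev["code"] not in (401, 403):
            continue
        hist = history[ev["src"]]
        hist.append((ev["ts"], ev["user"]))
        cutoff = ev["ts"] - WINDOW
        while hist and hist[0][0] < cutoff:    # expire rejections older than WINDOW
            hist.popleft()
        users = {u for _, u in hist}
        if len(users) >= MAX_DISTINCT_USERS:
            kind = "extension enumeration"
        elif len(hist) >= MAX_FAILURES:
            kind = "password guessing"
        else:
            continue
        alerts[ev["src"]] = {"kind": kind, "failures": len(hist),
                             "distinct_users": len(users), "last_seen": ev["ts"]}
    return alerts


# Constructed sample (documentation IP ranges): a legitimate phone with one
# mistyped password, a scanner sweeping extensions 1000-1005, and a
# single-extension password guesser making 12 attempts in 12 seconds.
SAMPLE_LOG = [
    "2014-09-06T02:14:00Z 192.0.2.10 REGISTER 1001 200",
    "2014-09-06T02:14:10Z 192.0.2.10 REGISTER 1001 403",
] + [f"2014-09-06T02:14:{1 + i // 2:02d}Z 203.0.113.9 REGISTER {1000 + i} 403"
     for i in range(6)] \
  + [f"2014-09-06T02:15:{i:02d}Z 198.51.100.4 REGISTER 2001 403"
     for i in range(12)]

if __name__ == "__main__":
    for src, alert in detect_register_abuse(SAMPLE_LOG).items():
        print(src, alert)
```

On the sample, 203.0.113.9 is reported as extension enumeration after its fifth distinct extension and 198.51.100.4 as password guessing after its tenth rejection, while the single failure from 192.0.2.10 stays below both thresholds. Feeding the flagged sources to a firewall or SBC block list is the natural next step; the point of the sliding window is that a slow, patient guesser that stays under the per-minute rate will not trip it, so pair this with per-extension lockout counters in the PBX itself.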
A few of the top ways a fraudster can quickly make money using a compromised phone system include:
International Revenue Sharing Fraud (IRSF) – Calls are generated to a Premium Rate Service (PRS) number hosted by a provider in another country. The provider may include IVR services that will answer the incoming call so billing can take place. For each call or minute generated, the terminating provider charges the upstream carrier and shares some of the profit with the fraudster (thus the term revenue sharing). While PRS providers can be legitimate, there are a number that are knowingly engaged in fraud.
Wholesale Fraud / Toll Bypass – The business of connecting calls between foreign destinations can be highly competitive. Exchange and wholesale providers that carry calls from one service provider to another between countries compete on very small margins. These providers offer their services in online marketplaces and attempt to profit by being the lowest-cost provider to specific markets. A fraudster can exploit this by offering a lower-cost route than the competition; however, the route they provide is actually a corporate phone system that has been compromised. Similar to IRSF, the fraudster shares in a profit of cents per minute, but other service providers are actually generating the calls. The fraudster has no overhead since they are using someone else’s network.
Wangiri or SMS SPAM – In Wangiri (“ring once”) and SMS SPAM the fraudster either calls a phone and lets it ring once, or texts an enticing message to a subscriber, using caller-ID spoofing. The subscriber either returns the missed call or calls the number from the text message. For readers in North America, remember that Caribbean destinations are included in the ten-digit North American Numbering Plan maintained by NANPA, the North American Numbering Plan Administration. Customers who return or make these calls don’t realize that a ten-digit number isn’t necessarily in-country and can actually terminate in the Caribbean at destinations such as Barbados, Grenada or Montserrat; the call is actually to a premium rate destination. While these two schemes can be conducted from anywhere, having a compromised PBX to generate the calls provides the fraudster with a level of protection and reduces their cost.
How can one minimize the potential risk of compromise, or limit the exposure after a system has been compromised? There are a few best practices:
Follow vendor hardening guidelines, especially those regarding password controls and protection of administrative interfaces. Don’t put an administrative interface on the Internet.
Limit or eliminate features that aren’t needed such as call forwarding, voicemail callback, and dialing out from voicemail.
Block or limit international dialing to specific countries where business is conducted, using call routing plans and/or a PIN for international calls.
Use a security appliance such as Radware’s DefensePro that understands the SIP protocol to block invalid messages, known attack tools, and attempts to crack SIP credentials.
Watch for suspicious logs and calling patterns, like voicemail boxes being locked out, a spike in inbound or outbound calls, or a spike in calls to an auto-attendant number.
Talk to your service provider about what fraud prevention services they offer. Many have services they don’t market well, or that may seem expensive. Compared to the potential fraud loss, prevention services are worth it.
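The routing-plan and monitoring practices in the list above (restricting international dialing to countries where business is conducted, catching the ten-digit Caribbean destinations the Wangiri item describes, and watching for spikes in outbound calls or calls to an auto-attendant, especially at night or on weekends) can be applied to a PBX's call detail records. The following is an added example written for this post, not code from the original or from any vendor. It assumes a simplified CSV CDR format constructed for the example, an assumed allow-list of country codes, a hypothetical auto-attendant number, and assumed thresholds; the three NANP area codes listed are the published assignments for Barbados, Grenada and Montserrat and should be checked against the current NANPA list before use.

```python
"""Screen PBX call detail records (CDRs) for the fraud patterns above.

Assumed CDR format, constructed for this example (real PBX exports differ):
    timestamp,extension,direction,number,duration_seconds
Numbers are E.164 ("+<country code><national number>").
"""
from collections import Counter
from datetime import datetime

# Routing policy (assumed): international calls only to countries where the
# business operates.
ALLOWED_COUNTRY_CODES = {"44", "49"}          # UK, Germany

# Ten-digit NANP area codes that terminate outside the US and Canada
# (published assignments for Barbados, Grenada, Montserrat; verify with NANPA).
NANP_NON_US_CA = {"246", "473", "664"}

AUTO_ATTENDANT = "+15555550100"  # hypothetical inbound auto-attendant number
BUSINESS_HOURS = range(8, 18)    # 08:00-17:59, Monday to Friday (assumed)
MAX_OUTBOUND_PER_HOUR = 5        # per extension (assumed threshold)
MAX_AA_INBOUND_PER_HOUR = 20     # calls to the auto-attendant (assumed)


def classify_destination(number):
    """Return 'domestic', 'nanp-high-cost', 'international-allowed' or
    'international-blocked' for an E.164 number."""
    if not number.startswith("+"):
        raise ValueError(f"expected E.164 number, got {number!r}")
    digits = number[1:]
    if digits.startswith("1") and len(digits) == 11:      # NANP: +1 NPA NXX XXXX
        return "nanp-high-cost" if digits[1:4] in NANP_NON_US_CA else "domestic"
    for n in (3, 2, 1):                                     # country codes are 1-3 digits
        if digits[:n] in ALLOWED_COUNTRY_CODES:
            return "international-allowed"
    return "international-blocked"


def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def screen_cdrs(lines):
    """Return a list of (who, alert_kind, detail) tuples. A completed call to a
    blocked or high-cost destination means the routing plan did not stop it;
    spikes are counted per extension per clock hour."""
    alerts = []
    outbound = Counter()      # (extension, hour bucket) -> outbound calls
    aa_inbound = Counter()    # hour bucket -> inbound calls to the auto-attendant
    for line in lines:
        if not line.strip():
            continue
        ts_s, ext, direction, number, _duration = line.split(",")
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        hour = ts.replace(minute=0, second=0)
        if direction == "out":
            dest = classify_destination(number)
            if dest in ("international-blocked", "nanp-high-cost"):
                alerts.append((ext, dest, number))
            outbound[(ext, hour)] += 1
            if outbound[(ext, hour)] == MAX_OUTBOUND_PER_HOUR + 1:   # fire once per hour
                kind = "outbound-spike-off-hours" if off_hours(ts) else "outbound-spike"
                alerts.append((ext, kind, hour.isoformat()))
        elif direction == "in" and number == AUTO_ATTENDANT:
            aa_inbound[hour] += 1
            if aa_inbound[hour] == MAX_AA_INBOUND_PER_HOUR + 1:
                alerts.append(("auto-attendant", "inbound-spike", hour.isoformat()))
    return alerts


# Constructed sample: one legitimate UK call on a Friday afternoon, then a
# compromised extension 1005 calling a non-allowed country and a Barbados
# number at 02:00 on Saturday 2014-09-06, and a burst of 21 calls into the
# auto-attendant an hour later.
SAMPLE_CDRS = [
    "2014-09-05T14:10:00Z,1001,out,+442071234567,300",
] + [f"2014-09-06T02:{i * 5:02d}:00Z,1005,out,+331234567{i:02d},600" for i in range(6)] \
  + ["2014-09-06T02:40:00Z,1005,out,+12465550123,120"] \
  + [f"2014-09-06T03:00:{i:02d}Z,0,in,{AUTO_ATTENDANT},5" for i in range(21)]

if __name__ == "__main__":
    for alert in screen_cdrs(SAMPLE_CDRS):
        print(alert)
```

Run against the sample, the screen produces six blocked-destination alerts for extension 1005, an off-hours outbound spike on its sixth call, a high-cost NANP alert for the Barbados number, and an inbound spike for the auto-attendant; the Friday UK call produces nothing. `classify_destination` is the same check a routing plan enforces before the call is placed, so using one function for both the dial-plan decision and the after-the-fact CDR review keeps the two from drifting apart. Hourly buckets are deliberately coarse; a fraudster who spreads calls over several hours stays under the spike threshold, which is why the destination checks run on every call rather than only on bursts.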
Patrick is a Solutions Architect in Business Development and Carrier Sales for Radware. Before joining Radware in February of 2014, he was in charge of product security assurance and pentesting for Oracle | Acme Packet. Patrick is a subject matter expert in security for real-time voice and video, and has spoken on security and fraud schemes at multiple conference events such as DEF CON Skytalks, CarolinaCon, Oracle Openworld, WebRTC Conference & Expo, FIINA, CFCA and IAUG. Most of his twenty years of experience have been within telecom manufacturers focusing on security, large scale architecture design, third party integration and operations. Patrick also has experience in IT roles within outsourcing, document management, banking and defense industries.