Telephony fraud – Part I
It’s very hard to say when telephony fraud first occurred; however, judging from the sheer magnitude of the phenomenon, we can say one thing – there is a high chance it started 2 days after Bell invented the telephone. When examining the various types of telephony fraud attacks, one thing is evident: telephony fraud has one purpose only, to steal money – telephony fraud is equivalent to theft. Unlike computer hacking, which in most cases is related to information retrieval or purely annoying DDoS, telephony fraudsters are seeking to steal money. We shall examine a few of the most common telephony fraud scams, starting with the most common one, voicemail fraud.
Voicemail fraud is very common, simply because it is very simple to exploit. The most generic attack relies on a short list of assumptions:
- Most voicemail systems allow passwords of up to 4 or 5 digits
- Most people don’t bother changing their voicemail password
- The most common passwords for voicemail are repetitive keys
- Most voicemail platforms allow their users to place an outbound call directly from the voicemail system, returning a call to the message originator
The question to ask: “How can we utilize the above information to fraudulently make phone calls, and make money out of it?” – well, it is simpler than you would imagine. The attack requires a few simple tools:
- A “Premium Service Access Number”, preferably in a foreign country
- A telephony system to accept calls placed to the above-mentioned access number
- A VoIP termination provider, capable of terminating calls with a custom caller ID identification
- A hacked voicemail account – this is fairly easy
Hacking a voicemail account is fairly simple, especially if you have an Asterisk server and you are proficient with writing Asterisk scripts (we won’t go into that). For the sake of argument, let’s say we have access to a hacked voicemail account.
Stage 1 – Leave a voicemail message in the hacked box
Initially, utilizing our termination provider, we call our hacked voicemail box and leave a message. The caller ID that is associated with the message is the “Premium Access Number”. Try to leave a message that is at least 30 seconds long – we will explain why this is required later.
Stage 2 – After leaving the message, call the voicemail system again
Now, what you need to do is really simple. Call the same number and get to the voicemail system (or better, simply call the carrier voicemail system access number). Authenticate yourself as the voicemail owner, using your hacked credentials.
Stage 3 – Listen to your message and verify the caller ID
As you listen to your voicemail message, wait for the “Press something to call the person who left the message” prompt. Now, make sure that the caller ID recorded with the message is the correct one, so that returning a call to the caller simply calls your “Premium Service Access Number”. Now, all that remains is to hit the proper key to make the voicemail system call your “Premium Number”, have your telephony system answer the call and start playing a long playback, let’s say 3 minutes.
Let us imagine that your “Premium Number” charges $5 for each minute a user spends on the system. This means 3 minutes translate immediately to $15, which will be paid by your hacked mailbox owner. All that you need to do right now is hack a few other accounts, make sure you have enough lines for your “Premium Number” – and voilà, instant cash!
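Seen from the operator's side, the stages above leave a recognizable trace in call records: a message whose caller ID is a foreign number, followed shortly by a callback from the same mailbox to that number. The following Python check is an added example, not part of the original post; the record layout, the sample numbers, the `+972` home prefix and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed records in a hypothetical layout (not a real PBX log format):
# (time, event, mailbox, remote number, seconds)
#   deposit  = message left in the mailbox; remote is the caller ID presented
#   callback = voicemail system dialed out for the mailbox; remote is the dialed number
RECORDS = [
    ("2010-03-01 02:10:05", "deposit",  "2001", "+9990000001", 35),
    ("2010-03-01 02:12:40", "callback", "2001", "+9990000001", 180),
    ("2010-03-01 03:01:00", "deposit",  "2003", "+9990000001", 31),
    ("2010-03-01 03:03:00", "callback", "2003", "+9990000001", 180),
    ("2010-03-01 08:00:00", "deposit",  "2004", "+9990000002", 40),
    ("2010-03-01 09:00:00", "deposit",  "2002", "+97235550100", 20),
    ("2010-03-01 09:30:00", "callback", "2002", "+97235550100", 60),
    ("2010-03-03 10:00:00", "callback", "2004", "+9990000002", 45),
]

def find_suspect_callbacks(records, home_prefix="+972", window=timedelta(hours=1)):
    """Flag callbacks to a foreign number made shortly after that same
    number was presented as the caller ID of a message in the mailbox."""
    last_deposit = {}  # (mailbox, number) -> time of the latest deposit
    alerts = []
    for ts, event, mailbox, number, seconds in sorted(records, key=lambda r: r[0]):
        if number.startswith(home_prefix):
            continue  # domestic traffic is out of scope for this check
        when = datetime.strptime(ts, FMT)
        if event == "deposit":
            last_deposit[(mailbox, number)] = when
        elif event == "callback":
            left = last_deposit.get((mailbox, number))
            if left is not None and when - left <= window:
                alerts.append({"mailbox": mailbox, "number": number,
                               "gap_s": int((when - left).total_seconds()),
                               "seconds": seconds})
    return alerts

def summarize(alerts):
    """Group alerts by destination: one number called back from several
    mailboxes is a far stronger signal than a single foreign callback."""
    out = {}
    for a in alerts:
        entry = out.setdefault(a["number"], {"mailboxes": [], "seconds": 0})
        if a["mailbox"] not in entry["mailboxes"]:
            entry["mailboxes"].append(a["mailbox"])
        entry["seconds"] += a["seconds"]
    return out

if __name__ == "__main__":
    for number, info in summarize(find_suspect_callbacks(RECORDS)).items():
        print(number, info)
```

Mailbox 2004's callback is not flagged because it falls outside the window, and mailbox 2002's is skipped as domestic; both thresholds need tuning against the site's normal calling pattern.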
Just a few numbers
You are probably wondering: “Come on, how much money can be stolen this way? This is highly impractical!” – well, since January 2010, over $250,000 has been stolen from various PBX systems in Israel this way, mostly by originating calls to destinations such as Austria, São Tomé and some obscure African countries.
In our next post, we’ll discuss the issue of SIP brute forcing and more…