Understanding Cyber Attacks That Leverage the Telephony Channel

Transcription

1 SESSION ID: CCT-R04 Understanding Cyber Attacks That Leverage the Telephony Channel Payas Gupta Research Scientist CRISSP-AD, New York University Abu Dhabi

2 In collaboration with Mustaque Ahamad Pindrop Security Professor at Georgia Institute of Technology Global Professor at New York University Abu Dhabi Former Director, Georgia Tech Information Security Center Provides Solutions to protect enterprise call centers and phone users. 2

3 GLOBAL THREAT

4 Rachel Credit Card Calling, USA 4

5 Wangiri Fraud, Japan 5

6 Tech Support Scam, UK 6

7 Fake Officials Fraud, China 7

8 Etisalat scam, UAE 8

9 UNDERSTANDING TELEPHONY ABUSE

10 Current Data Sources Telcos Crowd sourced FTC, CRTC fraudulent complaint datasets 800notes open datasets Proprietary 10

11 ACT Principles Accuracy Completeness Timeliness 11

12 Accuracy PROBLEMS WITH CURRENT DATA SOURCES

13 Details of Calls 13

14 Perception v/s Reality 14

15 No Actual Timestamps 15

16 Spoofing 16

17 Completeness PROBLEMS WITH CURRENT DATA SOURCES

18 Not all fraudulent calls are reported Compared both FTC and 800notes against each other for a certain set of numbers 18

19 Timeliness PROBLEMS WITH CURRENT DATA SOURCES

20 Delay in Reporting Fraudulent Calls 20

21 HOW TO SETUP ONE?

22 Using SIP Trunk IP Tel. ext Call SIP Trunk Call Manager/ PBX Switch IP Tel. ext Telephone Exchange Rules Destination no. Destination IP Incoming call Incoming call Tel. Range to Incoming call Incoming call Call Manager table IP Tel. ext Honeypot 22

23 VOIP GSM Gateway Direct Call Direct Call Call Forwarding USB Dongle with SIM OR Honeypot SIM Cards The VoIP GSM Gateway 23

24 Phoneytokens Phoneytokens are digital piece of information (phone numbers + features in our case) whose value lies in the unauthorized use of these token. Features Age Profile Sequential Geography 24

25 Phoneytokens 800 toll 800 toll free Miss call service Twitter number Personal Public profiles Facebook comments Call to Twitter feed YouTube comments Apps steal contact details Call and collect info Call Dating sites DNC lists Shady sites Free service Honeypot 25

26 Challenges Anonymously pushing phoneytokens Ability to engage callers Automation Legal: Telephone conversation recording laws Dealing with false positives Cost Ethics 26

27 Progressing in Combating Phone Abuse SUCCESS SO FAR

28 MAAWG 5.2M/275K NDSS Best Paper 2015 Feb Feb RSA MAAWG Abu Dhabi June Nov MAAWG 2.5M/273K MAAWG MAAWG MAAWG 1K/25 2M/50K Honeypot Best Practice The National news 2014 Feb Mar Jun Jul Aug Sep Oct Dec Nomorobo Pindrop Security NCFTA China Eurecom 2013 NYUAD, Gatech, Pindrop Security 28

29 ANALYSIS

30 Case Study on Pindrop s Telephone Honeypot 10 million calls in first 14 months on 277K honeypot numbers What we have seen Telephony Denial of Service Automated Callers Telemarketing Debt Collector Spoofing CNAM Fraud Geo-targeted Attacks 30

31 Initial Results Total Calls 10,591, months Total Sources 1,108,358 Total Destinations 277,817

32 Initial Results Total Calls 10,591,422 Total Sources 1,108, months Total Dirty Destinations 277, ,302

33 Destination Numbers Distribution 100K 5.6K K K 31K 1000K

34 Source Numbers Distribution 1000K 31K 1K K K 31K 1000K

35 Daily Call Volume Labour Day Black Friday Christmas New Year Memorial Day Independence Day Labour Day

36 Hourly Call Volume

37 Age of destination numbers

38 Age based Distribution

39 Geographical Call Distribution 39

40 Attack Patterns

41 Telemarketer 41

42 Penn Credit Debt Collector 42

43 Penn Credit Debt Collector 43

44 Allied Interstate Debt Collector 44

45 Allied Interstate Debt Collector

46 Geo-Targets

47 Geo-Targets

48 Summary Can be used to collect better intelligence about telephony attacks Accurate, complete and timely information can be obtained using telephone honeypots Noticeable calling patterns like telemarketer, debt collectors, spoofing etc. can be observed from the datasets. 48

49 Open Challenges and Questions How many numbers do we need for completeness? Understanding how numbers are chosen/qualified? Sources Destination Threat understanding should enable defense 49

50 APPLY

51 Going Forward Option 1 Get sufficient set of phone numbers Set a phoneypot at your end Help you to distribute phoneytokens Share the data with us Perform analysis and share the intelligence with you Option 2 Get some numbers Forward the calls to those numbers to one of our phoneypots Will share the raw data and intelligence with you 51