A Garda Síochána. PABX Fraud Explained

Transcription

1 A Garda Síochána PABX Fraud Explained Q: What is PABX fraud? A: PABX fraud is defined as the unauthorized use of a company's phone system. It is theft of long-distance services by a) an unrelated third party, b) a staff member of a long-distance carrier, local telco or vendor, or c) the user's staff member. Q: What are the most frequently used methods of toll fraud? A: There are seven frequently used methods of committing toll fraud. They are: 1. PBX manipulation, 2. Voice mail penetration, 3. Failure to install/use CDR or SMDR, 4. Maintenance port tampering, 5. Remote access abuse (DISA), Q: Who is most likely to access our equipment unlawfully? A: As is the case with any other unlawful act, criminals in this industry, who are referred to as "hackers," do it mainly for the money. Others do it for fun, professional challenge and/or out of boredom. Still others know how easy it is, know the codes, have the proper equipment and cannot resist the temptation. In most cases, they can recognize the manufacturer/brand by the prompts and determine which password ranges on which to concentrate. With some luck and persistence, they will "hack" into their first system within the hour. Most of the activity is through call/sell operators who operate in urban communities, mainly by immigrants for immigrants who call to countries like the Dominican Republic, China, Pakistan and Egypt at a rate of 10 for a 30- to 45-minute call. The calls usually take place after regular business hours or on weekends where the excessive PABX traffic will go on unnoticed and uninterrupted.

2 Q: How do hackers get the numbers? A: There are different methods of obtaining telephone codes: 1. "Dumpster divers," or the people who go through your trash and look for phone bills, computer printouts or product manuals. 2. "Shoulder surfers," those people who stand particularly close to you at a pay phone (in airports, bus terminals, etc.) while you dial your DISA password, voice mail code or calling card number so they can capture your dialing sequence. 3. Hackers publish their findings in magazines, BBS and even on the Internet. Q: What do they do with these codes once they have obtained them? A: Since the primary motive is money, they look for buyers. On the streets of New York City, for example, where 60 percent of PABX fraud attempts originate, a good number (or, in street slang, a "Montebello") will go for $3,000 to $5,000 depending on the supply/ demand at that time. Q: Why are PABXs a perfect target for these hackers? A: Today's PABXs are feature-rich, and more and more features are developed each day as the various PABX manufacturers attempt to gain a competitive edge. These features are all software, and therefore programmable, which in most cases means they can be accessed remotely. In addition, maintenance and service is provided by interconnects from remote service centers via modem lines. All of this creates a very familiar environment for the hacker to operate in with very little risk of being identified. Q: What are hackers looking for in your PBX? A: The easiest vehicle for them is to gain control of your direct inward service access (DISA) where a remote user can gain access to an outside line from your PBX by punching some "long" authorization codes. Most companies use it for the travelling employee. Second, they would love to "take over" your maintenance port. By controlling that port, which is the heart of your PBX, they can do whatever they want, including changing your routings and passwords and deleting/adding extensions. And, if their intent is vicious, they can actually shut down your PBX and take you out of business. Voice mail is probably the most popular vehicle of PABX fraud these days. Like PABXs, voice mail systems are also very sophisticated and full of features. You can, among other things, sit on the beach in the Caribbean and program your voice mail box in Chicago to place any inbound call on temporary hold, grab another line, call your cellular phone then conference the two lines--all within seconds. Meanwhile, the caller has no idea that you are actually enjoying the sun and sipping Jamaican rum. Hackers want to use exactly that feature to forward calls to a "phantom" mail box that will give just a dial tone. Then, they dial the rest from any public phone in Miami, Dallas or Amsterdam. Another kind of voice mail hacking involves changing the greeting in an "orphan" mail box to a simple greeting, which may consist of 10 seconds of silence followed by, "Yes, operator, I will accept the charges." The hacker can then dial "0" from any

3 pay phone, tell the long-distance operator he or she would like to call London, and charge the call to a "third party" which is "the hacker's" company at extension 777. When the operator calls that number and asks to be transferred to extension 777, his/her 10-second inquiry ("This is the long-distance operator. Mr. Joe Brown is calling London, will you accept the charges?") will be accepted by the well-timed, pre-recorded fraudulent greeting. Q: What can be done to combat fraud? A: The following are some basic steps you might want to consider adopting in the fight against PABX fraud: Education: First, get yourself and your immediate staff acquainted with toll fraud. Periodically remind all employees who have been issued authorization codes (DISA, voice mail, etc.) of the importance of keeping these codes secret and the need to change them frequently. Also, warn all employees about "shoulder surfers" and advise them not to write their codes in public or yell them out in a crowded area. Second, educate yourself with the many features of your PABX, voice mail and/or ACD. Shut down all of those not in use or not in service, and change your PBX passwords as frequently as possible. Ports: Install a "dial back" modem on your maintenance port, and always have your service provider call you before accessing your PABX. Block: Block access to destinations where your company does not do business. If circumstances do not permit this, at least block calls to some or all of the 10 most popular fraud destinations (Google search). Voice Mail: Make sure your voice mail system is a "closed loop" and cannot be manipulated to get an outgoing dial tone. Check your valid mailbox list and delete any box that is no longer in service. Disconnect callers after three unsuccessful attempts at dialing their mailbox code. Instruct employees to change their voice mail passwords and delete "old" messages. Codes: Choose random. lengthy passwords (10 digits or more) and change them frequently to make it harder for hackers to discover them. Keep these codes in a safe place and never write them on the wall next to the PBX. DISA: Consider disconnecting DISA. If this feature is necessary, ensure that only those employees who have a real need for international calls will be allowed to use it. Telco Filtering: More and more companies are demanding, and being provided with, extra value services form their Telco providers. Filtering and Early warning permits the owner of the PABX to limit their cost exposure for this type of crime. PBX Fraud Frequently Asked Questions (information provided by TeleDesign Security Inc.) 1. When I get hacked, who is going to pay for the calls? Your company is responsible for all charges incurred on your system. Recent court decisions and filed tariffs make you, not the carrier, responsible for the security of your CBX/PCX system if you have not taken steps to protect your assets.

4 2. Who are these people and why are they stealing calls? Today, communication theft is perpetrated from remote distances by highly skilled, technologically sophisticated criminals who have little fear of being detected, let alone apprehended or prosecuted. These criminals conduct a growing business selling access to communications systems all over the country. 3. Why don't the carriers write off these charges? Today, fraudulent calls are placed over many different inter-exchange Carriers (IXC), each carrier must pay that portion of the call handled by them. When the call is placed to an international location the domestic carrier must pay the foreign carrier regardless of the fraud. Court cases divestiture and FCC rulings prevent carriers from writing off calls. You the end user control access to your systems. 4. Why is identifying or stopping the fraudulent calls the customer's responsibility? Only the customer can differentiate legitimate calls from fraudulent ones. The long distance carriers do not have access or permission to work on your CBX I PBX, the vehicle that hackers use most to conduct their activities. 5. How will the hacker find my system? 1) Criminals pay for a CBX I PBX maintenance port number and password. 2) Hackers 'scan' using auto-dialers to find systems equipped with modems. 3) Your Company's telephone directory listing or your 800 service advertising make you known to the hacker. 6. How do I justify the expense of corrective action when we have not suffered a loss? Past performance is not an accurate indicator of present threats. The equipment and the motivation to perpetrate this criminal activity did not exist more than a few years ago. Just imagine attempting to explain the United States freeway system to the early inventors of the railroad, or explain to a rural builder of windmills that the windmill would be an alternate energy source. Educate your Executive council about the pitfalls of not protecting your Corporate assets and enlist their support by implementing a Corporate policy on unauthorized access as your first step. 7. What is a PHREAKER? A Phreaker exploits the omission of security controls in your system that occurred during installation or repair. The Phreaker steals from your system with out the need to change any of your parameters. The only tools required to be a very good phreaker are patience and social engineering skills. 8. How does a hacker gain access to my system? Hackers use computerized calling programs, automatic dialers, and sophisticated software to break your systems security and pass codes. Hackers attempt to gain access in the following order:

5 1) Phone Mail I Voice Mail 2) Automated Attendant 3) Remote Access or Direct Inward Service Access (DSIA) 4) Remote Maintenance/ Administration Port. 9. Why is it important to protect my Maintenance/Administration Port? This is the most important port on your CBX I PBX system. Hackers gain access to your system software and control your Voice Mail, DISA and other CBX I PBX features through the maintenance port. 10. How do hacker know which CBX I PBX type and brand of Voice Mail I am using? Hackers identify the type of CBX/PBX by the Login procedure used for each system. They know the pass codes for each vendor CBX I PBX. hackers also recognize the various Voice Mail and Phon systems by the default digitized voice recordings. 11. How does a hacker use my Voice Mail? 1) Through your Voice Mail the hacker is able to use your CBX I PBX "trunk-totrunk connections" feature to access your long distance network. 2) Your Voice Mail might also be used as a "bulletin board" to distribute stolen credit card and other hacker related information. 3) They may change your greeting to "Hello!...pause...Yes, I'll accept the charges to Zaire." 12. I understand why a larger user must be concerned, but I'm a small business in a rural community. Why should hacker activity concern me? Hackers use auto-dialers to search entire area codes to find systems to hack, they do not care who or where their victims are. No one is safe, and smaller companies may be less able to absorb the average loss ranging from $10,000 to $80,000 per incident. 13. What happens when a hacker finds my Maintenance I Administration Port? Hackers use manufacturers default passwords or computer generated, craker programs until they find a usable password. They then enter a system unlawfully and make software changes that allow unauthorized calls. Information on how to use your altered system is then sold to "call sell operators" who sell calls over your system to whomever wishes to place calls. These calls are typically made from public telephones (pay phones) in large metropolitan cities. 14. What is FAX back fraud? The theft consisted of compromising a system set up to deliver FAX information. The system accepted incoming requests for catalogs, product information and investment opportunities. These request were stored with a call back number. During off peak hours the system delivers the requested information via a call back. The company sending out the information pays for the call. International tele-thieves requested information that in reality was transmitted to an international "Party Line", pay per call number. This number answered with Fax tone and threw the incoming message away. The thieve may request 100 copies of the information and attempts to collect

6 $3.95 per minute, plus the cost of the international call, from the unsuspecting victims. 15. What is different about this theft from other forms of fraudulent activity. There are three major differences with this case: 1) The call is processed as data, not voice. 2) An international organization is required to: find the victim, set up the call, collect the money and manage the administration in a foreign location. 3) The theft or scheme has migrated and expanded in form and severity. 16. What do you mean that it has migrated? When first discovered the theft required a victim to have FAX Back Service. The thieves then migrated to "looping through a CBX". Now they are using cheap throw away FAX machines and clip on fraud to attack everyone, even homes and apartment buildings. The thief places an incoming call from Germany to US to a target system. They dial out of that system to the "Pay per call" number in a foreign country. They do not need FAX back service and in control of the origin and termination of the call. This scam has resulted in bills of up to $80,000 being incurred by victims in a week end. Criminals are buying cheap battery powered FAX machines and clipping them on to exposed telephone wires. They call the international number and charge a $400 to $500 dollar call to the victim. 17. What can we do to protect ourselves from these crooks and con artists? As with your personal lives, the better informed you are to the risks the better protected you are. Stay on top of the threats and form "A NEIGHBORHOOD WATCH" team that includes; a current policy on security, a secure system configuration, your Long Distance Carrier and a team approach to security and service with your equipment vendor. Do not let management or your Company be taken by surprise. This is one disaster that is very predictable and equally preventable. Remember that you will be a victim. You control the severity of the attack. In 1995 the Department of Defense conducted Tiger Team Attacks and out of 8,932 attempted break-ins, 393 were discovered and only 86 were stopped. Hackers and Phreakers are much easier to stop from breaking in than they are to evict. Insist on seeing evidence that your Long Distance Carrier and your Local Exchange Carrier will join your team. The carrier must have an adequate plan to identify theft of service, a client education program and a plan to provide you with assistance beyond their control. How can I protect my PABX from this type of fraud? (Source - If DISA is not required ensure that it is disabled. If it is required, the people who supplied, or who are maintaining your system, understand the full functionality of the PABX and they can help in configuring DISA properly.

7 Toll Fraud Audit, this service is provided by your PABX supplier or maintenance company, however, there is a cost involved. If automatic logging of calls is available, enable it. It may help in identifying the extensions number being used to compromise the PABX and it may also identify the source of the external call. Regularly check the log records for repeated short duration calls to the same number. This could be an indication of an attempt to attack your system. PIN's for voic , DISA and engineering access should, if enabled, be activated and changed regularly. If possible engineering access should only be permitted on a 'call back' basis, this will prevent unauthorised access to this privileged account. 18. What should you do in the event of a PABX/PBX Fraud PABX Frauds are a crime and should be reported to the complainant's local Garda Station. You should take a statement from the injured party to outline the following 1. Make and model of the PABX. - Name of Installer, Service and Maintenance Agents and contact details. - Name of Telco providers, both Incoming and Outgoing. - Details of the incident, When, No. of calls (list of repetitive Tel No.), Amount, Any incoming Tel No s. recorded. - List of Tel No s used for incoming calls. - How incident occurred, if known and how this information was established. - Establish any time difference between actual time and the PABX time. - Attach printout of outgoing call details. 2. Record incident on PULSE 3. Advise the complainant that they should have a complete independent audit of their telephone system in an effort to identify the manner of the hack and any evidence which may identify the suspect. 4. Foreign Outgoing Tel No s should be passed, via Interpol, to the appropriate authorities. Where there is a large volume of calls made, to a small number of telephone numbers, it is highly probable that Premium Rate Numbers are being used. It must also be kept in mind that just because a number may indicate a certain jurisdiction, Global Telco providers can terminate the number in another jurisdiction and this is known as short stopping. ComReg (Communications Regulator) are very good at tracing where call are being terminated and by whom. 5. Request Crime & Security for all Incoming Tel No s to the complainant s telephone number (Local, National and International). It is possible that the victim uses a number of telephone lines for incoming calls, all of them will have to be identified. It is highly probable that the calls originated from International numbers. 6. If access has been obtained through the Internet, IP (Internet Protocol) addresses may have been recorded. 7. Payment of the bill is not a Garda matter, the victim must inform their provider of the fraud and may require some proof that a complaint has been made. It is not a matter for the Gardaí to negotiate with the provider. Recent EU directives on Inflated Traffic through Fraud come under the remit of ComReg and if the incident is reported to them they can issue directives to Irish Telco providers. 8. Assistance can be obtained from the Garda Cyber Crime Bureau at