Hosted PBX Toll Fraud Attacks: Phreaking

Phreaking (or phone hacking, toll fraud, dial-through fraud) is not new. In the not too distant past it was often a domain of adolescents with modems, phone lines and a PCs looking to make a couple of calls on someone else’s tab to their friends out of state or, sometimes, out of the country. Those call volumes often went unnoticed in the overall vast number of calls on company’s phone bill.

Toll Fraud

But phreaking in this day and age has moved from geek to something more sinister and more damaging. Telephone phreaking of Internet era is a big business run by an organized crime. What’s also interesting is that telecommunications carriers reap substantial benefits from these activities by demanding payments for the tidal wave of illegal call traffic phreakers generate at the victim’s expense. Some insiders hint that phreaking is telecommunication’s industry’s biggest dirty secret, generating massive funding for carriers.

Advancing open technology further reduces barriers for thievery. Modern VoIP thieves are organized, skilled and determined knowing that their unsuspecting victims may be less prepared than ever to take them on. Just because a company has a state-of-the-art Hosted PBX service or VoIP system does not mean it is immune to huge losses from criminal phone hacking. VoIP fraud is a very real problem that could wreak devastating expenses on any company.

Over the past year on more than one occasion I had heard from business executives dealing with their hacked voice system relaying phone calls to Cuba, Somalia or some other expensive-to-reach country ramping up charges in excess of $30,000-$40,000 in a matter of 48 hours. The fraudsters would dial local company numbers and access outbound trunks in order to place calls to a foreign country.

This prompted us to begin monitoring our Hosted PBX usage patterns by end users in an effort to help curb losses from such activities and to alert DLS’ clients of unusual call activity. While reducing the time of notification, this, however, is not a proactive strategy because the warning is communicated after fraud activity had already taken place.

The key to preventing such incidents lies in both: service provider and the end user working together and understanding the depth of the threat. This is especially important to end users of unmanaged hosted pbx services who manage configuration and security features of their Hosted PBX service themselves as opposed to having service provider manage those for them. DLS as a service provider for its part must make those security features available and offer end users education and best practices for implementing them. End users who operate business must understand their responsibility to the security of all the systems and/or services they run.

Statistics show that in most cases thus far hackers gained access to systems or services through inadequate and insufficient use of existing security features. Leaving a PBX unsecured is like leaving your PIN numbers or bank account details and access codes pinned to your front door. Therefore we recommend that our end users employ the following guidelines which can reduce company’s risk of phreaking attack:

  1. Ensure that all manufacturer default passwords for all endpoint devices are changed promptly
  2. Secure all end point devices (handsets, computers, PDAs) by restricting physical and remote access to them.
  3. Ensure functioning of lock out algorithms that prevent password phishing and notify administrators.
  4. Ensure timely deactivation and/or password changes of all unused extensions, voicemail accounts.
  5. Secure your network, employ firewall and access lists to guard your Hosted PBX and/or endpoint devices where possible.
  6. Ensure that your Hosted PBX or VoIP system configuration does not allow through dialing or outbound calling from adjunct equipment, ensure proper permissions for outbound transfers.
  7. Set and enforce standard and complex passwords for your VoIP Hosted PBX interfaces, voicemail

In my experience, phreakers tend to not focus on systems with properly implemented security policy. As with many crimes of opportunity some hackers may be lazy and decide to move to an easier target once they encounter safeguards on your hosted PBX. Since their goal is to find any vulnerable system that would allow them to make international calls rather than access your particular calling data, they will have no reason to invest all the effort in attempting to penetrate security of your Hosted PBX.

But until we all begin recognizing seriousness of security threats and invest time into efforts to make our phone services safe and secure, telecommunications bandits and carriers will continue to reap benefits from stolen revenues and businesses as end users will continue be expected to pay for it all.