[ISN] Toll Fraud - The Crime of the 90's

From: mea culpa (jerichoat_private)
Date: Sat Nov 21 1998 - 12:29:37 PST


    Forwarded From: plexor <plexorat_private>
    Toll Fraud - The Crime of the 90's 
    Toll fraud costs our companies billions of dollars every year. From the
    perpetrators' view, toll fraud is enormously profitable and low risk.
    Unless you are careless, the chance of being caught is negligible. If you
    are somehow apprehended, chances are you will not be successfully
    prosecuted. If you are convicted, chances are the time you serve will be
    minimal. There are hackers who are in prison, in some cases for "crimes" 
    that are trivial. They don't belong there. However, law enforcement
    organizations are frustrated by professionals who are rarely caught and
    Two types of toll fraud, cellular and calling card fraud, get all of the
    publicity. But these types of fraud are less than half of the total
    dollars lost. Cellular fraud and calling card fraud get attention because
    they happen to individuals. PBX fraud occurs at companies who don't
    publicly acknowledge the incidents. 
    Cellular and calling card losses are borne by the carriers. They take the
    fraudulent calls off the bill. But the law says that the owner of the PBX
    pays for all calls made from their system, legitimate or otherwise! 
    The local and long distance carriers seem to be shy about the subject of
    fraud costs. Although their stance is improving, most of the costs of
    fraud are borne by the consumer. 
    Telecom & Network Security Review reports that the cost of toll fraud was
    $3.325 billion in 1995 and is expected to increase by $395 million
    in 1996. With so much money at stake, it is easy to see why hacking for
    profit has become a serious business. We are not merely up against young
    people, although formidable, who are out to prove their prowess on a PC.
    We are confronted by professionals who are highly skilled and well armed
    with the latest technology and tools. These thieves are not out to make a
    few calls on your bill. There is a complete underground distribution
    network for phone numbers and authorization codes with established
    wholesale prices. One phone company representative told me that there have
    been outlaw cellular phone sites operated solely for fraudulent calls. 
    The largest losses can occur when your company's PBX (Private Branch
    Exchange) is compromised. Telecom & Network Security Review reports that
    this type of fraud will cost companies $1.5 billion in 1996. The actual
    costs extend well beyond the direct carrier charges. 
    A PBX is a sophisticated computer that is primarily used to route calls to
    your internal phones and to outgoing lines. Once the numbers and/or
    authorization codes are known to the perpetrators, they are sold to
    "call-sell" operators. The operators then mass distribute the numbers
    which are then used by people at the retail end. 
    There is so much money to be made that call-sell operators are
    increasingly putting hackers on their payrolls. Frauds of this nature
    often occur over a long weekend when the system administrator at your
    company is not monitoring usage. Large frauds can occur over longer
    periods of time. Southern Illinois University was hit in 1995 for $1.1
    Phone numbers and authorization codes are also very valuable to drug
    dealers and other criminals. They are well aware that the numbers and
    times they call can be used in investigations and don't want these numbers
    on their bills or in phone company records that can be linked to them.
    With access to your PBX, they call your system, call out to another system
    and then to their final destination. Using this technique, called
    "looping," they effectively mask the true locations they have called. 
    There are a number of ways your PBX can be compromised. One common method
    is to crack the authorization codes for the remote access feature,
    sometimes known as DISA (Direct Inward System Access). This feature allows
    a caller to dial into the system, enter an authorization code and get an
    outbound line. This is a convenient way for executives to avoid carrying
    a calling card. It is a nice perk. Unfortunately the codes are usually
    not well managed and are not difficult to crack. Do not use this feature!
    Use calling cards instead. It may be more expensive, but, by law your
    liability to fraud on your calling card is limited. If the fraud involves
    CPE (Customer Premise Equipment) including your PBX and voice messaging
    systems, you are liable for all long distance charges. Obviously,
    reviewing your phone bills will discover the fraud, but by then it is too
    Another method of entry to your PBX is the remote maintenance port. All
    current PBXs have a dial-in port that allows a remote user, including the
    PBX vendor, to access the system for maintenance. The maintenance ports
    have standard user IDs. The standard IDs are well known to the hacker
    community. Passwords are variable and should be properly constructed and
    maintained. The default passwords are also well known and must be reset
    when the system is installed. Many systems are compromised using the
    default passwords. 
    PBXs can be set up to disconnect after a predetermined number of invalid
    access attempts. However, exceeding this limit may not shut down the port.
    You can be hacked all day by re-dialing. Alarms can be set, but must be
    monitored 24 hours a day to be effective. Reports are available that can
    indicate attempts at hacking; however these require diligent daily review.
    For these controls to be effective they must be specifically set and
    monitored. To effectively prevent large losses, you need a contingency
    What hackers want is a dial tone, an outside line. Once they obtain access
    through the maintenance port they have the run of the system. They can set
    themselves up with outbound access such as DISA, described above, and turn
    off the control features. Hackers can get your maintenance port number in
    several ways. They may find it by scanning using automated dialers.
    Unfortunately, many cases of PBX fraud result from insiders or vendors who
    disclose the phone numbers, IDs and passwords. 
    Most systems have a feature known as an Automated Attendant. An Automated
    Attendant answers the line and invites the caller to enter the extension
    of the person they called or enter zero to speak to an operator. The
    perpetrator then simply enters 91 and the first two digits of the area
    code he wants to call. The Automated Attendant switches to that extension,
    but actually this may signify an outgoing call. When the caller gets dial
    tone, he simply enters the remaining digits needed to complete the call. 
    An Automatic Call Distributor (ACD) is a system that queues and routes
    calls to service departments. ACDs are often equipped with an automated
    attendant and voice messaging. These systems are frequently compromised
    if care is not used when installing features that allow an incoming call
    to access an outgoing line. If a caller can get dial tone, you have a big
    exposure to fraud. 
    Call forwarding to outside numbers can be unsafe. In some systems, if
    'loop start' is used, when the call is forwarded and answered, the
    perpetrator will say they got a wrong number or say nothing. When the
    called party hangs up, the system briefly leaves a dial tone before
    disconnecting. The perpetrator quickly grabs the dial tone and places a
    long distance call. During a recent audit, my client was curious about
    some late night calls made to their technical staff at their offices. Such
    calls often are made by someone looking for a PBX with this weakness. 
    Call forwarding outside the system has other toll fraud possibilities. Any
    phone can be forwarded to any outside number. Recently a client found a
    phone in a locker room forwarded to a long distance number at another
    company. Our guess is that someone forwarded the phone so that when they
    dialed that extension, they were forwarded to a friend's company. Lobby
    phones and conference room phones are also susceptible to this simple
    An article in "2600, The Hacker's Quarterly" suggested that the best place
    to start hacking was Voice Messaging Systems (VMS). VMSs are notoriously
    easy to hack and often have the added benefit of toll free 800 inbound
    access. Through an advertisement in 2600, I was able to purchase a
    document on exactly how to hack voice mail systems. The well-crafted,
    accurate document includes detailed information on most of the current
    voice mail systems manufactured, the menu structures, the default mailbox
    passwords and how many password attempts can be made before you are kicked
    out of the system. They even give you a (then current) list of 800 inbound
    lines to companies' voice mail systems and the systems' manufacturers so
    hackers can practice their techniques. 
    Some VMSs allow an incoming call to access an outbound line through the
    PBX using a feature sometimes known as "thru-dial". When a hacker breaks
    the simple password to a mailbox they can use this feature to get an
    outbound dial tone. Also by using the call transfer feature of the VMS,
    the hacker may get dial tone by entering the transfer code and the first
    digits of the number to be called. An example would be *T91XX where T is
    the digit your system has assigned for transfer and XX is the first two
    digits of the called number. 
    Hackers also can capture a mailbox and trade messages freely. The intent
    is to find an unused mailbox and take it over by giving it their own
    password, and using it for themselves. In effect, they establish their own
    bulletin board system. They also frequently record their own greeting.
    "Yes operator, we will accept the charges" as a greeting can result in
    thousands of calls billed to your company. 
    Far worse can happen. If the hackers are persistent, they can get into the
    system administrator's mailbox. From there they can listen to other boxes'
    messages (on some systems), or change, add and delete mailboxes. If they
    so desire, they can shut down the system! Hackers have published the
    default system administrators' mailbox numbers. VMSs also have remote
    maintenance ports. If they penetrate the remote maintenance port, which is
    often less difficult to crack than a PBX, they will turn on "thru-dial" 
    and any other feature they want. They set up many of their own mailboxes
    so they can make many outbound calls at the same time. In addition to
    hacker use, your system could be used by criminals to trade messages. 
    Once you have closed the obvious holes in your CPE systems' security,
    there is still work to be done. Many companies are hit again and again
    after they thought they had solved the problems. No system is
    invulnerable. Hackers are always finding new weaknesses to exploit.
    Software and feature upgrades may create new weaknesses. Current or
    ex-employees become disgruntled or desperate for money. To control your
    systems, effective call reporting and monitoring must be in place. Most
    equipment has some level of call reporting. Add-on systems can supply even
    better information including calling patterns and trends that can indicate
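The call-reporting review described above, as an added example that is not from the original post: a small Python screen over constructed CDR (call detail record) lines that flags the patterns the article names, a burst of invalid DISA codes, off-hours international calls through DISA, and one authorization code running up unusual minutes. The CDR layout, field names and thresholds are assumptions; real vendor reports differ.

```python
# Screen PBX call detail records (CDRs) for toll-fraud indicators.
# Added example, not from the original ISN post; the CDR layout and the
# thresholds below are assumptions, real vendor reports differ.
from collections import Counter
from datetime import datetime

# Constructed sample CDRs: timestamp|trunk|auth code|dialed digits|seconds.
SAMPLE_CDRS = """\
1998-11-20T14:05:00|DISA|4417|13125551212|120
1998-11-21T02:10:00|DISA|4417|011525512345678|1800
1998-11-21T02:14:00|DISA|4417|011525598765432|1650
1998-11-21T02:20:00|DISA|4417|011579112233445|1700
1998-11-21T02:31:00|DISA|FAIL||0
1998-11-21T02:32:00|DISA|FAIL||0
1998-11-21T02:33:00|DISA|FAIL||0
1998-11-20T09:30:00|STN|ext201|12125551000|300
"""
INTL_PREFIX = "011"   # assumed international access prefix (NANP)
FAIL_LIMIT = 3        # assumed: invalid codes per trunk before an alarm
OFF_HOURS = (20, 7)   # assumed: 20:00-07:00 local, plus weekends
MINUTES_LIMIT = 60    # assumed: outbound minutes per code in one report

def parse_cdrs(text):
    records = []
    for line in text.strip().splitlines():
        ts, trunk, auth, digits, secs = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "trunk": trunk,
                        "auth": auth, "digits": digits, "secs": int(secs)})
    return records

def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.weekday() >= 5 or ts.hour >= start or ts.hour < end

def screen(records):
    findings = []   # (rule, detail) pairs for the auditor's daily review
    # Rule 1: repeated invalid authorization codes on one trunk (code guessing).
    fails = Counter(r["trunk"] for r in records if r["auth"] == "FAIL")
    findings += [("failed_auth_burst", f"{t}: {n} invalid codes")
                 for t, n in fails.items() if n >= FAIL_LIMIT]
    # Rule 2: off-hours international calls placed through the DISA trunk.
    findings += [("offhours_intl_disa", f"{r['auth']} -> {r['digits']}")
                 for r in records if r["trunk"] == "DISA" and r["auth"] != "FAIL"
                 and is_off_hours(r["ts"]) and r["digits"].startswith(INTL_PREFIX)]
    # Rule 3: one authorization code accumulating unusual outbound minutes.
    minutes = Counter()
    for r in (x for x in records if x["auth"] != "FAIL"):
        minutes[r["auth"]] += r["secs"] / 60
    findings += [("heavy_code_usage", f"{code}: {m:.0f} min")
                 for code, m in minutes.items() if m > MINUTES_LIMIT]
    return findings
```

Running `screen(parse_cdrs(SAMPLE_CDRS))` on the constructed records yields one failed-code burst, three off-hours international DISA calls and one heavy-usage code, the kind of weekend activity the article says goes unnoticed without daily review.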
    This document has covered the most common exposures and risks. "Social
    engineering" practices and abuse of long distance privileges by employees
    are other areas that require attention. 
    Why haven't companies audited their voice systems? Most are not aware of
    the exposures, the risks and the sophistication of voice systems. This
    document solves that problem. Second, although similar to traditional
    computer systems, these systems are very different. The jargon and
    acronyms are foreign to most business people and the learning curve is
    steep! There is scant detailed technical information about the risks in
    most vendors' systems. 
    As a practitioner in this area, I have to dig out the "golden nuggets" of
    information from vendor manuals. But I know that the other people who read
    the manuals are hackers, some are professionals. One piece of good news
    for auditors: they can audit their company's systems from anywhere by
    dialing in through the maintenance port. I often audit distant systems
    this way. 
    Note: This document is not designed to provide an audit program of all
    risks and features. 
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:12:00 PDT