Telecoms and PBX Fraud
From FraudWiki
There are many ways the Telecoms networks can be abused (TBD)
Contents |
PBX Fraud
There are many types of PBX fraud but all result in the company paying for calls that were not made by or on behalf of the company. Some of these frauds are perpetrated by employees of the company and others through hacking into network. The knowledge of how to hack into some PBX’s can be obtained from the internet; see for instance the web site http://www.2600.com:1984/
There are a lot of practical steps a company can take to reduce the fraud risk but many businesses require flexible communications and as a result will necessarily expose themselves to risk. In these circumstances the automated analysis of call patterns is the only way of managing and reducing this risk.
The following is a brief overview of just some of the threats:
Maintenance Port Access
Most PBXs have a dial-in port that allows a remote user o access the system for maintenance. The maintenance ports have standard user IDs. The standard IDs are well known to the hacker community. Many systems are compromised using the default passwords. What a hacker wants is a dial tone; an outside line. Once they obtain access through the maintenance port they have control of the system. They can set themselves up with outbound access such as DISA, described below, and turn off any control features. Hackers can get the maintenance port number in several ways. They may find it by scanning using automated diallers or by insider information.
DISA
This feature allows a caller to dial into the system, enter an authorisation code and get an outbound line. The codes are often not difficult to crack. A hacker can then use this feature to make long distance calls at the company’s expense. It does not necessarily need to be a hacker. One common scheme is where a caller may pretend to be from the Telco and claim to be checking a problem with the line, the scammer asks to be connected to an outside line.
Voicemail System (VMS)
Many voicemail systems are equipped with an outbound paging feature. When this feature is enabled, the voicemail system automatically calls a preset number whenever new voicemail messages are received. A hacker may gain access to these voicemail systems and change the preset number. These numbers could for instance be premium rate numbers. Each time a message is left in a tampered mailbox, the system will automatically call the telephone number and the company will be charged for this call.
Some VMSs allow an incoming call to access an outbound line through the PBX using a feature sometimes known as "thru-dial". When a hacker breaks the simple password to a mailbox they can use this feature to get an outbound dial tone. Also by using the call transfer feature of the VMS, the hacker may get dial tone by entering the transfer code and the first digits of the number to be called.
Premium rate numbers
Having set up a premium rate service a fraudster may then cause calls to be forwarded to this number and the company will then be charged at the premium rate. Call forwarding can be set up manually by an employee. Often this is done on extensions in semi-public areas like meeting rooms and often for periods when the phones are less likely to be used. Equally a hacker can gain access and cause incoming calls to a particular extension to be forwarded or a voice mail box to do the same (see 2.3 above). 3.5 Tandem calls A Tandem call has both an incoming part and an outgoing part. It will result in a cost to the company where the PABX has made an outgoing call to an external number. An example of a tandem call is if the where a particular extension has been forwarded to a mobile number.
By forwarding an extension a hacker can then place international calls at the cost of a local call.
Long duration calls
Long duration calls to foreign destinations (particularly out of hours) may be a symptom of straightforward employee abuse, call forwarding (see above) or a PBX which has been broken into. Long calls may also be modems using unauthorised ISPs. Employees have been known to attach their own modems to company PCs to gain internet access which bypasses corporate controls. If an outsider can gain access to a modem (authorised or unsecured) using war dialling (see below) then this can be used for anonymous ISP access for illegal purposes. Also calls may be made to access codes of telcos other than the companies main provider, which may circumvent call blocking.
Short duration calls (war dialling)
War dialling is a method of automatically scanning telephone numbers using a modem to discover numbers which have a modem attached and provide access into a computer or PBX system. A popular program used for this purpose was ToneLoc the source-code for which is available for download at http://www.oldskoolphreak.com/etc/ .
Once a number has been found that allows modem access then it can be relatively easy to break in.
Where the Call Data Record (CDR) contains the number of the caller then this sort of attack can often be detected by many short-duration calls from the same number. Some attackers are more sophisticated and will spoof the caller-id and vary the time between calls. To detect this form of attack it is necessary to look for short-duration calls across all numbers and to filter these against the normal expected frequency and duration of such calls depending on parameters such as time-of-day, department, etc.
Automated Attendant
Some systems have a feature known as an Automated Attendant. An Automated Attendant answers the line and invites the caller to enter the extension of the person they called or enter zero to speak to an operator. The caller can then simply enters a code which gets them an outside line.
See Also
