PBX phone system hacking nets crooks $50 million over four years

A bloke has admitted laundering millions of dollars for hackers who ripped off US companies by hacking into their telephone systems. Miscreants in Bangkok and Pakistan wormed their way into American organizations' PBX systems and identified phone extensions that weren't assigned to a user but were still live. These were then …

  1. Anonymous Coward

    Set the wayback machine to [?]

    "A common route for criminals is to tap into a private branch exchange (PBX) through a remote access feature, steal the code, and then set up a "call-sell" operation. Scam artists also tap into voice mail systems to "crack a code" and then proceed to transfer toll calls through the public switched network."

    That's from a press release from the Alliance to Outfox Phone Fraud, at

    http://www.thefreelibrary.com/FIRST+ANNIVERSARY+OF+ALLIANCE+TO+OUTFOX+PHONE+FRAUD+IS+CELEBRATED...-a018271340

    It's from 1996 (whenever 5/9/96 is).

    Nine teen nine ty six, grandad (I won't shout, it's not polite).

    This is still going on twenty years later? Why? How?

    1. allthecoolshortnamesweretaken

      Re: Set the wayback machine to [?]

      Upvoted for the implicit ISO 8601 reference.

      As to 'why is this still happening' - the first edition of the ISO 8601 standard was published as ISO 8601:1988 in 1988.

      As to why are these phone scams still possible: I blame the "give me convenience or give me death" mindset.

      If you are interested in ISO 8601, but don't want to read it, try this.

  2. Daniel Hall

    Makes me question how secure "FreePBX" actually is...

  3. BernardL

    PABX

    First rule of PABX admin: Don't let incoming calls connect to an outbound trunk. Yes, the pointy-headed-managers will whine, but it's just asking for trouble.

    1. This display name is already taken

      Re: PABX

      I'm a network admin who has just moved over to PABX admin. Can you recommend any best practice guides? I expect our system has holes like this and I want to review the whole voice environment for bad practices.

      1. Just another badger

        Re: PABX

        Look up CFCA.

      2. jason_n

        Re: PABX

        Take a look at http://www.voip-info.org/wiki/view/Asterisk+security for how to secure your FreePBX. We install SecAst (www.telium.ca/?secast) on all of our FreePBX installations. While you're there, watch their video of the FreePBX user who lost $100,000 in one day to hackers.

    2. Anonymous Coward

      Re: PABX

      I don't think that's the exploit in this case.

      Even if it were though, all users expect to be able to divert their desk phones to their mobiles. Once you accept that use case, your rule is lost for ever.

      1. jason_n

        Re: PABX

        Last year hackers found a weakness in the FreePBX portal (running on the PBX). They modified the dialplan to allow access to trunks, and then called their own premium rate numbers to scam admins of tens of thousands of dollars each. Even a properly set up PBX is not enough, you need to add security around it. The built-in security of these tools is a joke. Admins think f2b or a firewall will protect them - it won't. You need to secure your SIP connections below the FreePBX/Asterisk level so that even if the dialplan is hacked calls won't succeed.

    3. Christian Berger

      Re: PABX

      Yes, but IP-PBXes are now commonly designed and administered by idiots. Internal telephones on outside IP addresses is actually a feature many of them explicitly have. The really bad ones even run on some badly maintained Windows system which is probably open to lots of exploits.

      Plus there are things like the cleaning staff getting to a phone to do fraud.

  4. jde96

    Close...

    When I was testing our first FreePBX system, I left a firewall rule on to experiment with using an external SIP client for a whole 2 days, and in that time, more than one IP had hijacked it, cracked the admittedly pisspoor password on one of the extensions' accounts, and made a bunch of dodgy international calls. Luckily, I used a pay as you go SIP trunk provider and only loaded it with £5 of credit. The number of unsuccessful calls from after the credit ran out made my eyes water...

    Lesson very much learnt. Now in production for 18 months, handsets can only connect from our internal network, the firewall rule for the trunk provider only allows their IP range and all the handset passwords are MD5 hashes (as they are by default in FreePBX). To date, no problems... but our ISDN30 system in another office, handled by an external firm, used to get bombarded every couple of weeks with calls attempting to gain access to outside lines. To my knowledge they never did, but no-one could make any calls for about 15 minutes at a time as they could take all the lines up.

    1. Anonymous Coward

      Re: Close...

      Don't use a firewall, it won't work properly and just buys you a little time. Use an SBC, configure it properly and learn how it works in detail.

  5. Anonymous Coward

    Anyone for 1996 IoT?

    This scam is the original IoT, and exactly why we should be very worried... The tech / electronics giants are just run by suits / lawyers that have indemnified themselves morally and financially from any holes in their products.

    1. Stuart Castle Silver badge

      Re: Anyone for 1996 IoT?

      "This scam is the original IoT, and exactly why we should be very worried... The tech / electronics giants are just run by suits / lawyers that have indemnified themselves morally and financially from any holes in their products."

      The problem is that most companies, assuming they are aware of the fault, will work out the cost of fixing it, the cost of any penalties (such as litigation) if it's not fixed and if the latter is lower than the former, will often just allow the fault not to be fixed. OK, so they may factor in damage to their image or reputation, but whether that has an impact depends on the cost they put on their reputation.

      For instance, Whirlpool have safety bulletins out for tumble dryers from multiple brands with design faults in the UK. While they *are* fixing the problems, at the rate they are doing it, they will take over a year to fix all of them. Yet they have still stopped short of a full product recall, even though the fault can cause the dryer to catch fire.

      It is worrying that the same mindset will probably be held by the people who run the companies making IoT things.

      1. Anonymous Coward

        Re: tumble dryers

        "Whirlpool (and other) tumble dryers ... though the fault can cause the dryer to catch fire."

        Not just can, the fault *has* caused multiple fires - one consumer group (Which?) estimates 12,000 fires in the last three years. Many tumble dryer fires lead to fatalities (just use your favourite web search engine).

        Whirlpool actually come out of this with a bit of credit - it's not really *their* tumble dryers, but some of Creda, Hotpoint, and Indesit's, going back over a decade, which are now Whirlpool's responsibility because Whirlpool as of a year or so ago own all three brands and have initiated a recall, something which hadn't previously been done properly.

        http://www.electricalsafetyfirst.org.uk/product-recalls/2016/02/hotpoint,-indesit-and-creda-tumble-dryers/

        https://safety.hotpoint.eu/

  6. Roq D. Kasba

    When they arrested the guy

    Do you think he got his one free phone call? Anyone want to take a punt at what he dialed?

  7. Ken Moorhouse Silver badge

    Ah, reminds me of 2600 Magazine...

    ...which used to be available in good newsagents in England (even further back).

    1. Roq D. Kasba

      Re: Ah, reminds me of 2600 Magazine...

      Indeed - I had a few articles published by them :)

  8. Panicnow

    Telcos are money laundering too

    Why are the telcos not being prosecuted for money laundering?

    The money doesn’t, (or at least doesn’t need to) leave the Telco premium rate coffers until at least a month (judging by their terms of business). So they are plainly CHOOSING to transfer the money to a less reliable deposit holder.

    A few CEOs in Jail would kill this problem stone dead!

    1. Anonymous Coward

      Re: Telcos are money laundering too

      "The money doesn’t, (or at least doesn’t need to) leave the Telco premium rate coffers until at least a month (judging by their terms of business)."

      Exactly.

      I thought that approach had been adopted in Europe, for those reasons, but can't quickly find any confirmation.

      Regardless, it's not hard to do, and reduces the odds of this kind of dodginess being profitable.

    2. Terry Barnes

      Re: Telcos are money laundering too

      The Telco hosting the PBX won't be the one hosting the premium rate numbers. They might be four or five steps removed. Each Telco pays the next one in the chain. It's likely that the one hosting the PBX will have already paid the bill it received from the next Telco in the chain before it bills the PBX owner.

      The responsibility to have properly secured kit rests with the manufacturer and owner - unless you want a return to the days when you could only connect equipment your Telco has supplied.

  9. daveinch

    It's moved on a bit since 1996

    In 1996 it would all have been about dialling multiple numbers to find a Direct Dial that gave you dial tone again, or hacking a Voice Mail system allowing you to dial through a PBX.

    These days hackers are looking for open 5060 ports to log a SIP endpoint on to your PBX or trying to find your SIP trunk login details to steal your trunks altogether!
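Two of the defensive points raised above, jde96's source-address allow-list (handsets only from the internal network, the trunk only from the provider's range) and daveinch's observation that attackers hunt for open port 5060 and try to log endpoints on, can be checked from the PBX's own log. The following is an added example, not code from the article, any commenter, FreePBX or Asterisk; the log lines, the 10.0.0.0/8 office LAN and the 198.51.100.0/24 "trunk provider" range are all constructed. It counts failed SIP registrations per source in the chan_sip NOTICE format that fail2ban's asterisk filter keys on, reports any failure from outside the allow-list immediately (the firewall should never have let it reach the PBX) and reports trusted sources only once they pass a threshold.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Asterisk chan_sip NOTICE lines; not from a real system.
SAMPLE_LOG = """\
[2016-04-20 10:15:32] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2016-04-20 10:15:33] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2016-04-20 10:15:34] NOTICE[1234] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.5:5061' - No matching peer found
[2016-04-20 10:16:01] NOTICE[1234] chan_sip.c: Registration from '"2002" <sip:2002@192.0.2.10>' failed for '10.0.0.42:5060' - Wrong password
[2016-04-20 10:16:05] NOTICE[1234] chan_sip.c: Registration from '"2002" <sip:2002@192.0.2.10>' failed for '10.0.0.42:5060' - Wrong password
[2016-04-20 10:16:10] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
"""

# Constructed allow-list: the office LAN plus the (hypothetical) trunk
# provider's range, mirroring the firewall policy jde96 describes.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("198.51.100.0/24")]

FAIL_RE = re.compile(
    r"Registration from '.*?' failed for '(\d+\.\d+\.\d+\.\d+):\d+' - (.*)$")


def registration_failures(log_text):
    """Count failed SIP REGISTER attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_allowed(ip, allowed_nets=ALLOWED_NETS):
    """True if the source falls inside one of the permitted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def flag_sources(log_text, allowed_nets=ALLOWED_NETS, threshold=2):
    """Return [(ip, failures, reason)] for sources worth acting on.

    Outside the allow-list: flagged on the first failure, because the
    firewall should have dropped it before it reached port 5060.
    Inside: flagged only past the threshold, so one mistyped handset
    password does not page anyone.
    """
    flagged = []
    for ip, n in registration_failures(log_text).most_common():
        if not is_allowed(ip, allowed_nets):
            flagged.append((ip, n, "outside allow-list"))
        elif n >= threshold:
            flagged.append((ip, n, "brute force from trusted range"))
    return flagged


if __name__ == "__main__":
    for ip, n, why in flag_sources(SAMPLE_LOG):
        print(f"{ip:16} {n:3} {why}")
```

Pointing the script at the live Asterisk full log gives a quick answer to whether the "internal network and provider range only" rule is actually in force: any line it reports as outside the allow-list means a packet got through that the firewall should have dropped.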
