Internet phone systems become the fraudster's tool

Attacks on the Asterisk VoIP system are now 'endemic'

Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.

In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.

The victims typically bank with smaller regional institutions, which tend to have fewer resources to detect scams.

Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that their bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victims' bank accounts.

Hackers made headlines for breaking into phone company systems more than 20 years ago -- a practice that was known as phreaking -- but as the traditional telephone system has become integrated with the Internet, that integration is creating new opportunities for fraud that are only just beginning to be understood.

VoIP (voice over Internet Protocol) hacking is "a new frontier in the crossover world of telecom and cyber [crime]," said Erez Liebermann, assistant U.S. attorney for the district of New Jersey. "It is an ongoing threat and a serious threat that companies need to be worried about."

Attacks on one of the most popular VoIP systems, called Asterisk, are now "endemic," said John Todd, who works for the product's creator, Digium, as open-source community director. "It's like stealing a baseball bat to break into a car. The first step is to break into Asterisk."

Asterisk hacking began evolving from a fairly "low-level problem" into a much more serious issue around September of 2008, when easy-to-use tools were first published, Todd said. "There are now people doing videos on it and there are blogs and podcasts," he said. "The information is out there."

With these tools, it can be pretty easy to hack a VoIP system by hitting the server designed to connect traffic from the office's local area network to a network provider such as AT&T, which connects the calls to the rest of the world.

The hacker tries to guess the VoIP system's passwords, making thousands of guesses. While an Internet service such as Gmail will block visitors after a handful of failed password guesses, VoIP systems are often not configured this way and will let any computer on the Internet connect to them.

So hackers pound away at them, trying to guess working phone extensions. Once they find an extension, they run their dictionary attack software. If the password is easy to guess, they're in the network and can phone out for free.

That's what happened to Innovative Technologies, based in Wheeling, West Virginia. It was hacked in early October, apparently by Romanian cyber criminals who used its VoIP system to make telephone-based phishing calls to customers of Liberty Bank, a small regional bank with offices in California.

"They had scanned a whole bunch of IP addresses on the Internet in order to find [VoIP] servers," said Terry Lewis, CEO of Innovative Technologies.

On Oct. 3, Lewis started getting voicemail from Liberty customers who had received the scam calls. He checked his VoIP system logs the next day and found that the hackers had made about 300 calls over the weekend -- not so many calls that it would normally have even been noticed.

Once the VoIP system is hacked, the criminals use it to perform phone-based phishing attacks, sometimes called vishing. Vishing attacks have been around for a few years now, but they've largely flown under the radar, because they often target smaller regional banks rather than high-profile national institutions.

The scammers move from bank to bank each week after completing their campaigns.

According to Liberty Bank, other regional institutions have also been hit with vishing attacks from hacked VoIP systems in recent weeks.

Liberty did not name the other banks involved, but in recent weeks, Union State Bank and Solvay Bank have reported similar scams.

Lewis was lucky that he didn't get hit with major phone charges. Depending on how their systems are configured, businesses can be held responsible for any phone charges -- international call charges, for example -- that arise from the incident.

"If someone starts abusing your telephone system, you are potentially on the hook for a lot of money," Digium's Todd said.

Liberty Bank First Vice President Jill Hitchman believes that the scammers who targeted her bank probably hit between 30 and 35 businesses and were making between 20,000 and 30,000 phone calls per day.

"I don't think these companies realize they're probably going to be getting charges," Hitchman said. "The bigger issue is, how are these phone systems being accessed and why can't we stop it?"

Only a few Liberty customers fell for the scam, Hitchman said, but the attackers knew what they were doing.

First they would sign up for AOL accounts, to test that the card numbers worked. Because AOL offers free trial memberships, these charges do not show up for months. By that time, the scammers have put the information on fake ATM cards and emptied the bank accounts.

Businesses could prevent a lot of these attacks by changing the port they use for Session Initiation Protocol (SIP) connections on their VoIP systems, by blocking connections after a certain number of failures, and by simply using better passwords on their voice systems, security experts say.
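The guessing pattern described above (probe for extensions, then run a dictionary attack against any that exist) and the "block connections after a certain number of failures" mitigation can both be seen in the server's own log. The following is an added example, not code from the article or from Digium: it parses constructed sample lines modelled on the NOTICE messages that Asterisk's chan_sip writes for failed SIP REGISTER attempts, counts failures per source address, and reports sources that cross a blocking threshold. The log format, the addresses and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on chan_sip NOTICE messages for failed
# REGISTER requests (format assumed; addresses are documentation ranges).
# "No matching peer found" is logged for an extension that does not exist,
# "Wrong password" for one that does: the differing reasons are what lets a
# scanner tell valid extensions apart, so both must count as failures.
SAMPLE_LOG = """\
[Oct  3 02:11:04] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@198.51.100.20>' failed for '203.0.113.7' - No matching peer found
[Oct  3 02:11:04] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@198.51.100.20>' failed for '203.0.113.7' - No matching peer found
[Oct  3 02:11:05] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@198.51.100.20>' failed for '203.0.113.7' - No matching peer found
[Oct  3 02:11:09] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '203.0.113.7' - Wrong password
[Oct  3 02:11:09] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '203.0.113.7' - Wrong password
[Oct  3 02:11:10] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '203.0.113.7' - Wrong password
[Oct  3 08:30:41] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '192.0.2.55' - Wrong password
"""

# Source may appear as 'ip' or 'ip:port' depending on Asterisk version.
FAILED_REG = re.compile(
    r'''Registration from '"(?P<ext>[^"]*)"[^']*' failed for '(?P<src>[^':]+)(?::\d+)?' - (?P<reason>.+)$'''
)


def parse_failures(log_text):
    """Yield (source_ip, extension, reason) for each failed REGISTER line."""
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            yield m.group("src"), m.group("ext"), m.group("reason").strip()


def flag_sources(log_text, threshold=5):
    """Return {source_ip: summary} for sources with at least `threshold` failures."""
    failures = Counter()
    extensions = defaultdict(set)
    reasons = defaultdict(Counter)
    for src, ext, reason in parse_failures(log_text):
        failures[src] += 1
        extensions[src].add(ext)
        reasons[src][reason] += 1
    return {
        src: {
            "failures": n,
            "extensions_tried": len(extensions[src]),
            "enumeration": reasons[src]["No matching peer found"],
            "password_guesses": reasons[src]["Wrong password"],
        }
        for src, n in failures.items() if n >= threshold
    }


if __name__ == "__main__":
    for src, info in flag_sources(SAMPLE_LOG).items():
        print(f"candidate for blocking: {src} {info}")
```

A single mistyped password from a legitimate phone stays below the threshold, while the scanning host is reported with its mix of extension probes and password guesses; the reported address is what a firewall rule or a fail2ban-style jail would act on.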

The problem is that for most small and medium-sized businesses, security is just not a priority.

"People care way more about whether their conference calls are going to have decent phone quality," said Rodney Thayer, chief technology officer with VoIP security company Secorix.

They don't think about their VoIP systems as vulnerable to Internet attacks just like Web or e-mail servers, and that's a mistake, Thayer said.

"They think about it as a different system, and it's not," he said. "It's all the same stuff; it's all data going over a network."

Robert McMillan

IDG News Service