back to article PBX phone system hacking nets crooks $50 million over four years

A bloke has admitted laundering millions of dollars for hackers who ripped off US companies by hacking into their telephone systems. Miscreants in Bangkok and Pakistan wormed their way into American organizations' PBX systems and identified phone extensions that weren't assigned to a user but were still live. These were then …

  1. Anonymous Coward
    Anonymous Coward

    Set the wayback machine to [?]

    "A common route for criminals is to tap into a private branch exchange (PBX) through a remote access feature, steal the code, and then set up a "call-sell" operation. Scam artists also tap into voice mail systems to "crack a code" and then proceed to transfer toll calls through the public switched network."

    That's from a press release from the Alliance to Outfox Phone Fraud, at

    http://www.thefreelibrary.com/FIRST+ANNIVERSARY+OF+ALLIANCE+TO+OUTFOX+PHONE+FRAUD+IS+CELEBRATED...-a018271340

    It's from 1996 (whenever 5/9/96 is).

    Nine teen nine ty six, grandad (I won't shout, it's not polite).

    This is still going on twenty years later? Why? How?

    1. allthecoolshortnamesweretaken

      Re: Set the wayback machine to [?]

      Upvoted for the implicit ISO 8601 reference.

      As to 'why is this still happening' - the first edition of the ISO 8601 standard was published as ISO 8601:1988 in 1988.

      As to why are these phone scams still possible: I blame the "give me convenience or give me death" mindset.

      If you are interested in ISO 8601, but don't want to read it, try this.

  2. Daniel Hall

    MAkes me question how secure "FreePBX" actually is....

  3. BernardL

    PABX

    First rule of PABX admin: Don't let incoming calls connect to an outbound trunk. Yes, the pointy-headed-managers will whine, but it's just asking for trouble.

    1. This display name is already taken

      Re: PABX

      I'm a network admin who is has just moved over to pabx admin. Can you recommend any best practice guides? I expect our system has holes like this and I want to review the whole voice environment for bad practices.

      1. Just another badger

        Re: PABX

        Look up CFCA.

      2. jason_n

        Re: PABX

        Take a look athttp://www.voip-info.org/wiki/view/Asterisk+security for how to secure your FreePBX. We install SecAst (www.telium.ca/?secast) on all of our FreePBX installations. While you're there, watch their video of the FreePBX user who lost $100,000 in one day to hackers.

    2. Anonymous Coward
      Anonymous Coward

      Re: PABX

      I don't think that's the exploit in this case.

      Even if it were though, all users expect to be able to divert their desk phones to their mobiles. Once you accept that use case, your rule is lost for ever.

      1. jason_n

        Re: PABX

        Last year hackers found a weakness in the FreePBX portal (running on the PBX). THey moodified the dialplan to allow access to trunks, and then called their own premium rate numbers to scam admin's of tens of thousands of dollars each. Even a properly setup PBX is not enough, you need to add security around it. The builtin security of these tools is a joke. Admins think f2b or a firewall will protect them - it won't. You need to secure your sip connections below the FreePBX/Asterisk level so that even if the dialplan is hacked calls won't succeed.

    3. Christian Berger

      Re: PABX

      Yes, but IP-PBXes are now commonly designed and administered by idiots. Internal telephones on outside IP-Addresses is actually a feature many of them explicitly have. The really bad ones even run on some badly maintained Windows system which is probably open to lots of exploits.

      Plus there are things like the cleaning staff getting to a phone to do fraud.

  4. jde96

    Close...

    When I was testing our first FreePBX system, I left a firewall rule on to experiment with using an external SIP client for a whole 2 days, and in that time, more than one IP had hijacked it, cracked the admittely pisspoor password on one of the extensions' accounts, and made a bunch of dodgy international calls. Luckily, I used a pay as you go SIP trunk provider and only loaded it with £5 of credit. The number of unsuccessful calls from after the credit ran out made my eyes water...

    Lesson very much learnt. Now in production for 18 months, handsets can only connect from our internal network, the firewall rule for the trunk provider only allows their IP range and all the handset passwords are MD5 hashes (as they are by default in FreePBX). To date, no problems... but our ISDN30 system in another office, handled by an external firm, used to get bombarded every couple of weeks with calls attempting to gain access to outside lines. To my knowledge they never did, but no-one could make any calls for about 15 minutes at a time as they could take all the lines up.

    1. Anonymous Coward
      Anonymous Coward

      Re: Close...

      Don't use a firewall, it won't work properly and just buys you a little time. Use an SBC, configure it properly and learn how it works in detail.

  5. Anonymous Coward
    Anonymous Coward

    Anyone for 1996 IoT?

    This scam is the original IoT, and exactly why we should be very worried... The tech / electronics giants are just run by suits / lawyers that have indemnified themselves morally and financially from any holes in their products.

    1. Stuart Castle Silver badge

      Re: Anyone for 1996 IoT?

      "This scam is the original IoT, and exactly why we should be very worried... The tech / electronics giants are just run by suits / lawyers that have indemnified themselves morally and financially from any holes in their products."

      The problem is the most companies, assuming they are aware of the fault, will work out the cost of fixing it, the cost of any penalties (such as litigation) if it's not fixed and if the latter is lower than the former, will often just allow the fault not to be fixed. OK, so they may factor in damage to their image or reputation, but whether that has an impact depends on the cost they put on their reputation.

      For instance, Whirlpool have safety bulletins out for tumble dryers from multiple brands with design faults in the UK. While they *are* fixing the problems, the rate they are doing it, they will take over a year to fix all of them. Yet they have still stopped short of a full product recall, even though the fault can cause the dryer to catch fire.

      It is worrying that the same mindset will probably be held by the people who run the companies making IoT things..

      1. Anonymous Coward
        Anonymous Coward

        Re: tumble dryers

        "Whirlpool (and other) tumble dryers ... though the fault can cause the dryer to catch fire."

        Not just can, the fault *has* caused multiple fires - one consumer group (Which?) estimates 12,000 fires in the last three years. Many tumble dryer fires lead to fatalities (just use your favourite web search engine).

        Whirlpool actually come out of this with a bit of credit - it's not really *their* tumble dryers, but some of Creda, Hotpoint, and Indesit's, going back over a decade, which are now Whirlpool's responsibility because Whirlpool as of a year or so ago own all three brands and have initiated a recall, something which hadn't previously been done properly.

        http://www.electricalsafetyfirst.org.uk/product-recalls/2016/02/hotpoint,-indesit-and-creda-tumble-dryers/

        https://safety.hotpoint.eu/

  6. Roq D. Kasba

    When they arrested the guy

    Do you think he got his one free phone call? Anyone want to take a punt at what he dialed?

  7. Ken Moorhouse Silver badge

    Ah, reminds me of 2600 Magazine...

    ...which used to be available in good newsagents in England (even further back).

    1. Roq D. Kasba

      Re: Ah, reminds me of 2600 Magazine...

      Indeed - I had a few articles published by them :)

  8. Panicnow

    Telcos are money laundering too

    Why are not the telco's being prosecuted for money laundering?

    The money doesn’t, (or at least doesn’t need to) leave the Telco premium rate coffers until at least a month (judging by their terms of business). So they are plainly CHOOSING to transfer the money to a less reliable deposit holder.

    A few CEOs in Jail would kill this problem stone dead!

    1. Anonymous Coward
      Anonymous Coward

      Re: Telcos are money laundering too

      "The money doesn’t, (or at least doesn’t need to) leave the Telco premium rate coffers until at least a month (judging by their terms of business)."

      Exactly.

      I thought that approach had been adopted in Europe, for those reasons, but can't quickly find any confirmation.

      Regardless, it's not hard to do, and reduces the odds of this kind of dodginess being profitable.

    2. Terry Barnes

      Re: Telcos are money laundering too

      The Telco hosting the PBX won't be the one hosting the premium rate numbers. They might be four or five steps removed. Each Telco pays the next one in the chain. It's likely that the one hosting the PBX will have already paid the bill it received from the next Telco in the chain before it bills the PBX owner.

      The responsibly to have properly secured kit rests with the manufacturer and owner - unless you want a return to the days when you could only connect equipment your Telco has supplied.

  9. daveinch

    It's moved on a bit since 1996

    1996 it would all been about dialling multiple numbers to find a Direct Dial that gave you dial tone again, or hacking a Voice Mail system allowing you to dial through a PBX.

    These days hackers are looking for open 5060 ports to log a SIP endpoint on to your PBX or trying to find your SIP trunk login details to steal your trunks altogether!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022