Phone “Phreakers” Steal Minutes

The March 19th edition of NewsWeek has an article about cyber thieves stealing VoIP minutes by hacking into VoIP providers’ gateways. It’s the first time I’ve actually seen real numbers applied to VoIP theft:

‘These thieves steal 200 million minutes a month, worth $26 million, says New York telecom Stealth Communications. With more than 5,000 wholesale-minutes markets worldwide, located mainly on Internet forums, fraud is hard to track. Emmanuel Gadaix, head of TSTF, a Hong Kong firm that investigates VoIP thefts, says it’s “very easy to set up a temporary link” through a hacked gateway. His company was recently hired by a Panamanian telecom that lost $110,000 to phreakers. TSTF followed tracks, in vain, that snaked through Bulgaria, Canada, Costa Rica, Hong Kong and the United States. Phreaker trails are “way too complicated” to track successfully, says Gadaix.’

This brings up memories of the Edwin Pena case, in which he was able to rake in over $1 million USD in profits from stealing and reselling VoIP minutes from several providers.

Does anyone know for sure how these VoIP provider gateways are being broken into? Default passwords? Well known vulnerabilities in the operating system? Stolen access codes?

2 thoughts on “Phone “Phreakers” Steal Minutes

  1. Dan York


    I, too, would be interested in more background about the stats and the actual method of compromise. I did, though, have a bit of a knee-jerk reaction that some of this may be hype from the firm quoted in the article, “Stealth Communications”, because of the last paragraph:

    For protection, telecoms are turning to private VoIP networks, separate from the public Internet. More than 1,000 telecoms, including AT&T, SunRocket and China Telecom, now buy and sell minutes on a network owned by Stealth Communications. It carried more than 10 percent of all VoIP traffic last year, a sevenfold increase over 2005. That percentage is expected to keep growing.

    This, to me, does not exactly make them a neutral provider of statistics and information. I will be very interested to see if more concrete info from neutral sources can be found.


  2. Emmanuel Gadaix

    There are several methods used to compromise VoIP companies:
    – Vendors platforms’ vulnerabilities. Some vendors have glaring holes in their proprietary platforms, and anyone knowing about them can compromise them. While such vulnerabilities are not generally made public, they do exist and are actively exploited by VoIP hackers and criminals.
    – Obtaining SIP credentials. All you need to setup a rogue VoIP trunk is a SIP username and PIN/password. It is easier to obtain that you may think. One easy target are the VoIP devices such as ATA. We have seen VoIP hackers bruteforcing VoIP companies’ websites (the one used e.g. by subscribers to check their account balance) in order to obtain a valid SIP user. Once they have the user they’ll bruteforce the PIN code, you’d be surprised how many times it’s the same as the SIP account number or simply a 4-digit number.
    – Hacking in the VoIP internal network. Because VoIP companies are usually busy with their business they often overlook securing their infrastructure properly. Particularly young companies in emerging countries. Once inside their network VoIP hackers locate the subscribers’ database and either create a new ‘ghost’ account or extract credentials for existing accounts. We have seen such intrusions, some of them had also removed CDR records to evade detection.

Comments are closed.