Wall St. Journal – Denial of Service attacks on phones responsible for $70 million fraud losses

Have you received a barrage of phone calls to your number? If so, you may be in the process of being victimized, according to a Wall St. Journal article over the weekend called “Preventing a Hack Attack.” The article outlines how a cyber-theft ring that was broken up last week used automated dialing programs to tie up users’ phone lines while the attackers were raiding bank and brokerage accounts to the tune of around $70 million in losses.

Per the article, the attack had two components. First, a malware program went out through email messages and attachments. Once a user clicked on it, the trojan searched the local computer for usernames and passwords for brokerage or online banking accounts and sent that information back to the attackers. Second:

At the same time, victims’ phones were tied up with a barrage of phone calls, according to the federal complaints, preventing them from contacting their bank or brokerage. Busy signals also prevented fraud monitors at the institutions from contacting victims, according to FBI officials who were interviewed before the announcement of the arrests.

The telephone bombardments lasted as long as a week, sometimes forcing victims to disconnect their lines or switch phone numbers, which bought the suspects time to raid their accounts.

The reality today is that our VoIP infrastructure makes this kind of automated attack trivial to carry off – and it will only continue to grow as an attack mechanism. The equipment to carry off such attacks can simply be open source software running on servers, or even virtualized into a cloud (or distributed across a botnet). Connections to VoIP providers that in turn give you PSTN access are both trivial to set up and incredibly cheap.

The article’s recommendations about how to protect yourself were the typical basic steps… use secure passwords, change them often, ideally use a separate computer for online banking (I highly doubt people will do that), use anti-virus, don’t open untrusted attachments, etc. For protection against malware, those are all certainly viable strategies.

For protection against a DoS on your phone number? Not so much. That kind of protection requires more systemic steps within the larger infrastructure – and is at odds with the fundamental aspect of the PSTN where anyone can call anyone else.
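One of the systemic steps that sits within the infrastructure rather than with the victim is rate-based detection of inbound call floods at the carrier or PBX. The following Python example is added here and is not code from the post or the WSJ article; it runs over constructed call detail records, and the window and thresholds are assumptions to be tuned against real traffic.

```python
"""Rate-based TDoS detector over constructed call detail records (CDRs)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to real traffic.
WINDOW = timedelta(minutes=10)
MIN_CALLS = 20          # inbound calls to one number inside WINDOW
MIN_DISTINCT = 5        # distinct caller IDs (dialers rotate or spoof them)
MAX_AVG_SECONDS = 20.0  # flood calls are short; conversations are not


def parse_cdr(line):
    """Parse 'ISO-timestamp caller callee duration_seconds' into a tuple."""
    ts, caller, callee, dur = line.split()
    return datetime.fromisoformat(ts), caller, callee, int(dur)


def detect_tdos(lines):
    """Return {callee: (calls_in_window, distinct_callers, avg_seconds)}
    for every callee whose sliding window trips all three thresholds."""
    windows = defaultdict(deque)  # callee -> deque of (ts, caller, dur)
    alerts = {}
    for ts, caller, callee, dur in sorted(parse_cdr(l) for l in lines):
        q = windows[callee]
        q.append((ts, caller, dur))
        while ts - q[0][0] > WINDOW:  # expire calls older than WINDOW
            q.popleft()
        if len(q) >= MIN_CALLS:
            callers = {c for _, c, _ in q}
            avg = sum(d for _, _, d in q) / len(q)
            if len(callers) >= MIN_DISTINCT and avg <= MAX_AVG_SECONDS:
                alerts[callee] = (len(q), len(callers), avg)
    return alerts


def sample_cdrs():
    """Constructed CDRs: one victim rung every 15 s from 10 rotating caller
    IDs for 15 minutes, plus ordinary traffic to a second number."""
    base = datetime(2010, 10, 4, 9, 0, 0)
    victim, normal = "+15550100100", "+15550100200"
    lines = [f"{(base + timedelta(seconds=15 * i)).isoformat()} "
             f"+1555020{i % 10:04d} {victim} {3 + i % 4}" for i in range(60)]
    lines += [f"{(base + timedelta(minutes=7 * i)).isoformat()} "
              f"+1555030{i:04d} {normal} {120 + 30 * i}" for i in range(6)]
    return lines


if __name__ == "__main__":
    for callee, (n, distinct, avg) in detect_tdos(sample_cdrs()).items():
        print(f"TDoS suspected on {callee}: {n} calls from {distinct} "
              f"caller IDs, avg {avg:.1f}s")
```

Only the flooded number is reported; the number receiving a handful of multi-minute calls never fills the window.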

Welcome to our brave new world…

2 thoughts on “Wall St. Journal – Denial of Service attacks on phones responsible for $70 million fraud losses”

  1. TLAC

    Hi, this is really frightening. One thing I wanted to ask, though: how does it correlate with our VOIP infrastructure? I don’t understand why VOIP makes this trivial to do.

    Thanks,
    TL

  2. Dan York (Post author)

    TL, thanks for the comment. I wrote that VOIP makes this “trivial” because before VOIP you certainly *could* do this kind of automated attack – but there was a certain level of expense involved. You needed some kind of platform to initiate the calls, and then you needed the number of actual connections out to the PSTN. Those connections would be in the form of multiple phone lines or larger connections – but there was a real cost and a real time delay for installation, configuration, etc. There were also per-minute costs of the connection – and also some of the inherent latency in dialing across the PSTN.

    With VOIP, you don’t need any of that traditional infrastructure. You can run all the software you need on a server anywhere on the internet – or in fact on many different computers all over the net. You don’t need any of the expensive PSTN termination equipment. Your costs with SIP trunking providers can be close to zero (and criminals can attempt to compromise systems so that their per-minute cost is in fact zero). Plus, there are plenty of scripts out there to get you started.

    That’s why I said it was “trivial”… much of the historical friction that would have made these attacks hard to do has been removed by VOIP.
