Have you received a barrage of phone calls to your number? If so, you may be in the process of being victimized, according to a Wall St. Journal article over the weekend called “Preventing a Hack Attack.” The article outlines how a cyber-theft ring that was broken up last week used automated dialing programs to tie up users’ phone lines while the attackers were raiding bank and brokerage accounts to the tune of around $70 million in losses.
Per the article, the attack had two components. First a malware program went out through email messages and attachments. Once a user clicked on it, the trojan searched the local computer for usernames and passwords for brokerage or online banking accounts and sent that info back to the attackers. Second:
At the same time, victims’ phones were tied up with a barrage of phone calls, according to the federal complaints, preventing them from contacting their bank or brokerage. Busy signals also prevented fraud monitors at the institutions from contacting victims, according to FBI officials who were interviewed before the announcement of the arrests.
The telephone bombardments lasted as long as a week, sometimes forcing victims to disconnect their lines or switch phone numbers, which bought the suspects time to raid their accounts.
The reality today is that our VoIP infrastructure makes these kind of automated attacks trivial to carry off – and they will only continue to grow as an attack mechanism. The equipment to carry off those attacks can simply be open source software running on servers or even virtualized into a cloud (or distributed on a botnet). Connections to VoIP providers which can then get you PSTN access are both trivial and incredibly cheap.
The article’s recommendations about how to protect yourself were the typical basic steps… use secure passwords, change them often, ideally use a separate computer for online banking (I highly doubt people will do that), use anti-virus, don’t open untrusted attachments, etc. For protection against malware, those are all certainly viable strategies.
For protection against a DoS on your phone number? Not so much. That kind of protection requires more systemic steps within the larger infrastructure – and is at odds with the fundamental aspect of the PSTN where anyone can call anyone else.
Welcome to our brave new world…