News out of the U.S. Federal Bureau of Investigation (FBI) last week was that a New Jersey man pled guilty to charges that he and his co-conspirators stole over $4.4 million USD of VoIP services from a range of VoIP service providers including AT&T, Verizon and many others.
Reading through the FBI news release, the scam really has nothing to do with “VoIP security”, per se, and everything to do with “social engineering.” Essentially, the group managed to appear to be a legitimate business so that VoIP service providers would let them resell their services to businesses. They then resold that service and pocketed the money without ever paying the service providers.
From the news release, it seems to have been a rather extensive scam:
To make it appear as if the shell companies were legitimate VoIP wholesalers and to induce the victim providers to extend credit to the companies on favorable terms, Tonangi and his co-conspirators took several fraudulent steps, including establishing fake business addresses for the shell companies at prominent New York locations, including the Empire State Building.
The co-conspirators also used Internet-based answering services that purported to connect callers to the shell companies’ various departments, such as accounts receivable and marketing, but really connected to cell phones controlled by the co-conspirators.
Tonangi and his co-conspirators created shell company e-mail accounts in the names of non-existent employees for communicating with victim providers; websites that contained false information, such as the names of non-existent employees and the companies’ fabricated qualifications to serve as VoIP wholesalers; and aliases to negotiate the purchase of VoIP services.
They also fabricated year-end financial reports that bore the logo of a national accounting firm in order to give the appearance that the shell companies’ financial reports had been reviewed by that firm.
When the victim providers sold VoIP services to the shell companies on credit, Tonangi and his co-conspirators would “bust out” the account by causing the companies to use substantially more VoIP services than the companies had been approved to buy in such a short period of time. The co-conspirators would do this over weekends and holidays so that the providers would not notice.
When the invoices for the services came due, the co-conspirators would send fake wire transfer confirmations via e-mail or submit small payments to keep the victim providers from cutting off service.
If victim providers sued or threatened to sue the shell companies, Tonangi and his co-conspirators would respond in legal pleadings or letters that they prepared in the name of a non-existent attorney, Frank Soss. Tonangi and Bhambhani created and used a fraudulent United States passport in the name Frank Soss by downloading and altering a exemplar passport image and photograph from the Internet.
Given the degree of subterfuge undertaken by the group, I’m not at all surprised that they fooled numerous companies into extending credit for VoIP services. When you are doing due diligence on a new customer, you would explore many of the avenues that these folks seem to have covered.
It’s not clear from the news release or any other information I’ve seen online what if any VoIP technology was used here but given that the group was acting as a legitimate business they didn’t need anything very sophisticated. Many software and service options would have met their needs.
It’s good to see the FBI successfully cracking this fraud ring… sadly I’m sure there will be others as we see the increased usage of VoIP across the industry.
P.S. Thanks to J. Oquendo in the VOIPSEC mailing list for alerting us to this news from the FBI.
Pingback: Seven Deadliest Unified Communications Attacks