Business telecommunication systems are the new focus of hacker attacks, according to last week’s New York Times and its piece, “Swindlers Use Telephones, with Internet’s Tactics.” At Avaya, we’ve been tracking – and helping prevent – these threats for many years. I talked to Richard English, Director of Strategic Consulting for Avaya Professional Services, and Gil Stevens, Director of Avaya’s Session Border Controller product R&D team and the VIPER (VoIP Exploit Research) Lab, to find out more.
Richard English, Director of Strategic Consulting for Avaya Professional Services
Gilman Stevens, Avaya’s Director of Session Border Controller R&D and VIPER Lab
What exactly are these malware and financial swindles that the New York Times says are being increasingly sent over Internet telephone lines, aka Voice-over-IP?
English: There are several basic threats. The first is a Telephone Denial of Service (TDoS) attack where the attacker “loads” all the incoming circuits serving a business or organization with incoming calls and basically creates an “all circuits busy” condition. This prevents any legitimate caller from contacting that organization and the caller would only receive a busy signal when calling. This is bad for regular businesses, but catastrophic for organizations that rely heavily on their contact centers, especially 911 dispatch centers, hospitals, and other public safety organizations.
There are also attackers using inexpensive IP-based phone services and automatic dialing software. These range from spammers who use this method to send recorded advertisements in bulk to hundreds of thousands of recipients, aka voicemail spam, to more dangerous fraudsters who try to trick victims into releasing their personal data. This is called Vishing, as it is a variant of the e-mail-based Phishing.
Stevens: Possibly the biggest threat is toll fraud. What they’ll do is scan your corporate network for the voice ports, figure out what handsets and telephone numbers are mapped to the network, and then crack the passwords. The hackers typically then sell that information to someone who will repeatedly call toll 1-900 numbers or make long distance calls on your corporate IP PBX, usually outside of the U.S., to rack up thousands of dollars per month to these numbers. These turn into charges on your company’s phone bill. For instance, the real estate company, Remax, faced a $600,000 bill from toll fraud. According to experts, toll fraud is a $2 billion problem.
The New York Times called these threats “new.” However, I remember reporting on things like SPIT (Spam over IP Telephony) almost a decade ago when I was a journalist. So how new are these threats, really?
English: The threats are not necessarily new, but the technology utilized to create this condition is more readily available and therefore, utilized by more attackers than ever before.
Stevens: The first wave of attacks started in the late 1990s, and surged in the early 2000s as more tools became available. Then really powerful open-source tools emerged starting in 2004. By 2007, we were seeing million-dollar attacks, and now, experts are estimating that overall across many corporations there are billions of dollars of exploits.
English: Also, the cost of making long distance calls over the Internet has become very inexpensive – therefore more appealing to the schemers. It’s another form of cyber-terrorism.
So how come toll fraud, SPIT, Vishing and TDoS attacks haven’t gotten as much press as Spam or regular Internet hacks until now? Is it on the rise, as the New York Times says?
English: Yes, it is on the rise. The National Cybersecurity & Communications Integration Center of the Department of Homeland Security has identified numerous and increasing threats to public safety agencies for TDoS. The implications of these cyber-terrorism attacks haven’t received as much press in the past since there was not as great an individual financial impact as stealing one’s credit card and making unauthorized charges. However, the operational stability of telecommunications for public safety is paramount and the financial impact to businesses is significant. Basically an organization can be crippled when all incoming voice circuits are busy and can lead to significant loss of business and revenue. Although public safety agencies utilize different types of trunk circuits, the threat is still relevant and must be mitigated.
As an end user, am I at more risk to these threats if I am a Vonage user at home or an employee at a company that uses VoIP?
English: Depends on what you define as risk. Providing personal information to any unauthorized caller is a risk to our personal welfare and financial stability. TDoS at home is more of an inconvenience rather than a risk. Many of us have multiple communications alternatives, such as mobile phones. Denial of Service at a company can cause catastrophic financial results and at a public safety agency – can result in loss of life.
Stevens: For the consumer, you need to watch out for Caller ID spoofing. If you get a call from someone saying they are from your credit card company, the bank, or a government entity, please take down the number shown on Caller ID and politely tell the person that you need to call them back. If the caller demands that you stay on the call, there’s a good chance they are spoofing (faking) the Caller ID in order to steal your financial information or other personal details. Instead, hang up, check the official phone number of your bank, credit card company etc. and call it yourself. And when you get an operator, let them know that someone was trying to impersonate the company.
There is a growing increase in Caller ID spoofing targeting those working to get their Immigration Green Cards. The malicious individuals use Caller ID to aid in pretending to be immigration authorities or police. They then demand that victims wire transfer them money, usually overseas, both of which are indicators of fraud. Here is information from the US Government on the subject: http://www.us-immigration.com/blog/beware-of-caller-id-spoofing-new-immigration-services-scam
What are the best ways for companies to prevent and protect against incoming SPIT, Vishing, and/or VoIP-based DoS?
Stevens: For enterprises using the SIP (Session Internet Protocol) trunks popular with VoIP, the best thing is for them to have a Session Border Controller. This is basically a firewall built specifically to handle voice traffic. Unlike regular firewalls, which typically just turn VoIP ports off, SBCs can filter and do deep packet inspection of voice traffic to make sure it’s safe.
If your company is successfully attacked, how can you recover from this?
Stevens: If you are in the United States, I would call my regional FBI office or visit the Internet Crime Complaint Center (IC3). I would also work with my security professionals to make sure I’m following best security procedures, and contact my carriers to set thresholds on long-distance services or block calls to/from certain countries.
What are services that Avaya offers that can prevent and minimize the effects of these VoIP-based attacks?
English: Avaya Professional Services provides Security Assurance consulting to assist our clients in their efforts to achieve effective, practical communications security objectives in a realistic time frame. We help our clients find ways to uphold those objectives over time even as their organization’s needs evolve. Available worldwide as an annual subscription with quarterly engagements, this Security Assurance Service is focused on keeping your security policies up-to-date and effective against the constantly changing landscape of business vulnerability and threats. The end result is peace of mind knowing that your company’s security policies and mechanisms are where they need to be to help keep your business safe and secure. Avaya Security Assurance Services are available for Avaya collaborative communications and contact center solutions, and they encompass several initiatives, including fraud, platform hardening and vulnerability management.