Phreaking out over the cost of network hacking

By Shane Wilson

Mobile network operators across the globe struggle to contain efforts to defraud their networks, from wholesale and roaming frauds to manipulation of premium-rate services and the resale of hardware.

According to the Communications Fraud Control Association (CFCA), such fraud amounts annually to more than $46 billion, which ultimately affects legitimate users, whether in terms of user experience or in their pocket as network costs increase to cover the losses.

While many frauds use traditional tools, especially identity theft, to hijack accounts or drive subscription fraud, it is increasingly the communications technology itself that is targeted by the fraudster.

For more than a decade PBX hacking has been a favourite of fraudsters or ‘phreakers’, costing more than $4.4 billion last year.

With copies of the PBX manual and knowledge of dial-pad commands for remote access, fraudsters can access PBX systems with default passwords. These are usually identified by searching internet phone directories for phone numbers of organizations that use a PBX. Fraudsters can also deploy a PC running a “war dialler” programme that walks through numbers until it finds one that gives access to the PBX’s commands, often through a voicemail menu, an unused extension on the system, or an extension with default passwords still in place.

Once accessed, the fraudster changes the password and exploits the extension line to make outbound calls. Some gangs have been known to use these lines to create their own long-distance services offering low-cost international calls. The extension line and passcode are also a valuable commodity that can be traded with illegal call centre operators across the globe.

An alternative option is for the fraudsters to use access to PBX systems to place outbound calls to high-rate international “premium-rate” services. Using an exploited PBX, hundreds of calls can be directed to premium-rate number services owned by the fraudster or accomplices.

In many cases of PBX hacking the operator will refund customers for the fraudulent charges, incurring notable losses. But the customer can just as easily be left with the bill as a result of poor PBX security. Ultimately, though, it should be the role of the operator to police its network and provide real-time awareness of unusual billing patterns.
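Unusual billing patterns of the kind described above can be surfaced from call detail records (CDRs). The following is an added example, not part of the original article: it flags any extension that places more than a set number of calls to high-cost prefixes within a sliding one-hour window. The CSV layout, prefix list, thresholds and sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative prefixes (assumption): international access codes and US 1-900.
# A real deployment would classify destinations from the operator's rate table.
HIGH_COST_PREFIXES = ("00", "011", "1900")
WINDOW = timedelta(hours=1)   # sliding window per extension (assumed)
MAX_CALLS = 5                 # high-cost calls tolerated per window (assumed)

def build_sample_cdrs():
    """Constructed CDRs: start time, extension, dialled number, seconds."""
    lines = ["start,extension,dialled,seconds",
             "2024-03-02T09:15:00,201,02079460000,180",
             "2024-03-02T10:02:00,201,0099900000001,240",
             "2024-03-02T15:40:00,201,0099900000001,300"]
    # Constructed burst: an unused extension dialling a high-cost number overnight.
    lines += [f"2024-03-03T02:{m:02d}:00,317,0099900000002,55"
              for m in range(0, 24, 3)]
    return "\n".join(lines)

def find_suspect_extensions(cdr_text):
    """Return {extension: time of first alert} for every extension that
    exceeds MAX_CALLS high-cost calls inside any WINDOW."""
    recent = defaultdict(deque)   # extension -> start times of high-cost calls
    alerts = {}
    rows = sorted(csv.DictReader(io.StringIO(cdr_text)),
                  key=lambda r: r["start"])   # ISO timestamps sort as text
    for row in rows:
        if not row["dialled"].startswith(HIGH_COST_PREFIXES):
            continue
        when = datetime.fromisoformat(row["start"])
        window = recent[row["extension"]]
        window.append(when)
        # Drop calls that have aged out of the sliding window.
        while when - window[0] > WINDOW:
            window.popleft()
        if len(window) > MAX_CALLS and row["extension"] not in alerts:
            alerts[row["extension"]] = when
    return alerts

if __name__ == "__main__":
    for ext, when in find_suspect_extensions(build_sample_cdrs()).items():
        print(f"extension {ext}: high-cost call burst detected at {when}")
```

Extension 201's two daytime international calls stay under the threshold, while the overnight burst from extension 317 triggers an alert on its sixth call.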
