Phreakin’ hell: phone hacking costing Australia millions
Phreaking, or telephone hacking, has resulted in significant losses for some of Australia’s largest companies. David Hovenden investigates this disturbing twist on traditional hacking
Australian companies are regularly falling victim to a form of hacking, which has cost some companies up to $1 million in a single attack, and yet the threat is neither new nor particularly difficult to prevent. ‘Phreaking’, as the crime is known, is essentially gaining access to an organisation’s telephone system and using it to make calls, charge phone cards or commit other forms of larceny.
Media reports of companies falling victim to this crime in Australia date back to 1992 and beyond, but it’s the wholesale absence of such reports that has allowed the crime to go largely unnoticed and unchecked, so much so that there could be as many as 50 such attacks every week in Australia. According to the US-based Communications Fraud Control Association, annual worldwide telecom fraud losses are believed to be in the range of US$35-$40 ($48-$55) billion.
As with most cyber crimes, there is a huge reticence in corporate Australia to report such incidents as the reputation risk attached to admitting inadequate security is considered more important. Of course, since no one admits they’ve fallen victim to the crime, as far as the rest of corporate Australia is concerned it’s not a problem. That is, of course, until you’re the next victim.
Of the few companies that have gone on the record, the losses are frightening. Perpetual Trustees was left with a $600,000 phone bill racked up between 31 October and 15 November 2000. On one day alone, the company was stung to the tune of $80,000 – the result of 5,000 illegal calls.
Among the most recently reported incidents was one involving a private hospital in Canberra, which had its Private Automatic Branch eXchange (PABX) system hijacked on 22 March 2005. In the following 24 hours, John James Hospital had between $4,000 and $5,000 worth of international calls charged against its account. In newspaper reports following the incident, hospital chief executive Phil Lowen said that if Telstra technical staff hadn’t noticed the sudden spike in activity and warned the hospital, a bill of $50,000 to $100,000 could have been run up over the Easter break.
The hospital’s PABX had a facility that allowed someone to dial in from outside the hospital to check the system. It appeared that hackers had dialled into the line and then made international calls.
“It looks like it was some sort of organised group,” Lowen told The Age. “It was ... like we were being used for someone else’s business for a while.”
In another incident, Australian importing business Plastic Plumbing Supplies was stung for an undisclosed amount exceeding $50,0000 over a three-month period, with all of the illegal calls being made when the office was empty overnight. The business’s commercial manager, Peter Krohn, told Risk Management magazine that while he had reached a settlement with his telecommunications provider, which forbade him from outlining the specifics of the settlement, the experience had left him bitter and his business had suffered a very substantial loss. “It was akin to having a very large bad debt,” he said.
Plastic Plumbing Supplies had been informed in January 2004 that they had an unusual spike in international calls; however, it wasn’t until March that the provider was able to stop the calls from being made. After protracted discussions with the mid-tier telco, Krohn made a commercial decision to settle the amount because the telco was adamant that it would proceed to court with the case.
One of his biggest frustrations is trying to find other organisations that have suffered similar attacks, and he points to the fact that he had to settle out of court as one of the main reasons this is a largely unreported crime. Krohn also advises that when using a telecommunications provider you should “read the fine print”, because he was unaware that he had signed away most of his legal rights with regard to disputes.
Telstra has admitted that up to 20 hacks are perpetrated against its clients every month. Add to that the legion of other companies no longer with our soon-to-be fully privatised national carrier and the number could easily be double.
Yet a spokesperson for ACT Policing told Risk Management magazine he was unaware of any further cases having been reported to that police force since; in 2004 there were only two reported cases in the ACT. With more than 200 such attacks reported to Telstra alone every year, but the ACT police recording three cases in almost two years, it is clear that companies are electing to take the hit.
Australian High Tech Crime Centre director, Federal Agent Kevin Zuccato, says it is hard to put a figure on the impact of hacking, but there is no doubt criminals are becoming more astute.
“I think that that type of crime is only limited by the imagination of the criminals who perpetrate them,” Zuccato told ABC radio. “I think we are going to see some far greater sophistication in terms of the attacks.”
Common attacks
Calling his company’s services an audit, Stevens says that his success rate in hijacking a company’s phone system is in the very high nineties, as a percentage. Worse still, having secured a company’s system, he is often able to get back into it within 12 months, against his own security measures.
“Just as in conventional computer hacking, you’re only ever one step behind the hackers, you’re always one step behind the phreakers,” he says. “However, unlike computer hacking, where just about every business, not to mention individuals, has some sort of antivirus software or firewall at least, the vast majority of Australian companies are completely unprotected.
“So while you may risk falling victim to a phreaker who’s more driven by ego than criminal intent, if you have put security measures in place, the more serious side of phreaking, that being driven by organised crime, is far more likely to go for the low-hanging fruit – organisations with little or no defences in place.”
Among the most common forms of phreaking attack is direct access to a company’s PABX system via a dial-in modem. Such modems are frequently unguarded by a password, or guarded by security that is easily worked around, and once a phreaker gains access to your PABX it’s a very quick and easy step to turn it into an international exchange. Numbers can be assigned to other users, or dialled relentlessly by computer into 0055-style numbers anywhere in the world, racking up enormous bills practically overnight. This was precisely what happened to Canberra’s John James Hospital. It has since removed dial-up access to the PABX as well as several other functions. It still receives calls attempting to get back into the system.
If the PABX system proves secure, the next most common form of attack, according to Stevens, is via a company’s voicemail system. Just about every voicemail system can be accessed via a remote telephone line. Using relatively straightforward hacking programs, phreakers are able to gain access to an organisation’s staff voicemail boxes. Cracking the four-digit passwords, a process which usually takes less than two days at most and, if common pass codes such as “0000” or “1234” are used, “a matter of seconds”, gives the phreakers access to another phone line, or to as many lines as they can crack.
From here it’s easy to forward that line to another number. “It just so happens that that number can easily be 0011,” says Stevens. This method is most common with phone card scams. Operating on a global scale, this is the realm of organised crime and it is so far proving impossible to catch the perpetrators.
Stevens explains a typical scenario: a backpacker in South America buys a phone card, which like all phone cards requires the user to dial a series of numbers before entering the number they wish to call. Usually routed via multiple countries, and potentially through a bank of computers, the call passes through one of a selection of phreaking victims’ PABX systems. The backpacker is none the wiser that they have not been using a legitimate service.
Counter measures
“With all the precautions being undertaken to prevent computer network hacking these days, it is surprising how little mention is made about phreaking or PABX hacking,” said Denis Rowe, national marketing manager, Macquarie Telecom. “While perhaps not as common as the current spate of phishing scams hitting Australia, it is lethal in its cost to business.”
Phreakers breach PABX security and re-originate calls to anywhere in the world. While it has been going on for many years, the widespread use of email, the internet and mobile communications has left company ‘weak spots’ open to exploitation by ever more sophisticated phreakers.
“Phreakers don’t discriminate between small or large business – in some instances the costs can be enough to put a company out of business,” he said.
Minimising the risk?
There are a number of simple precautions business and government can put in place to lower the risk of phreaking. These include:
• Change all default passwords on remote access to PABX and voicemail systems
• Potentially disconnect remote programming modems when not in use
• Implement a policy of monthly changes to personal voicemail and remote access pins
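The incidents above were caught, when they were caught at all, by someone noticing a sudden spike in international calls outside office hours. The following added example (not from the article or any vendor) shows how a business could run that check itself over its own PABX call-detail records; the CDR format, the 0011 international prefix and the office-hours window are assumptions labelled in the code.

```python
"""Flag bursts of after-hours international calls in PABX call records.

Constructed example: the call-detail-record (CDR) format below is assumed,
not any vendor's real format. Each line is
    timestamp,extension,dialled_number,duration_seconds
and the 0011 prefix is Australia's international dialling prefix.
"""
from collections import Counter
from datetime import datetime

INTL_PREFIX = "0011"
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 counts as office hours (assumption)


def parse_cdr(line):
    """Split one CDR line into (datetime, extension, dialled number, seconds)."""
    ts, ext, number, dur = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ext, number, int(dur)


def after_hours_intl_bursts(lines, per_hour_threshold=5):
    """Return [(hour_bucket, call_count)] for hours in which more than
    per_hour_threshold international calls left the PABX outside office hours."""
    per_hour = Counter()
    for line in lines:
        if not line.strip():
            continue
        when, _ext, number, _dur = parse_cdr(line)
        if not number.startswith(INTL_PREFIX):
            continue                       # domestic call: not of interest here
        if when.hour in BUSINESS_HOURS and when.weekday() < 5:
            continue                       # ordinary weekday daytime traffic
        per_hour[when.strftime("%Y-%m-%d %H:00")] += 1
    return sorted((h, n) for h, n in per_hour.items() if n > per_hour_threshold)


# Constructed sample: one ordinary daytime call, then a 02:00 burst from one extension.
SAMPLE_CDR = """\
2005-03-22 10:15:02,EXT204,0011441234567890,180
2005-03-22 02:01:11,EXT118,00115551234001,610
2005-03-22 02:03:40,EXT118,00115551234002,590
2005-03-22 02:06:05,EXT118,00115551234003,620
2005-03-22 02:09:30,EXT118,00115551234004,600
2005-03-22 02:12:55,EXT118,00115551234005,640
2005-03-22 02:15:20,EXT118,00115551234006,615
2005-03-22 02:40:00,EXT118,0262345678,45
""".splitlines()

if __name__ == "__main__":
    for hour, count in after_hours_intl_bursts(SAMPLE_CDR):
        print(f"ALERT {hour}: {count} international calls outside office hours")
```

The threshold should be tuned to the site's normal overnight traffic; the point is that a night-time run of international calls from a single extension stands out immediately, rather than three months later on the bill.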