Hacking PBXs for International Revenue Share Fraud

© 2013 Proprietary and confidential information of cVidya. Hacking PBXs for International Revenue Share Fraud. Tal Eisner, CFCA Winter Educational Event, Seattle, WA, October 2013.

Uploaded by cvidya-networks, posted 28 Nov 2014.


DESCRIPTION

PBX fraud is still ranked as a top emerging fraud method globally and is a major concern for all telecom operators. At the last CFCA Educational Event in Seattle, Mr. Tal Eisner, cVidya's Senior Director of Product Strategy, presented a case study on the topic "Hacking PBXs for international revenue share fraud".

TRANSCRIPT

Page 1: Hacking PBXs for international revenue share fraud

© 2013 – PROPRIETARY AND CONFIDENTIAL INFORMATION OF CVIDYA

Hacking PBXs for International Revenue Share Fraud

Tal Eisner, CFCA Winter Educational Event, Seattle, WA, October 2013

Page 2: Content

The PBX hacking challenge: questions to be asked, answers to be given

Case study from a European operator

– What happened?

– How was it detected?

– Action items and measures taken

Lessons learned

Page 3: PBX Hacking

Page 4: PBX Hacking

Global annual damages of over $4B

Reported incidents have increased dramatically since the introduction and penetration of IP-based PBXs

The mode of operation has become sophisticated and professional

IP-based PBX security layers are relatively thin and vulnerable

Consequences of hacking are extensive and its financial implications must be addressed

Page 5: Frequently Asked Questions

– Who is liable for the calls?

– How is a PBX being accessed?

– How does such hacking take place?

– What is the incentive to commit PBX hacking?

– What protective measures can be taken against such hacking?

– What kind of preventive measures can be taken?

Page 6: Case Study

Tier 2 operator in Europe detects an organized, sophisticated hacking scheme

Page 7: Case Study

The FMS started alerting on high volumes of calls within short time periods to hot-listed risky ranges

Primary investigation concluded the following:

– Calls had long duration

– All destinations were PRS/IRSF

– Abnormal accumulated volumes in overlapping time frames (e.g., a total of 5 hours of calls in a 45-minute time frame)

– All CDRs had CFW indicators, and optional numbers were present

Page 8: FraudView Alerts on Abnormal Traffic

Page 9: Mode of Operation

Calls come in over IP and port scanning takes place

Hackers seek an “open port” to use as an international gateway

In order to check whether the gate is “open” – hackers use test numbers to make sure the line has international access

Known test numbers circulate as hot lists in the hacker community

Once an open gate is established and verified, an immediate surge of calls follows

Calls are forwarded from the PBX extension to PRS numbers

ALL calls are transferred to PRS destinations

Page 10: Forwarding All Calls to PRS Destinations

Page 11: Online Publications of Test Numbers

Page 12: Gathering Intelligence on Test Numbers

Page 13: Detection Process

Controls on:

– Calls forwarded to international destinations

– Calls by optional numbers to known risky/PRS ranges

– Aggregation of calls to international calls (mainly PRS)

– Accumulation of calls within a short time frame (e.g., 5 Hours in 1 hour)

– Detection of series of calls with similar duration (indication of automatic dialer)
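As an added example, not part of the deck, the controls above and the case-study indicators from page 7 (CFW to PRS ranges, calls to known test numbers, accumulated talk time exceeding the window, runs of equal-length calls) expressed as checks over a few constructed CDR lines in Python. The CDR column layout, the extension names, the +99001 "PRS" prefix and the test number are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs: start,extension,dialled,forwarded_to (empty = no CFW),duration_s.
# The +99001 "PRS" prefix and the test number are placeholders, not real ranges.
SAMPLE_CDRS = """\
2013-10-01T02:00:00,ext101,+431234567,+990011110001,5400
2013-10-01T02:05:00,ext101,+431234567,+990011110002,5400
2013-10-01T02:10:00,ext101,+431234567,+990011110003,5400
2013-10-01T02:15:00,ext101,+431234567,+990011110004,5400
2013-10-01T09:30:00,ext102,+449876543,,120
2013-10-01T11:00:00,ext103,+990099999,,5
"""
PRS_PREFIXES = ("+99001",)     # hot-listed risky/PRS ranges (placeholder)
TEST_NUMBERS = {"+990099999"}  # known test numbers used to probe for international access

def parse_cdrs(text):
    rows = []
    for line in text.splitlines():
        start, ext, dialled, fwd, dur = line.split(",")
        rows.append({"start": datetime.fromisoformat(start), "ext": ext,
                     "dialled": dialled, "fwd": fwd, "dur": int(dur)})
    return sorted(rows, key=lambda r: r["start"])

def detect(cdrs, window=timedelta(minutes=45), tol=60, min_run=3):
    """Return {extension: sorted reasons}, one check per control on the slide."""
    alerts, by_ext = defaultdict(set), defaultdict(list)
    for r in cdrs:
        by_ext[r["ext"]].append(r)
        if r["fwd"].startswith(PRS_PREFIXES):        # CFW to an international PRS range
            alerts[r["ext"]].add("CFW to hot-listed PRS range")
        if r["dialled"] in TEST_NUMBERS:             # probe for an "open" international gate
            alerts[r["ext"]].add("call to known test number")
    for ext, rows in by_ext.items():
        # More talk time than the window is long means overlapping calls
        # (the case study saw 5 hours of calls inside a 45-minute window).
        for i, a in enumerate(rows):
            total = sum(b["dur"] for b in rows[i:] if b["start"] - a["start"] <= window)
            if total > window.total_seconds():
                alerts[ext].add(f"{total // 60} min accumulated in {window.seconds // 60} min")
                break
        # A run of consecutive calls with near-identical duration points to an auto-dialler.
        durs, run = [r["dur"] for r in rows], 1
        for x, y in zip(durs, durs[1:]):
            run = run + 1 if abs(x - y) <= tol else 1
            if run >= min_run:
                alerts[ext].add("series of calls with similar duration")
                break
    return {ext: sorted(reasons) for ext, reasons in alerts.items()}
```

On the sample, ext101 trips three controls at once and ext103 is flagged only for the test-number call, which is the signal the deck says precedes the surge.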

Page 14: Observations

Modus operandi:

– Manipulation of the originating number for disguise

– Repeated attempts to forward calls straight after the option is blocked

– Significant volumes of calls; such acts are not designed for "small change"

– The dominant motivation for hacking is inflation of PRS traffic

[Diagram: Hacking → CFW → "Attack"]

Page 15: Detecting via Optional Number (CFW)

Page 16: Scanning via Test Numbers for Open Ports

Page 17: From Reaction to Prevention

Core of the attack lies in CFW to international traffic

Action taken:

– Process of CFW INTL deletion on provisioning level

– Request for cancellation of the feature for existing and new customers

– Response for exceptions

Hacker tries any means to disguise his/her identity, carrier, destinations and optional number – Quick analysis and response are therefore key!

ALL calls to known test numbers are being monitored and analyzed

Restriction of traffic accumulated simultaneously over a PBX

Page 18: CFW Provisioning by Hacker

Page 19: Lessons Learned

Maximum visibility of customer details is a must

Old methods of simply calling to PBX extensions are gone…

Controls must be updated constantly

– Thresholds to be tuned

– Destinations to be changed

SS7 info provides flexible switching info that might be key

Real-time alerting via email/SMS can prevent large-scale financial impacts

Cross-company cooperation is essential for profound investigations and deeper understanding of phenomena

Page 20: Thank you! www.cvidya.com