PBX in Texas

How hackers gave a small town a $27,000 phone bill 

Alex Wukman
Dec 23, 2013

First published in two parts: here and here

Everyone knows the sinking feeling of getting a bill that’s larger than expected. But for Bell County in Central Texas that sinking feeling was caused by a phone bill about $27,000 higher than usual.

An unknown number of hackers attacked the Bell County phone system from Nov. 30 to Dec. 2 and placed a series of international calls that rang up thousands of dollars in fraudulent charges.

“Our bill was $27,220.22 for one day,” County Auditor Donna Eakin said. “Our bill in October was $855. I have staff members who’ve been here 35 years and they’ve never seen anything like this.”

The stratospheric phone bill came from the first of two separate incidents when the hackers exploited weaknesses in the county’s phone system to place outgoing calls that appeared to be coming from, and were billed to, Bell County.

The first attack, which started on Nov. 30, targeted a weak password on an extension in the Road and Bridge Department.

Cracking the four-digit password gave the hackers access to the phone’s automated menu system and allowed them to route calls to the Caribbean island nation of Grenada through Bell County’s switchboard.

Jim Chandler, director of Bell County’s Technology Services Department, said AT&T personnel first detected suspicious activity on the county’s phone network soon after the incursion happened.

“AT&T spent several days doing an investigation to determine whether the calls were being made internally within the Bell County phone system,” Chandler said.

On Monday, Dec. 2, AT&T alerted the technology services department to the suspicious activity. Since AT&T’s personnel believed that the calls were originating from within the county’s phone system, they requested that county personnel conduct their own internal investigation.

“We immediately asked AT&T to disable our international call capability upon learning about the issue and continue to monitor for unusual activity,” Chandler said.

After spending a day troubleshooting, Chandler’s team was able to isolate the source of the problem — a third-party caller who was able to defeat the phone’s voicemail password and co-opt the remote dial feature.

Chandler said that in the two days before the international calling capability was disabled, the hackers placed “thousands of phone calls to Grenada, each lasting a few seconds.”

Sean Brown, a director of network operations with 15 years in the telecommunications industry, said that in his experience, multiple short-duration long distance calls, like those Bell County experienced, are the hallmark of a “connect charge scam.”

“Companies in South Africa and South America will charge these really high fees to connect to a phone number, like $10 a call,” Brown said. “And they get a lot of connections in a short time and then send the bills to U.S. carriers.”
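The pattern Brown describes, many few-second calls to high-cost destinations from one extension in a short span, can be flagged from a PBX's call detail records. The sketch below is an added example, not part of the original article; the CDR field layout, thresholds, extensions and sample records are all constructed assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Assumed policy values; tune to the site's normal calling pattern.
HIGH_COST_PREFIXES = ("011", "1473")  # 1-473 is Grenada, dialed like a domestic number
SHORT_CALL_SECS = 15
WINDOW = timedelta(minutes=10)
THRESHOLD = 5

def build_sample_cdrs():
    """Constructed CDR lines: start,extension,dialed,duration_secs."""
    t0 = datetime(2013, 11, 30, 22, 0, 0)
    rows = []
    for i in range(8):   # ext 4120: burst of few-second calls, 40 s apart
        rows.append((t0 + timedelta(seconds=40 * i), "4120", f"1473555{i:04d}", 4 + i % 3))
    for i in range(6):   # ext 4303: same destinations, but one call every 30 min
        rows.append((t0 + timedelta(minutes=30 * i), "4303", f"1473555{i:04d}", 5))
    for i in range(6):   # ext 4301: short domestic calls
        rows.append((t0 + timedelta(seconds=20 * i), "4301", f"1254555{i:04d}", 8))
    rows.append((t0, "4302", "011442055501234", 900))  # one long overseas call
    return "\n".join(f"{t.isoformat()},{e},{d},{s}" for t, e, d, s in rows)

def find_toll_fraud_bursts(cdr_text):
    """Return {extension: (window_start, peak_count)} for flagged extensions."""
    recent = defaultdict(deque)  # extension -> start times of short high-cost calls
    alerts = {}
    for start, ext, dialed, secs in sorted(csv.reader(StringIO(cdr_text))):
        if not dialed.startswith(HIGH_COST_PREFIXES) or int(secs) > SHORT_CALL_SECS:
            continue
        ts = datetime.fromisoformat(start)
        q = recent[ext]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop calls that fell out of the sliding window
            q.popleft()
        if len(q) >= THRESHOLD:
            first_seen, peak = alerts.get(ext, (q[0], 0))
            alerts[ext] = (first_seen, max(peak, len(q)))
    return alerts

if __name__ == "__main__":
    for ext, (since, peak) in find_toll_fraud_bursts(build_sample_cdrs()).items():
        print(f"ext {ext}: {peak} short high-cost calls within {WINDOW} starting {since}")
```

Only extension 4120 is flagged in the constructed data; the slow trickle, the domestic calls and the single long overseas call all stay below the alert condition.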

An October report from the Communication Fraud Control Association, a communication security organization, estimates that total phone fraud costs communications companies more than $40 billion annually.

The scope and size of phone fraud can be mind-blowing when it’s first encountered. Brown said that it’s so common that it’s not really talked about outside of the industry.

“Up to 10 percent of the calls going on at any given time are fraudulent,” Brown said.

Jennifer Shearer, an FBI spokeswoman, said that private branch exchange (PBX) attacks, the type that Bell County experienced, are among the most common and, with an estimated $4.42 billion in damages last year alone, one of the costliest of intrusions.

Because of their simplicity (hackers simply need to brute-force their way through a few thousand possible combinations), they can be extremely profitable.

“The worst I’ve ever seen was a $228,000 phone bill for six hours’ worth of fraud,” Brown said.

Roberta Aranoff, executive director of the Communication Fraud Control Association, said that despite phone fraud’s staggeringly high cost to U.S. telecom companies, the cost rarely shows up on customers’ bills.

“Usually the cost is absorbed by the carriers,” Aranoff said. “There have been some successful government prosecutions, but those are rare.”

Although the total cost of the attack won’t be revealed until the county gets the December bill, Chandler said the county has already made plans to appeal the fraudulent charges.

Unfortunately, the charges don’t just include fraudulent calls made on Dec. 1 and Dec. 2. On Friday, Dec. 13, a second incursion into the Bell County phone system was made.

While it remains unclear if both attacks were related, they both employed similar methodology. Chandler said the second attack also involved someone defeating the voicemail password on a different phone.

After gaining access to the voicemail system, the hackers “used the ‘forwarding voice message’ feature to leave an actual message on the phone and then forward the voice message to an international number” also located in Grenada, Chandler said.

The second attack was far less successful. AT&T personnel detected the intrusion within an hour and allowed only two messages, each less than 20 seconds in length, to be sent. Chandler said county technical staff has subsequently restricted the forward voice message feature to only internal use within the county’s phone system.

Additionally, county personnel contacted Hewlett Packard — which acquired the manufacturer of the county’s phone system, 3Com, in 2010 — to discuss its phone system’s vulnerabilities and to determine if all best practices were being followed.

“The HP technical support team was unaware the ‘forward voice message’ vulnerability was even possible with our system,” Chandler said. Unfortunately, the lack of knowledge about the capabilities of phone systems isn’t uncommon.

Brown said that a large part of the problem in combating phone fraud is the attitude people have toward their phone system.

“Phone systems aren’t cheap,” Brown said. “And people use them until they literally don’t work anymore. And any backdoors that were there 10 or 12 years ago are still there.”

Alex Wukman

Houston-based freelance writer. Author: Great Destinations Galveston to South Padre. Poet and occasional playwright.