Toll Fraud - Old Hacks Die Hard
31 July 2015

Forgotten by many, reported on by few and rarely disclosed by those affected, toll fraud has never gone away and is on the increase. With single-breach losses reaching in excess of $100,000, the illegal use of an organisation's telecommunications can devastate an SME (Small to Medium Size Enterprise). A business losing $100,000 to $500,000 to toll fraud may not make the news headlines or the industry press, yet in 2013 it was estimated that global telecom fraud cost the industry $46.3 billion [1].

Telecom fraud has many aspects, and toll fraud is one of them. Toll fraud was one of the original hacks of the 1960s and 70s, termed 'phreaking', derived from 'phone freak'. Phreaking included the illegal practice of manipulating the telephone network to allow the attacker to make free long-distance telephone calls. It is rarely referred to as phreaking today, but despite being one of the oldest hacks in the book, phreaking has evolved into a multibillion-dollar toll fraud industry. The fraud is usually perpetrated by generating unauthorised outbound calls from the victim organisation to premium rate numbers set up by the attacker, or by selling cut-price international voice services that use the compromised phone system. $8 billion of the total estimated losses in 2013 was attributed to hacking and abuse of PBX and VoIP services [1].

The evolution of toll fraud has moved on from small-time hacking of analogue and then digital systems to large-scale international fraud targeting IP-PBXs (Private Branch Exchanges). The exploitation of modern IP-based systems has been further compounded by poor awareness of IP voice security, in particular IP-PBX and SIP (Session Initiation Protocol) vulnerabilities. SIP is one of the most common VoIP protocols adopted by industry. It is generally implemented within an organisation's internal VoIP network. SIP trunks are also gaining significant traction with the industry by providing a cost-effective replacement for ISDN (Integrated Services Digital Network) connections between an organisation's IP-PBX and their telecoms service provider. It is estimated that by 2018, 42 percent of global organisations will put their voice traffic over SIP trunks [2].

The measures required to defend against toll fraud attacks are straightforward, but the statistics and increasing losses demonstrate that in many instances they are not being applied. Complacency and a poor understanding of how to secure IP-PBXs, including SIP configuration, among those designing and implementing the systems are all factors leading to vulnerable systems being deployed. The re-skilling of traditional voice engineers to undertake IP voice installation and configuration may also be a factor: it is extremely difficult for these engineers to gain an appreciation of VoIP technology and its vulnerabilities with only a brief introduction to IP. Conversely, those with a solid grounding in IP appear to be apprehensive when approaching the different terminology, concepts and protocols of VoIP. All of these factors leave a critical area of an organisation's technology neglected and often lacking well-defined governance, ownership and responsibility.

The likelihood of falling victim to toll fraud, in particular malicious high-value premium rate dialling or international dialling, can be significantly reduced by understanding the business needs and carefully planning which telephone system features are required. These requirements should then be the only features implemented in the PBX configuration. All too often PBXs are installed, switched on with minimal configuration and default settings, and left with nobody taking responsibility for understanding their purpose and monitoring their use. An initial design should start with all premium rate dialling, all international dialling and all forwarding to mobile numbers blocked. Governance and administration processes and procedures must be established, and only then should these commonly exploited features be enabled on an individual case basis. Authorisation to access such features should be controlled in the same way as authorisation to access sensitive company data, and voice services authorisation should be embedded in the joiners, leavers, movers process. Where premium rate or international dialling is required for individuals or groups, permitted time and date periods should be configured, since many attacks are perpetrated out of office hours or at weekends. Call thresholds should be set to minimise the impact of an attack should one take place, and the ITSP (Internet Telephony Service Provider) should be asked to apply call thresholds too, so that an alert can be raised and an attack thwarted. Above all else, default passwords on the PBX must be changed to long and complex passwords: default or easy-to-guess PBX administrator passwords or SIP client passwords are among the most common vulnerabilities exploited in this type of attack. It is also critical that the SIP trunk connection through the firewall or SBC (Session Border Controller) is restricted to the specific IP addresses of the service provider.

As with data networks, VoIP systems must be protected with a layered security model, including tightly controlled VoIP-aware firewalls or SBCs. However, basic best practice for IP-PBX and SIP configuration is the essential and primary requirement for mitigating high-value toll fraud.

Although there are many types of attack against telecoms systems, the one described here is one of the most costly to an organisation. Unfortunately SMEs are also the most affected by the financial impact, as it is the organisation, not the telecoms provider, that is responsible for the losses. While a large organisation may be able to write off or absorb the financial cost of an attack, an SME can be devastated or indeed bankrupted by the financial loss incurred. All organisations should remember, and be reminded, that it is vital to understand the risks associated with IP-PBX and SIP deployment. Neglecting to implement the simple steps that mitigate high-value toll fraud could ultimately put an SME out of business.

It should not be forgotten that the insider threat to an organisation's voice services remains high. A rogue administrator could modify the PBX configuration or divulge PBX credentials to a third party to facilitate toll fraud. As such, PBX and voice logs should be monitored for abuse and PBX configurations audited on a regular basis.
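The controls described above (premium rate and international dialling blocked by default, authorised per extension, restricted to permitted hours, with call thresholds) and the log monitoring recommended against the insider case can both be checked against the PBX's call detail records. The following is an added example and not code from the original post: a small Python detector run over constructed CDRs, assuming UK-style dialling prefixes, 08:00 to 17:59 Monday to Friday as office hours, and hypothetical extension numbers and thresholds.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: (timestamp, extension, dialled number, duration in seconds).
SAMPLE_CDRS = [
    ("2015-07-28 10:15:00", "201", "02079460000", 120),    # domestic, office hours
    ("2015-07-28 23:40:00", "201", "0090555000111", 300),  # international, ext not authorised
    ("2015-07-29 02:05:00", "318", "0904123456", 600),     # premium rate, out of hours
    ("2015-07-29 11:00:00", "205", "0033123456789", 200),  # international, authorised ext
    ("2015-08-01 03:10:00", "205", "0033123456789", 200),  # authorised ext, but a Saturday
]
# Five further short domestic calls from ext 318 in the same hour, to trip the threshold.
SAMPLE_CDRS += [("2015-07-29 02:%02d:00" % m, "318", "02079460001", 30) for m in range(6, 11)]

# Policy (assumptions for illustration): UK-style prefixes, office hours 08:00-17:59 Mon-Fri,
# international dialling authorised per extension, at most 5 calls per hour per extension.
PREMIUM_PREFIXES = ("09",)
INTERNATIONAL_PREFIXES = ("00", "+")
OFFICE_HOURS = (8, 18)
ALLOWED_INTERNATIONAL = {"205"}
CALLS_PER_HOUR_THRESHOLD = 5

def classify(number):
    # Return 'premium', 'international' or 'domestic' from the dialled prefix.
    if number.startswith(PREMIUM_PREFIXES):
        return "premium"
    if number.startswith(INTERNATIONAL_PREFIXES):
        return "international"
    return "domestic"

def out_of_hours(ts):
    # True if the call started at a weekend or outside the configured office hours.
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt.weekday() >= 5 or not (OFFICE_HOURS[0] <= dt.hour < OFFICE_HOURS[1])

def detect(cdrs):
    """Apply the policy to each CDR in order; return (extension, reason, detail) alerts."""
    alerts = []
    per_hour = defaultdict(int)  # (extension, 'YYYY-MM-DD HH') -> call count
    for ts, ext, number, _duration in cdrs:
        kind = classify(number)
        if kind == "premium":  # blocked by default in the PBX, so any hit is an alert
            alerts.append((ext, "premium-rate call", number))
        elif kind == "international" and ext not in ALLOWED_INTERNATIONAL:
            alerts.append((ext, "unauthorised international call", number))
        elif kind == "international" and out_of_hours(ts):
            alerts.append((ext, "international call outside permitted hours", number))
        key = (ext, ts[:13])
        per_hour[key] += 1
        if per_hour[key] == CALLS_PER_HOUR_THRESHOLD + 1:  # alert once per hour bucket
            alerts.append((ext, "call threshold exceeded", ts[:13]))
    return alerts
```

In a real deployment the same checks would be fed from the PBX's CDR export or the ITSP's call records, and the threshold should be mirrored at the provider as the post recommends.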

[1] CFCA 2013 Global Fraud Loss Survey
[2] Eastern Management Group

varlogsecurity blog