In the cyber era, companies have been investing heavily in their data infrastructure, protecting information vaults, CRM databases and critical production management systems. But when was the last time someone took a look at the customer service center's IP phone server? How about the phone bills accumulated by the desk phones of the call center or of personal offices? Those same phones might still be on your desk, even though you have not used them in months or even years.
Through our work with our customers, we have on multiple occasions witnessed that the primary data infrastructure components are well secured and under constant surveillance, while the supporting service infrastructure has been left unmaintained. One of these systems, which we call a gray-area system, is the phone system; many still view it as the 'old landline' system. In most cases, however, these systems nowadays run over Voice over Internet Protocol (VoIP) and are managed by dedicated VoIP servers, enabling hundreds or even thousands of personal office desk phones to be connected through one main system.
The protection of these systems is often left unattended, which provides a lucrative opportunity for a mischievous individual. In this post, we are not diving deeper into possible eavesdropping or attacks targeting other data network components that can be reached through the phone server.
Rather, what has been witnessed on many occasions is that the phone system has been used to call pre-determined service numbers with high per-call costs for the caller. The server is automated to place these calls outside of office hours to minimize the chance of detection. With automation and a payment scheme of tens of euros per connected call, thousands of calls can be made within a short period of time. The receiving end is often somewhere outside of the EU and US, in countries with non-existent controls against this type of fraud, such as Nigeria and other African countries. The service numbers set up can cost as much as 50 euros per call.
What usually reveals the attack is the phone bill at the end of the month, and we are not talking about small change either. There have been cases in recent months where attackers piled up these service charges to hundreds of thousands of euros within one month. In some of these cases, the attackers were too greedy to make a systematic, long-drawn-out process of it and tried to leech as much money as possible in as short a time as possible.
In these situations, the targeted entity contacts the phone operator to discuss possible refunds or discounts on the bill. What must be remembered is that there is no obligation for the phone operator to grant these concessions; they usually do so purely out of good customer service, because they want to keep their long-term customers. At a bare minimum, the targeted company must bear the indirect costs of resolving the issue. Addressing these cases takes a good chunk of the working time of multiple individuals, time taken away from the primary business functions meant to bring in money for the company.
In the above situation, the attack was easy to recognize because of the massive charge on the phone bill at the end of the month. But what if the next attacker is equipped with a bit more patience? Their intention is not short-term profit but to embed a long-term scheme into multiple systems, racking up profits consistently over time. Ask yourself: what increase in the monthly phone bill would go unnoticed in your company? In many cases the increase is visible only once, by comparing the phone bills from the month before and the month after the attack. After that, the new total becomes the norm.
So, what can you do to protect yourself against money leaking out through automated service-number calling?
- Block any international and service numbers at least outside of office hours.
- Inspect call logs for suspicious destination countries, call times and extremely short durations.
- When installing new phone or network equipment, change the default passwords and ensure that “access attempt limitation” is turned on.
- Make sure that all system administrators have unique access credentials.
- Ask your service provider about its fraud-monitoring capability, especially whether it has real-time toll-fraud mitigation in place that would stop suspicious calls.
- Take the phone infrastructure into account in your data environment documentation and update it regularly.
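As an added example (not code from the original post or from Centry), the following Python script applies the call-log checks from the list above to a constructed call detail record (CDR) export. It flags calls to non-allowlisted countries, calls outside office hours, very short connected calls and calls to service-number prefixes, and marks a burst when one extension places several flagged calls within the same hour, which is the signature of the automated calling described above. The CDR column names, the allowlisted country prefixes, the service-number prefixes and all thresholds are assumptions to be adapted to your own PBX export and calling policy.

```python
"""Toll-fraud triage over VoIP call detail records (CDRs).

Added example, not code from the original post. It assumes a simplified
CSV CDR format (start, extension, dialled, duration_s, connected) and
works on constructed sample records embedded below.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDR export. Start times are local time in ISO 8601,
# dialled numbers are in E.164 form, connected is 1 when the call was answered.
SAMPLE_CDR = """\
start,extension,dialled,duration_s,connected
2024-03-04T09:12:41,1021,+358401234567,184,1
2024-03-04T14:03:09,1033,+4420123456789,420,1
2024-03-04T19:05:12,1033,+358600123456,45,1
2024-03-05T02:14:05,1050,+2341234567890,3,1
2024-03-05T02:14:19,1050,+2341234567891,2,1
2024-03-05T02:14:33,1050,+2341234567892,4,1
2024-03-05T02:14:47,1050,+2341234567893,2,1
2024-03-05T02:15:01,1050,+2341234567894,3,1
2024-03-05T02:15:15,1050,+2341234567895,2,1
2024-03-05T10:30:00,1021,+358207654321,60,1
"""

# Assumed calling policy: country codes that are expected business destinations.
ALLOWED_PREFIXES = {"+358": "Finland", "+44": "United Kingdom", "+46": "Sweden"}
# Assumed premium-rate prefixes for the example (E.164 form of Finnish 0600/0700 numbers).
SERVICE_PREFIXES = ("+358600", "+358700")

OFFICE_HOURS = (8, 18)      # calls starting before 08:00 or at/after 18:00 are out of hours
SHORT_CALL_SECONDS = 10     # "answered, then hung up immediately" pattern
BURST_THRESHOLD = 5         # this many flagged calls per extension per clock hour is a burst


def parse_cdr(text):
    """Parse the CSV CDR export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(row["start"]),
            "extension": row["extension"],
            "dialled": row["dialled"],
            "duration_s": int(row["duration_s"]),
            "connected": row["connected"] == "1",
        })
    return rows


def destination_country(number):
    """Return the allowlisted country for an E.164 number, or None if not allowlisted."""
    best = None
    for prefix, country in ALLOWED_PREFIXES.items():
        if number.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, country)
    return best[1] if best else None


def call_reasons(call):
    """Per-call rules from the checklist: destination, time of day, duration, service numbers."""
    reasons = []
    if call["dialled"].startswith(SERVICE_PREFIXES):
        reasons.append("service number")
    elif destination_country(call["dialled"]) is None:
        reasons.append("destination not allowlisted")
    hour = call["start"].hour
    if hour < OFFICE_HOURS[0] or hour >= OFFICE_HOURS[1]:
        reasons.append("outside office hours")
    if call["connected"] and call["duration_s"] < SHORT_CALL_SECONDS:
        reasons.append("very short connected call")
    return reasons


def flag_suspicious_calls(text):
    """Return flagged calls with their reasons, adding 'burst' when one extension
    places BURST_THRESHOLD or more flagged calls within the same clock hour."""
    flagged = []
    for call in parse_cdr(text):
        reasons = call_reasons(call)
        if reasons:
            flagged.append({**call, "reasons": reasons})
    per_hour = defaultdict(int)
    for f in flagged:
        per_hour[(f["extension"], f["start"].replace(minute=0, second=0))] += 1
    for f in flagged:
        if per_hour[(f["extension"], f["start"].replace(minute=0, second=0))] >= BURST_THRESHOLD:
            f["reasons"].append("burst")
    return flagged


def summarize(flagged):
    """Count flagged calls per extension, the view an administrator would escalate."""
    counts = defaultdict(int)
    for f in flagged:
        counts[f["extension"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = flag_suspicious_calls(SAMPLE_CDR)
    for h in hits:
        print(h["start"].isoformat(), h["extension"], h["dialled"], ", ".join(h["reasons"]))
    print(summarize(hits))
```

Run against the sample, the script leaves the daytime calls to Finland and the UK alone, flags the evening 0600 call on extension 1033, and reports the six early-morning calls to a non-allowlisted country from extension 1050 as a burst of very short connected calls. The same rules can be scheduled against the PBX's daily CDR export so that a pattern like this is noticed the next morning rather than on the monthly bill.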
This article was written by Vilho Westlund, a Security Manager of Centry Ltd. If you have any questions regarding this topic, please feel free to contact us via email at firstname.lastname@example.org or through any of our social media platforms.