TELECOM Digest OnLine - Sorted: VoIP Security Alert: Hackers Now Working VOIP For Cash


VoIP Security Alert: Hackers Now Working VOIP For Cash


J. Nicholas Hoover (infoweek@telecom-digest.org)
Sun, 11 Jun 2006 19:00:22 -0500

By J. Nicholas Hoover
InformationWeek

IP phone crooks are learning how to rake in the dough. An owner of two
small Miami voice-over-IP telephone companies was arrested last week
and charged with making more than $1 million by breaking into
third-party VoIP services and routing calls through their lines. That
let him collect from customers without paying any fees to route calls.

Hacking's become a decidedly for-profit crime, with crooks intent on
theft rather than disruption. Voice-over-IP hasn't been a big target,
but only because crooks haven't figured out how to make money off
breaking in.

In that sense, Edwin Pena's a pioneer, if federal prosecutors'
allegations are true. Prosecutors claim he paid $20,000 to Spokane,
Wash., resident Robert Moore, to help send VoIP telecoms millions of
test calls, guessing at proprietary prefixes encoded on packet
headers. Eventually, the right one gave them access. The two also are
accused of hacking into computers at a New York investment company to
set up servers to make it look like calls came from third parties.

Edwin Pena had been making easy cash for almost 18 months and sold
about 10 million minutes before law enforcement caught up with him
yesterday morning, prosecutors say. The newfound magnate is alleged to
have lavishly spent his takings on luxury cars, a 40-foot Sea Ray
motorboat and Miami-area real estate. Now, he faces losing all of that
and spending up to 25 years in jail and $500,000 in fines.

Pena didn't carry out his plan alone, according to authorities. He
paid $20,000 to Spokane, Wash., resident Robert Moore, who helped Pena
scan VoIP providers for security holes with a code-cracking method
called brute force. They sent these companies millions of test calls,
guessing at the proprietary prefixes encoded on packet headers that are
used to show VoIP calls are legit, until the right one gave them
access. The two also hacked into computers at a Rye Brook, N.Y.,
investment company and set up other servers to make it seem like they
were sending calls from third parties through more than 15 VoIP
providers.

Those companies have to pay for access to the Internet's backbone, and
they found themselves with up to $300,000 in charges for access stolen
through Pena's hacks, authorities say. Yet it's not only carriers that
could be concerned with the type of attack Pena and Moore launched,
says Seshu Madhavapeddy, CEO of VoIP security company Sipera Systems.

In general, Pena's attack was a spoofing attack, designed to let his
calls masquerade as those of another carrier. Madhavapeddy says these
types of attacks are relatively easy to carry out, and could hit at
enterprises just as easily as carriers.

One possibility is stolen access, but there are others. For example, a
hacker might spoof call forwarding features to make all calls route to
him. Customers trying to reach a help line could be tricked into
giving credit card information to the hacker. "People remember the
voice and forget the over IP part," says Mark Rasch, SVP of security
company Solutionary Inc. "Just like data can be rerouted without
authorization, VoIP can be rerouted without authorization."

The exponential growth of VoIP can only add targets. Infonetics
Research predicts spending on VoIP will jump from $1.2 billion in 2004
to more than $23 billion in 2009. Meanwhile, IP communications are
inherently more complex than traditional phone calls, and are getting
even more so.

Emerging technologies like unified communications, which include voice,
video and data in one console intended to drive collaboration through
the roof, have the potential to put more and more information at the
fingertips of hackers. And just as email and the Internet open the
door for vulnerabilities, these next-generation tools could allow
hackers to spoof a call and send illicit information and files to end
users.

For now, VoIP is a wilderness for hackers, and there have been very
few publicized attacks. But security companies like Symantec predict a
coming epidemic of spam over VoIP, so-called SPIT. They warn about
phishing not unlike what companies and consumers see in emails. And
VoIP networks are just as susceptible to crippling denial of service
attacks as are data networks, and mass calls generated by a worm could
overload networks or kill productivity with ceaseless phone calls and
messages.

That's another way hackers could make money from VoIP networks. "If I
can take down the enterprise network and I'm showing you demonstrably
how I can do it, I can blackmail you," Madhavapeddy says.

And this case? "These modern day cyber-thieves had hoped they had
engineered a brilliant 'toll free' calling network for themselves,"
Newark FBI Special Agent in Charge Leslie G. Wiser, Jr., said in a
statement. "They hoped wrong."

Copyright 2006 CMP Media LLC.
