Phone system and voicemail hacking has been going on, it seems, ever since these systems were invented. Recent attacks, though, show a new level of complexity and severity.
THEN
In the 80’s hackers would get hold of DISA numbers (Direct Inward System Access: numbers that were often used to allow remote workers to make long distance calls on a company’s phone account). These numbers allowed the hackers to route their dial-up modems through toll free numbers that passed the call through the company PBX phone system. The hacker could then access long distance electronic bulletin board numbers and not worry about the cost. (Long distance calls were a bit more expensive back then, and there was no Internet as we know it today.)
In the 90’s, voicemail systems became much more affordable and the variety of hacks grew. A hacker from the Philippines calling himself “the sniper” became well known in certain telecom circles for hacking numerous US-based PBXs, forcing the systems to automatically outdial into the Philippines to expensive profit-making numbers (the international version of a “900” number). This method of hacking has continued and is still common today.
More recent hackers have used various methods to trick phone systems into connecting a company’s outside line through to the caller, so they could again make international long distance calls on the victim company’s account. We have often been called to help protect systems that had hacked calls going to Cuba, Sierra Leone, Guam, and many other countries.
The information contained within voice mailboxes is another obvious target, from corporate espionage such as Compaq hacking HP’s voicemail in 2002 to journalists hacking celebrities’ mobile voicemail accounts as revealed by the now defunct News of the World and the Daily Mirror scandals.
Most of these hacks involved taking advantage of system features that were normally accessible to users just by dialing in on a regular voice line, and then getting through by figuring out simple or non-existent passwords. They did not involve more sophisticated or complex hacks involving programming of system software.
NOW
Recently, though, there have been reports of phone systems having their lines and voicemail recordings re-programmed to assist with phishing and vishing (“voice-phishing”) schemes and used for credit card fraud.
Brian Krebs (krebsonsecurity.com) reported that fraudsters had been sending out text messages to hundreds of thousands of mobile users in the Houston, TX area. The SMS messages informed the recipients that there was a problem with their bank account and they should call a specific phone number and follow the prompts to verify their credit card information.
One of the phone numbers supplied to the victims originally belonged to a Holiday Inn Express in Houston. While the number should have been going to the hotel, the hackers had taken control of the line and provided a fake recording targeting Bank of America customers. The prompt spoken was as follows:
“Thank you for calling Bank of America. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press one now.”
The callers were then prompted to enter the last four digits of their Social Security number, their credit card number, and the expiration date.
A similar hack occurred in January where a fax line for a different Holiday Inn was re-directed to a recording that targeted Key Bank customers (with that number sent out in a phishing text message). A copy of this recording was obtained by “Numbercop”, a telephony security firm, and posted on SoundCloud.
Eventually, the owner of the phone number realized their number had been compromised and took steps to restore it, but by then a large number of their normal clientele were not able to get through, not to mention their system had been used to perpetrate credit card fraud.
While this does pose the threat of credit card fraud to the recipients, it is also a very serious concern for corporate telecom security. It shows how systems are vulnerable in ways that may not have been given attention before. Such redirecting of lines or reprogramming of voicemail menus requires a higher level of access and a more sophisticated effort. It calls for more advanced knowledge of the system’s inner programming methods: not necessarily more difficult, but certainly more involved than the typical user-level features that had been compromised in the past.
Cyber and data security efforts have to look at communications on all levels. This degree of access could come from an insider threat: a disgruntled or recently fired employee, or perhaps someone with the necessary telecom experience making his skills available to the criminal world. We will be interested to follow this story and learn more about how the Holiday Inn systems were compromised and to see if other attacks may yet be revealed.