Hacking PBXs for international revenue share fraud

PBX fraud is still ranked as a top emerging fraud method globally and is a major concern for all telecom operators. At the last CFCA Educational Event in Seattle, Mr. Tal Eisner, cVidya's Senior Director of Product Strategy, presented a case study on the topic of “Hacking PBXs for international revenue share fraud”.

  1. Hacking PBXs for International Revenue Share Fraud
     Tal Eisner, CFCA Winter Educational Event, Seattle, WA, October 2013
     © 2013 – PROPRIETARY AND CONFIDENTIAL INFORMATION OF CVIDYA
  2. Content
     - The PBX hacking challenge: questions to be asked, answers to be given
     - Case study from a European operator
       - What happened?
       - How was it detected?
       - Action items and measures taken
     - Lessons learned
  3. PBX Hacking
  4. PBX Hacking
     - Global annual damages of over $4B
     - Reported incidents have increased dramatically since the introduction and penetration of IP-based PBXs
     - Mode of operation has become sophisticated and professional
     - IP-based PBX security layers are relatively thin and vulnerable
     - Consequences of hacking are extensive and their financial implications must be addressed
  5. Frequently Asked Questions
     - Who is liable for the calls?
     - What is the incentive to commit PBX hacking?
     - How does such hacking take place?
     - What protective measures can be taken against such hacking?
     - How is a PBX being accessed?
     - What kind of preventive measures can be taken?
  6. Case Study
     Tier 2 operator in Europe detects an organized, sophisticated hacking scheme
  7. Case Study
     - The FMS (fraud management system) started alerting on high volumes of calls within short time periods to hot-listed risky ranges
     - Primary investigation concluded the following:
       - Calls had long duration
       - All destinations were PRS/IRSF
       - Abnormal accumulated volumes in overlapping time frames (e.g., a total of 5 hours in a 45-minute time frame)
       - All CDRs had CFW (call forwarding) indicators, and optional numbers were present
  8. FraudView Alerts on Abnormal Traffic
  9. Mode of Operation
     - Calls come in over IP and port scanning takes place
     - Hackers seek an “open port” to use as an international gateway
     - To check whether the gate is “open”, hackers use test numbers to make sure the line has international access
     - Known test numbers circulate as hot lists in the hacker community
     - Once an open gate is established and verified, an immediate surge of calls follows
     - Calls are forwarded from the PBX extension to PRS numbers
     - ALL calls are transferred to PRS destinations
  10. Forwarding All Calls to PRS Destinations
  11. Online Publications of Test Numbers
  12. Gathering Intelligence on Test Numbers
  13. Detection Process
      - Controls on:
        - Calls forwarded to international destinations
        - Calls by optional numbers to known risky/PRS ranges
        - Aggregation of calls to international destinations (mainly PRS)
        - Accumulation of calls within a short time frame (e.g., 5 hours in 1 hour)
        - Detection of series of calls with similar duration (indication of an automatic dialer)
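An added example (not from the deck and not cVidya's FraudView code) showing how three of the controls above can be run over CDRs: call forwarding to hot-listed PRS/IRSF ranges, accumulated talk time exceeding 5 hours inside any 1-hour window, and runs of near-identical call durations that suggest an automatic dialer. The CDRs, the hot-list prefixes and the thresholds are constructed placeholders.

```python
from datetime import datetime, timedelta

# Hot-listed PRS/IRSF destination prefixes: constructed placeholders, not a real hot list.
HOT_LIST_PREFIXES = ("+2521", "+3706")

# Constructed CDRs: (pbx_id, start_time, duration_s, destination, forwarded_by_pbx).
# pbx-A mirrors the case study: six hour-long forwarded calls to a hot-listed range,
# all started within ten minutes (overlapping). pbx-B is ordinary traffic.
SAMPLE_CDRS = [
    ("pbx-A", "2013-10-01T02:00:00", 3600, "+25215550101", True),
    ("pbx-A", "2013-10-01T02:02:00", 3598, "+25215550102", True),
    ("pbx-A", "2013-10-01T02:04:00", 3601, "+25215550103", True),
    ("pbx-A", "2013-10-01T02:06:00", 3600, "+25215550104", True),
    ("pbx-A", "2013-10-01T02:08:00", 3602, "+25215550105", True),
    ("pbx-A", "2013-10-01T02:10:00", 3599, "+25215550106", True),
    ("pbx-B", "2013-10-01T09:00:00", 120, "+441632960100", False),
    ("pbx-B", "2013-10-01T10:30:00", 300, "+441632960101", False),
]


def group_by_pbx(cdrs):
    """Parse timestamps and return {pbx_id: [(start, duration_s, dest, cfw)] sorted by start}."""
    by_pbx = {}
    for pbx, start, dur, dest, cfw in cdrs:
        by_pbx.setdefault(pbx, []).append((datetime.fromisoformat(start), dur, dest, cfw))
    return {pbx: sorted(rows) for pbx, rows in by_pbx.items()}


def detect(cdrs, window=timedelta(hours=1), accum_threshold_s=5 * 3600,
           series_min=5, tolerance_s=30):
    """Return {pbx_id: set of triggered controls} for every PBX that raised an alert."""
    alerts = {}
    for pbx, rows in group_by_pbx(cdrs).items():
        found = set()
        # Control 1: call forwarding (CFW) to a hot-listed PRS/IRSF range.
        if any(cfw and dest.startswith(HOT_LIST_PREFIXES) for _, _, dest, cfw in rows):
            found.add("cfw_to_hotlist")
        # Control 2: accumulated talk time of calls starting inside any sliding window
        # exceeds the threshold (the deck's "5 hours in 1 hour"), i.e. overlapping calls.
        for i, (t0, _, _, _) in enumerate(rows):
            if sum(d for t, d, _, _ in rows[i:] if t - t0 <= window) > accum_threshold_s:
                found.add("accumulation")
                break
        # Control 3: a run of consecutive calls with near-identical duration (auto-dialer).
        run = 1
        for prev, cur in zip(rows, rows[1:]):
            run = run + 1 if abs(cur[1] - prev[1]) <= tolerance_s else 1
            if run >= series_min:
                found.add("similar_duration_series")
                break
        if found:
            alerts[pbx] = found
    return alerts
```

Thresholds are deliberately parameters: the deck's last slide notes that they must be tuned and destinations updated constantly.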
  14. Observations
      - Modus operandi: “attack” CFW hacking
      - Manipulation of a number/originating number for disguise
      - Repeated attempts to forward calls straight after the option is blocked
      - Significant volumes of calls: such acts are not designed for “small change”
      - Dominant motivation for hacking is inflation of PRS traffic
  15. Detecting via Optional Number (CFW)
  16. Scanning via Test Numbers for Open Ports
  17. From Reaction to Prevention
      - Core of the attack lies in CFW to international traffic
      - Action taken:
        - Process of CFW INTL deletion at provisioning level
        - Request for cancellation of the feature for existing and new customers
        - Response for exceptions
      - Hacker tries any means to disguise his/her identity, carrier, destinations and optional number; quick analysis and response are therefore key!
      - ALL calls to known test numbers are being monitored and analyzed
      - Restriction of accumulated simultaneous traffic over the PBX
  18. CFW Provisioning by Hacker
  19. Lessons Learned
      - Maximum visibility of customer details is a must
      - Old methods of simply calling PBX extensions are gone…
      - Controls must be updated constantly
        - Thresholds to be tuned
        - Destinations to be changed
      - SS7 info provides flexible switching info that might be key
      - Real-time alerting via email/SMS can prevent large-scale financial impacts
      - Cross-company cooperation is essential for profound investigations and a deeper understanding of the phenomena
  20. THANK YOU! www.cvidya.com