PBX fraud is still ranked as a top emerging fraud method globally and is a major concern for every telecom operator. At the last CFCA Educational Event in Seattle, Mr. Tal Eisner, cVidya's Senior Director Product Strategy, presented a case study on the topic of "Hacking PBXs for international revenue share fraud".
2. Content
The PBX hacking challenge: questions to be asked, answers to be given
Case study from a European operator
– What happened?
– How was it detected?
– Action items and measures taken
Lessons learned
4. PBX Hacking
Global annual damages of over $4B
Reported incidents have increased dramatically since the introduction and penetration of IP-based PBXs
The mode of operation has become sophisticated and professional
IP-based PBX security layers are relatively thin and vulnerable
The consequences of hacking are extensive and their financial implications must be addressed
5. Frequently Asked Questions
Who is liable for the calls?
What is the incentive to commit PBX hacking?
How does such hacking take place?
How is a PBX accessed?
What protective measures can be taken against such hacking?
What kind of preventive measures can be taken?
6. Case Study
Tier 2 operator in Europe detects an organized, sophisticated hacking scheme
7. Case Study
The FMS (fraud management system) started alerting on high volumes of calls within short time periods to hot-listed risky ranges
Primary investigation concluded the following:
– Calls had long duration
– All destinations were PRS/IRSF (premium-rate service / international revenue share fraud) numbers
– Abnormal accumulated volumes in overlapping time frames (e.g., a total of 5 hours of calls within a 45-minute time frame)
– All CDRs had CFW (call forwarding) indicators, and optional numbers were present
9. Mode of Operation
Calls come in over IP and port scanning takes place
Hackers seek an "open port" to use as an international gateway
To check whether the gate is "open", hackers use test numbers to make sure the line has international access
Known test numbers circulate as hot lists in the hacker community
Once an open gate is established and verified, an immediate surge of calls follows
Calls are forwarded from the PBX extension to PRS numbers
ALL calls are transferred to PRS destinations
13. Detection Process
Controls on:
– Calls forwarded to international destinations
– Calls by optional numbers to known risky/PRS ranges
– Aggregation of calls to international destinations (mainly PRS)
– Accumulation of calls within a short time frame (e.g., 5 hours of calls in 1 hour)
– Detection of series of calls with similar duration (indication of an automatic dialer)
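The following is an added example, not code from the deck, from cVidya or from the operator in the case study. It implements the controls listed above, plus the watch on known hacker test numbers mentioned later in the deck, as checks over a small constructed batch of CDRs. The CDR field layout, the home country code, the hot-list prefixes (a fictitious +999 range), the test number, the thresholds and the sample records are all assumptions made for the example; an operator would replace them with its own FMS configuration.

```python
"""Fraud-control checks over a CDR batch, modelled on the 'Detection
Process' slide. Added example; not cVidya's or the operator's code.
All field names, prefixes, numbers and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_CC = "+31"                               # assumed home country code
HOT_LIST_PREFIXES = ("+99910", "+99920")      # constructed risky/PRS ranges
TEST_NUMBERS = {"+9991012345"}                # constructed hacker test number
WINDOW = timedelta(hours=1)                   # accumulation window
ACCUM_THRESHOLD = 5 * 3600                    # "5 hours in 1 hour", seconds
DIALER_RUN = 4                                # consecutive near-equal durations
DIALER_TOLERANCE = 5                          # seconds

# Constructed CDRs: start;pbx;called;duration_s;cfw;optional (forward-to number)
SAMPLE_CDRS = [
    "2024-01-15T02:00:00;pbx-A;+31201234567;12;1;+9991012345",   # probe call
    "2024-01-15T02:05:00;pbx-A;+31201234567;2700;1;+9991055501",
    "2024-01-15T02:10:00;pbx-A;+31201234567;2700;1;+9991055502",
    "2024-01-15T02:15:00;pbx-A;+31201234567;2700;1;+9991055503",
    "2024-01-15T02:20:00;pbx-A;+31201234567;2700;1;+9991055504",
    "2024-01-15T02:25:00;pbx-A;+31201234567;2700;1;+9991055505",
    "2024-01-15T02:30:00;pbx-A;+31201234567;2700;1;+9991055506",
    "2024-01-15T02:35:00;pbx-A;+31201234567;2700;1;+9991055507",
    "2024-01-15T09:15:00;pbx-B;+31201230000;120;0;",             # benign
]


def parse_cdrs(lines):
    """Parse the assumed 'start;pbx;called;duration;cfw;optional' layout."""
    cdrs = []
    for line in lines:
        start, pbx, called, dur, cfw, opt = line.split(";")
        cdrs.append({"start": datetime.fromisoformat(start), "pbx": pbx,
                     "called": called, "dur": int(dur), "cfw": cfw == "1",
                     "optional": opt or None})
    return sorted(cdrs, key=lambda c: c["start"])


def is_international(number):
    return number.startswith("+") and not number.startswith(HOME_CC)


def accumulation_alerts(pbx, calls):
    """Sum talk time of calls *starting* inside any 1-hour sliding window.
    Overlapping forwarded calls are how 5 hours of traffic fit in 1 hour."""
    for i, anchor in enumerate(calls):
        total = sum(c["dur"] for c in calls[i:]
                    if c["start"] - anchor["start"] < WINDOW)
        if total > ACCUM_THRESHOLD:
            return [("ACCUMULATION", pbx, total)]   # one alert per PBX
    return []


def dialer_alerts(pbx, calls):
    """A run of DIALER_RUN consecutive calls with near-identical duration
    points at an automatic dialer rather than a human caller."""
    durs = [c["dur"] for c in calls]
    for i in range(len(durs) - DIALER_RUN + 1):
        run = durs[i:i + DIALER_RUN]
        if max(run) - min(run) <= DIALER_TOLERANCE:
            return [("DIALER", pbx, run)]
    return []


def check_cdrs(cdrs):
    """Per-CDR controls first, then per-PBX aggregation controls."""
    alerts = []
    per_pbx = defaultdict(list)
    for c in cdrs:
        dest = c["optional"] or c["called"]   # the forwarded leg is what pays
        if c["cfw"] and is_international(dest):
            alerts.append(("CFW_INTL", c["pbx"], dest))
        if dest.startswith(HOT_LIST_PREFIXES):
            alerts.append(("HOT_RANGE", c["pbx"], dest))
        if dest in TEST_NUMBERS:
            alerts.append(("TEST_NUMBER", c["pbx"], dest))
        per_pbx[c["pbx"]].append(c)           # stays start-sorted
    for pbx, calls in per_pbx.items():
        alerts += accumulation_alerts(pbx, calls)
        alerts += dialer_alerts(pbx, calls)
    return alerts


if __name__ == "__main__":
    for alert in check_cdrs(parse_cdrs(SAMPLE_CDRS)):
        print(alert)
```

In the constructed batch the short call to the test number is the probe described in the mode-of-operation slide; the seven 45-minute forwarded calls that follow within 35 minutes add up to more than 5 hours of PRS traffic inside one 1-hour window and trip the accumulation, dialer, CFW-international and hot-range controls at once, while the single domestic call from the second PBX raises nothing.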
14. Observations
Modus operandi: "attack", CFW, hacking
Manipulation of a number/originating number for disguise
Repeated attempts to forward calls straight after the option is blocked
Significant volumes of calls: such acts are not designed for "small change"
The dominant motivation for hacking is inflation of PRS traffic
17. From Reaction to Prevention
The core of the attack lies in CFW to international traffic
Action taken:
– Process of CFW INTL deletion at provisioning level
– Request for cancellation of the feature for existing and new customers
– Response process for exceptions
The hacker tries any means to disguise his/her identity, carrier, destinations and optional number; quick analysis and response are therefore key!
ALL calls to known test numbers are monitored and analyzed
Restriction of simultaneous accumulated traffic over a PBX
19. Lessons Learned
Maximum visibility of customer details is a must
Old methods of simply calling PBX extensions are gone...
Controls must be updated constantly
– Thresholds to be tuned
– Destinations to be changed
SS7 information provides flexible switching information that might be key
Real-time alerting via email/SMS can prevent large-scale financial impacts
Cross-company cooperation is essential for profound investigations and a deeper understanding of the phenomena