I came across this piece and wanted to share it. It had been a while since a client had called me about their phone system being hacked. Well this week alone I received two in just 72 hours. This was not a specific carrier in fact it was AT&T, Level 3 and EarthLink and phone systems were Cisco and Mitel. You see this is not a specific carrier or phone system vulnerability but rather simply hackers finding security holes regardless of carrier or phone system in the clients network security set-up.
In both cases the hacking was done during midnight and 7am hours and thousands of dollars in calls were made to overseas countries where my clients had no business in. The carriers shut services off for all international and long distance calling to protect the client but in the meantime the client had no way of reaching real client overseas – needless to say not a good situation.
Read below and don’t hesitate to reach out to us for a telecom security assessment.
Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time.
“I thought: ‘This is crazy. It must be a mistake,” Mr. Foreman said.
It wasn’t. Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives. It would have taken 34 years for the firm to run up those charges legitimately, based on its typical phone bill, according to a complaint it filed with the Federal Communications Commission.
The firm, in Norcross, Ga., was the victim of an age-old fraud that has found new life now that most corporate phone lines run over the Internet.
Who are the targets?
The swindle, which on the web is easier to pull off and more profitable, affects mostly small businesses and cost victims $4.73 billion globally last year. That is up nearly $1 billion from 2011, according to the Communications Fraud Control Association, an industry group financed by carriers and law-enforcement agencies to tackle communications fraud.
Major carriers have sophisticated fraud systems in place to catch hackers before they run up false six-figure charges, and they can afford to credit customers for millions of fraudulent charges every year. But small businesses often use local carriers, which lack such antifraud systems. And some of those carriers are leaving customers to foot the bill.
Does the law protect you?
The law is not much help, because no regulations require carriers to reimburse customers for fraud the way credit card companies must. Lawmakers have taken the issue up from time to time, but little progress has been made.
Last year, Senator Charles E. Schumer, Democrat of New York, pushed the Federal Communications Commission to adopt new regulations after dozens of small businesses around Albany were hit with the swindle. But the agency has not taken any action, and the cause appears to have petered out. Representatives for the agency and the senator’s office did not return requests for comment.
Exactly how does it work?
The scheme works this way, telecommunications fraud experts say: Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut. In the United States, premium-rate numbers are easily identified by 1-900 prefixes, and callers are informed they will be charged higher rates. But elsewhere, like in Latvia and Estonia, they can be trickier to spot. The payout to the lessees can be as high as 24 cents for every minute spent on the phone.
In 2012, hackers hijacked the phone lines at 26 small businesses around Albany and ran up phone bills as high as $200,000 per business over the course of a few days. Those businesses that contracted with major carriers received credit that covered much of the fraud, though some ended up paying a few thousand dollars. Those who had signed up with a local carrier, Tech Valley Communications, were not so lucky. Tech Valley sued three of its clients to pay huge bills, according to court filings.
Best Cleaners, a dry cleaning chain that operates in three states, was one victim. At that business, hackers placed more than 75,000 minutes of premium calls, totaling $147,000. At American Energy Care, a small consulting firm in Albany, the bill reached $200,353. A billboard advertising business in Cohoes, N.Y., was charged $18,000.
All settled their cases with Tech Valley. None would discuss the case because of the terms of the settlement, but Best Cleaners said the cost was enough to force it to cancel a planned expansion.
Industry groups are trying to tackle the problem but say it is hard to keep up with. Roberta Aronoff, the executive director of the Communications Fraud Control Association, said she routinely loads fake “hot numbers” into a fraud management system, sharing them with carriers so they can be blocked.
Catching the criminals is difficult because the crime can cross as many as three jurisdictions. In 2011, the Federal Bureau of Investigation and police in the Philippines arrested four men who used the scheme to make $2 million in fraudulent calls; revenue was directed to a Saudi Arabian militant group that United States officials believe financed the 2008 Mumbai terrorist bombings.
Foreman Seeley Fountain, the architecture firm, is disputing its $166,000 bill with its carrier, TW Telecom. The bill now includes $17,000 in late charges and termination fees.
In addition to asking the F.C.C., the firm has asked the local police, officials at the Georgia Public Service Commission, the F.B.I. and the Department of Justice for help. The F.C.C. and Justice Department declined to comment for this article, and the Georgia agency did not return requests for comment. The local police said there had been no progress in finding the hackers.
Joshua Campbell, a spokesman for the F.B.I., said the bureau was working with the industry to solve the problems but declined to discuss the specific case.
Bob Meldrum, vice president for corporate communications at TW Telecom, said Foreman Seeley Fountain should have better protected its equipment from hackers. “We had to pay for those calls,” he said. “Someone had to pay for those calls.”
Mr. Foreman said his firm didn’t even realize this was a potential risk. Not many do.
“It’s relentless,” said Jim Dalton, founder of TransNexus, which sells Internet calling management software. “If you put a computer on the Internet, it immediately starts getting probed for a weak point.”
To avoid the same fate, Mr. Dalton and other telecom experts advise people to turn off call forwarding and set up strong passwords for their voice mail systems and for placing international calls. He also said businesses needed to treat their phones as Internet-connected machines, since criminals already were doing that.
“People don’t realize their phone is a six-figure liability waiting to happen,” Mr. Dalton added.
Let the experts at nQuery Telecom review your business phone system for security breaches, contact us at firstname.lastname@example.org or 305-760-8491.