Internet phone systems become the fraudster's tool

Cybercriminals have found a new launching pad for their scams: the phone systems of small and midsized businesses across the United States.

Quiz: Separate cybersecurity fact from fiction

In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.

The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.

Hackers made headlines for breaking into phone company systems more than 20 years ago -- a practice that was known as phreaking -- but as the traditional telephone system has become integrated with the Internet, it's creating new opportunities for fraud that are only just beginning to be understood.

VoIP hacking is "a new frontier in the crossover world of telecom and cyber [crime]," said Erez Liebermann, assistant U.S. attorney for the district of New Jersey. "It is an ongoing threat and a serious threat that companies need to be worried about."

Attacks on one of the most popular VoIP systems, called Asterisk, are now "endemic," said John Todd, who works for the product's creator, Digium, as open-source community director. "It's like stealing a baseball bat to break into a car. The first step is to break into Asterisk."

Asterisk hacking began evolving from a fairly "low-level problem" into a more serious issue around September of 2008, when easy-to-use tools were first published, Todd said. "There are now people doing videos on it and there are blogs and podcasts," he said. "The information is out there."

With these tools, it can be pretty easy to hack a VoIP system by hitting the server designed to connect traffic from the office's LAN to a network provider such as AT&T, which connects the calls to the rest of the world.

The hacker tries to guess the VoIP system's passwords, making thousands of guesses. While an Internet program such as Gmail will block visitors after a handful of failed password guesses, VoIP systems are often not configured this way and will often let any computer connect to them. So hackers pound away at them, trying to guess working phone extensions. Once they find an extension, they run their dictionary attack software. If the password is easy to guess, they're in the network and can phone out for free.

That's what happened to Innovative Technologies, in Wheeling, W.Va. It was hacked in early October, apparently by Romanian cybercriminals who used its VoIP system to make telephone-based phishing calls to customers of Liberty Bank, a small regional bank with offices in California.

The IDG News Service is a Network World affiliate.