VoIP Security Alert: Hackers Start Attacking For Cash
VoIP could become the newest opportunity for cyberthieves, with the recent arrest of a Miamian only the beginning.
IP phone crooks are learning how to rake in the dough. An owner of two small Miami Voice over IP telephone companies was arrested last week and charged with making more than $1 million by breaking into third-party VoIP services and routing calls through their lines. That let him collect from customers without paying any fees to route calls.
Hacking has become a decidedly for-profit crime, with crooks intent on theft rather than disruption. Voice over IP hasn't been a big target, but only because crooks haven't figured out how to make money off breaking in.
In that sense, Edwin Pena is a pioneer if federal prosecutors' allegations are true. Edwin Pena had been making easy cash for almost 18 months and sold about 10 million minutes before law enforcement caught up with him yesterday morning, prosecutors say. The newfound magnate is alleged to have lavishly spent his takings on luxury cars, a 40-foot Sea Ray motorboat, and Miami-area real estate. Now he faces losing all that and spending up to 25 years in jail, in addition to paying $500,000 in fines.
Pena didn't carry out his plan alone, according to authorities. He paid $20,000 to Spokane, Wash., resident Robert Moore, who helped Pena scan VoIP providers for security holes with a code cracking method called brute force. They sent these companies millions of test calls, guessing at proprietary prefixes encoded on packet headers used to show that VoIP calls are legit, until the right one gave them access. The two also hacked into computers at a Rye Brook, N.Y., investment company and set up other servers to make it seem like they were sending calls from third parties through more than 15 VoIP providers.
Those companies have to pay for access to the Internet's backbone, and they found themselves with up to $300,000 in charges for access stolen through Pena's hacks, authorities say. Yet it's not only carriers that could be concerned with the type of attack Pena and Moore launched, says Seshu Madhavapeddy, CEO of VoIP security company Sipera Systems.
In general, Pena's attack was a spoofing attack, designed to let his calls masquerade as those of another carrier. Madhavapeddy says these types of attacks are relatively easy to carry out and could hit at enterprises just as easily as carriers.
One possibility is stolen access, but there are others. For example, a hacker might spoof call-forwarding features to make all calls route to him. Customers trying to reach a help line could be tricked into giving credit card information to the hacker. "People remember the 'voice' and forget the 'over IP' part," says Mark Rasch, SVP of security company Solutionary Inc. "Just like data can be rerouted without authorization, VoIP can be rerouted without authorization."
The exponential growth of VoIP can only add targets. Infonetics Research predicts spending on VoIP will jump from $1.2 billion in 2004 to more than $23 billion in 2009. Meanwhile, IP communications are inherently more complex than traditional phone calls and are getting even more so.
Emerging technologies like unified communications that include voice, video, and data in one console, intended to drive collaboration through the roof, have the potential to put more and more information at the fingertips of hackers. And just as e-mail and the Internet opens the door for vulnerabilities, these next-generation tools could allow hackers to spoof a call and send illicit information and files to end users.
For now, VoIP is a wilderness for hackers, and there have been very few publicized attacks. But security companies like Symantec predict a coming epidemic of spam over Internet telephony, so-called SPIT. They warn about phishing not unlike what companies and consumers see in e-mails. And VoIP networks are just as susceptible to crippling denial-of-service attacks as are data networks, and mass calls generated by a worm could overload networks or kill productivity with ceaseless phone calls and messages.
That's another way hackers could make money from VoIP networks. "If I can take down the enterprise network, and I'm showing you demonstrably how I can do it, I can blackmail you," Madhavapeddy says.
And this case? "These modern day cyber-thieves had hoped they had engineered a brilliant 'toll free' calling network for themselves," Newark FBI Special Agent in Charge Leslie G. Wiser Jr. said in a statement. "They hoped wrong."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.