VoIP Fraud Goes Big League

By Kelly Teal

The threat of VoIP fraud has risen in 2009 as hackers break into business and government IP systems to scam people out of their money or to try to bring down critical operations. And VoIP fraud has become an international security issue: when a group of conspirators was arrested last summer for stealing minutes from phone companies worldwide, authorities in Italy said the illegal profits paid for terrorist activities, according to The Wall Street Journal.

Experts at the SysAdmin, Audit, Network, Security Institute, or SANS, say VoIP security attacks are increasing, although they don’t provide statistics in their latest report, published in September. They do note, however, that the “number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first.”

VoIP fraud has also become big business: Last month the FBI finally got permission to extradite indicted VoIP fraudster Edwin Pena from Mexico to the U.S. for trial. Pena was arrested in June 2006 for a VoIP fraud scam that netted him almost $1 million, but he fled the country about three months later.

Finance companies, utility and telecom providers, and government and defense agencies bear the brunt of the attacks, the authors of the SANS Institute report said.

VoIP security fraud is growing in line with demand for VoIP services. For the first half of 2009, the worldwide VoIP services market was projected to reach $20.7 billion, according to Infonetics Research. That growth is welcome in a tough economy, but it also incurs new types of risk.

Two new types of fraud arose this year, said Michael McAndrews in a recent Webinar hosted by open-source developer Asterisk. McAndrews works as a special agent in the cybersquad division for the Federal Bureau of Investigation in Oklahoma.

The first compromises a VoIP server to allow outbound phone calls at the owner’s expense. Hackers invade the platform by finding vulnerabilities such as weak passwords and system definitions that govern who can make phone calls. The primary purpose, of course, is to make free calls.

The second new type uses VoIP systems to launch “vishing” scams. Vishing takes advantage of VoIP features such as auto-attendant to gain access to private personal and financial information. It’s the same basic idea as phishing: the person or business contacting the public attempts to appear legitimate.

McAndrews explained that hackers manipulate the VoIP system to reflect the local area code, although the call does not have to terminate locally. The scam is launched via an e-mail or text message asking the recipient to call the number provided because the person’s bank account, for example, has been compromised. The person then calls and is asked to enter information into the automated system hosted by the VoIP platform.

“People trust automated systems more than they trust people,” McAndrews said. “It’s odd.”

The full, in-depth article appears at our sister publication, VON.
