It’s not exactly a message of festive goodwill but Fortify Software’s warning about the threat of fraudulent international VoIP calls is no doubt well intended.
Citing a recent case where a hacker ran up a USD $52,000 phone bill, the application vulnerability specialist said it was a timely warning to all organisations to protect their PBX IT resources.
According to Robert Rachwald, Fortify’s director of product marketing, this time of year is one of the busiest periods for phone companies on the international call front, with the result that international call resale fraud is also at its highest.
The fact that HUB Computer Systems in the US was hit by a phone bill for USD $52,359.59 in calls to Bulgaria, he said, illustrates the demand for fraudulent international calls.
Once a hacker has reprogrammed a company PBX to allow free dial-through international calls, one or more people act as human operators, accepting payments – always in cash – and then allowing callers to place international calls to their chosen destination at a heavy discount.
"The advent of IP-enabled PBXs, and the facility of remotely-programmable conventional PBX systems, means that hackers can – with sufficient time and access – rack up large phone bills on the unfortunate victim’s account," said Rachwald.
"And with the holiday shutdown looming, this is the perfect time for hackers with time on their hands to crack a firm’s PBX and engage in more than a little phone call resale fraud."
Rachwald said the modus operandi was always the same – the hackers stand at known meeting and gathering points for international visitors in a given city and then announce they are offering calls home, typically via prepay mobile phones, for a fraction of the normal costs.
"After that, they simply rake the money in – probably around USD $5,000 to $10,000 in the case of the HUB Computer Systems telephone hack," he said.
Rachwald warned IT staff to take extra care over the holiday shutdown to protect their company PBXs, as well as their firm’s IT resources, shutting down systems that are unlikely to be used.
He said locking down the ability to reprogram the system remotely has to be high on any holiday-period checklist.