TOLL FRAUD AND SERVICE ABUSE - APPLICATION ATTACKS - Praise for Hacking Exposed: Unified communications & VoIP Security Secrets & Solutions, Second Edition (2014)

Praise for Hacking Exposed: Unified communications & VoIP Security Secrets & Solutions, Second Edition (2014)


Case Study: A Real-World Telephony Denial of Service (TDoS) Attack

The primary threats affecting enterprises are at the application level, coming from and carried over the public voice network. These threats include calling number spoofing, toll fraud, and harassing calls as well as telephony denial of service (TDoS), voice SPAM, and social engineering/voice phishing. These threats all are common because there are clear financial and disruption incentives behind them, and they can be safely launched from the public network, whereas most of the attacks covered in the rest of this book must be launched from within the enterprise. This case study covers a real-world TDoS attack seen in 2013.

The Payday Loan Scam

A payday loan is a small, short-term, unsecured loan. These loans are generally cash advances, with very high interest rates. These types of loans are available from many sources that prey on individuals who desperately or foolishly need the cash. Payday loans commonly involve very aggressive repayment and collection methods.

In 2013, we saw the “payday loan scam” that used extortion and TDoS attacks to coerce payments from victims. It started with the attackers obtaining a list of “payday” loan targets. This list included the name and phone numbers. Which company this list came from is unknown, but that really does not matter. The basic idea, though, was to select a list of target victims who would likely respond in a desirable way to the extortion threat. During 2013, there were many reports about this attack and bulletins issued by various parts of the government, including the Department of Homeland Security (see the list of bulletins about the TDoS attacks at The first public mention of this “payday loan scam” was by the FBI in June of 2013. (See “Twist in Payday Loan Phone Scams Affects Emergency Services” at

The attack proceeded with an actual person calling each number, saying that someone at the number had not paid their payday loan, that they owed some amount of money, ranging from $800 to $5000, and that if they did not pay up, they would be bombarded with a flood of calls—a TDoS attack. During 2013, this scam affected many enterprises and individuals. It even affected some public safety access points (PSAPs), which are the administrative part of a 911 center. It also affected emergency rooms and intensive care units (ICUs) at hospitals. At the time of this writing, it was not known if the calls to the PSAPs, ICUs, and emergency rooms were just dumb luck, where the numbers were on the list, or if the attackers expanded their attack to include numbers of targets that would, in their mind, be likely to pay up. Certainly it makes sense that the greater the criticality of the voice service, the greater the impact, and arguably the greater the chance that someone would pay up to stop the attacks.

These TDoS attacks did occur and affected many enterprises (and individuals). Reports vary as to whether the calling number was the same for all calls or changed for each call. Some calling numbers were spoofed to look like law enforcement, because the attacker threatened the victim with legal action. Some victims report that if they answered the calls, they were connected to an abusive individual who harassed them and continued to extort them for the payment. Reports were that the callers had “Indian” accents.

One would wonder, is anyone foolish enough to pay the extortion? Payment would not guarantee that the attack would stop; in fact, the attacks actually continued, because the attacker had found a target foolish enough to pay. Payment, though, is reasonable, considering the impact of having one or more business lines totally tied up with TDoS calls, preventing legitimate customers and users from calling in. At the time of this writing, some $4,000,000 total had been paid out to the attackers. In fact, one individual had made multiple payments to the tune of $60,000!

This attack is particularly nasty, because whereas most DoS attacks are designed purely for disruption, this attack leveraged the disruption with an extortion threat. If you don’t pay up, you won’t be able to get any calls. The attack so far has been successful, so it will likely continue, unless the attackers wise up and take their money and run. What is concerning is that because the attack has been successful, it is likely that it will continue, start again from a new location, or be copied by other attackers.

Technically, this type of attack could be done against governments, enterprises, contact centers, and even actual 911 emergency lines. However, a wise target would simply ride out the attack, because it would certainly stop at some point. After all, attackers only have so many resources, and we are sure they would prefer to direct their TDoS calls at targets likely to pay. Also, a sustained attack, especially if clear it’s part of a larger attack, would get law enforcement and service provider attention, and would eventually be traced back to the source. So these attacks will certainly continue, but will probably be directed only at targets viewed as likely to pay.

If you are a victim of this type of attack, contact law enforcement and your service provider, consider deployment of application security technology to mitigate the attack, and most importantly, don’t pay up. Otherwise, you will just end up on the list forever.


What the heck? My phone bill this month is $250,000! For some reason we made thousands of calls to parts of Africa. Hopefully my service provider won’t really charge me for these calls.

—A VoIP/UC manager at a small company

Toll fraud and long-distance abuse are still the most significant and prevalent UC issues facing enterprises. Whereas a massive TDoS attack or significant financial fraud in a contact center might rival it for some enterprises, toll fraud remains the largest threat affecting the most enterprises—and no enterprise is immune. Toll fraud is especially troublesome for smaller enterprises, which have enough capacity to amass a significant amount of fraud, but often don’t have the necessary time and expertise to secure their UC systems.

The reason toll fraud is so common is that significant financial incentive is behind it. Enterprise users can inflate enterprise UC usage bills, and attackers can make money selling and abusing the long-distance capabilities of the enterprise. Toll fraud ranges from minor abuse by employees, which adds up over time, to organized toll fraud, where losses in excess of $100,000 are not uncommon. The Communications Fraud Control Association (CFCA) is an independent organization focused on the UC fraud issue. Although the CFCA is focused on service providers, many of the issues they track affect enterprises. The CFCA produces a fraud report every few years, and the 2011 report estimates some $40 billion a year globally for fraud.1,2 This report is free and an excellent source of information. We expect that by the time you read this book, an updated report will be available. We leave it to you, the reader, to study this report at your convenience. Here is a summary of the information in the CFCA report:

• The 2011 global fraud loss estimate is $40.1 billion (USD) annually. Approximately 1.88 percent of telecom revenues were lost.

• Of those surveyed, 98 percent said global fraud losses had increased or stayed the same—an 8-percent increase from 2008.

• Of those surveyed, 89 percent said fraud had trended up or stayed the same within their company—a 13-percent increase from 2008.

• The top five fraud types were as follows:

• Compromised PBX/voicemail systems: $4.96 billion

• Subscription/identity (ID) theft: $4.32 billion

• International Revenue Share Fraud (IRSF): $3.84 billion

• Bypass fraud: $2.88 billion

• Credit card fraud: $2.40 billion

• Most toll fraud is not reported to law enforcement.

• The United States has the most originating toll fraud.

• The top countries where fraud terminates are Cuba, Somalia, Sierra Leone, Zimbabwe, and Latvia.

The Service Provider IT Insider group within Heavy Reading produced a report titled “Bigger Than Disney: Telecom Fraud Tops $40 Billion a Year.” This report must be purchased, but the summary itself is interesting.3 It states that British Telecom (BT), one of the largest global service providers, said that toll fraud was in play in 98 percent of the data-specific attacks they see.4 This means that if your enterprise experiences attacks on the data side, it is a given that you are also experiencing some form of toll fraud on the UC side.

Remember, if you do experience toll fraud in your enterprise, it is your problem. You may be able to avoid charges for one event, but don’t count on it. The service provider, who is in the business of delivering traffic and calls, will not cover the fraud. An exception is when you have explicitly purchased fraud protection insurance from the service provider. Again, this is especially an issue for smaller enterprises and consumers, who do not have the leverage to fight with the service provider on the issue. Larger enterprises can often settle with a service provider. Keep in mind that toll fraud costs the service provider money, too, because toll calls often cross multiple service provider networks. A recent example attack involved a small real estate office that was hit with over $600,000 of toll fraud.5

Attackers have many incentives to attempt toll fraud. Toll fraud is profitable and can make a significant sum of money for the attackers. Another incentive is that toll fraud is often undetected until large amounts of money have been lost. This benefits attackers by making them hard to identify, thus minimizing their sense of risk. So, the potential to make significant profits with a low risk of getting caught increases the likelihood of such attacks against enterprises. Individuals, organized crime, and even terrorist organizations create toll fraud attacks.6,7

Some UC industry pundits predict the elimination of voice usage costs, where enterprises will only pay for bandwidth/capacity and not the cost of calls based on destination. This is the case to some degree with unlimited calling plans, usage within one service provider’s network, and, of course, over-the-top services such as Skype that use the Internet. However, it is still very expensive to dial certain destinations and countries. In fact, some destinations and premium rate numbers are specifically set up and then traffic is intentionally generated in order to create revenue. This toll fraud scenario will continue to be the case for some time. As long as it costs money to call certain countries and premium numbers, long distance abuse and toll fraud will continue to be issues.

If we were challenged to provide a list of publicized UC attacks, over half would be toll fraud, again demonstrating how common this attack is. Our blog at has a list of toll fraud articles. Here, we’ve listed a few dates, sources, victims, and amounts. Of course for every reported attack, many go unreported.


Toll fraud ranges from relatively low-cost abuse by employees, which adds up over time, to full-scale Dial-Through Fraud (DTF), involving abuse of Direct Inward Service Access (DISA), voicemail, and compromised PBX attacks, which can result in hundreds of thousands of dollars in toll fraud costs to enterprises. These are not new issues and are not unique to UC, but they are becoming easier to exploit due to the increasing complexity of UC systems. UC introduces new vectors of attack for toll fraud, making the job of the attacker easier. Forms of toll fraud such as IRSF are a growing issue, where attackers benefit from the ease with which an attacker can automatically generate calls to premium numbers. An unsecured IP PBX or separate media gateway can be used to generate these outbound calls. UC has greatly simplified the ability for attackers to set up automatic dialing, password guessing, and DTF vulnerability detection capabilities, thus making it easier and cheaper for attackers to probe for vulnerable systems.

Internal Abuse of Unmonitored Phones

Internal long distance abuse occurs when enterprise employees, contractors, cleaning crews, and other users abuse fax lines for voice and unrestricted phones, or just abuse corporate policy and use services to which they are not entitled. This abuse is relatively minor, but still costs enterprises money and, if unnoticed, can really add up over time, especially if the abuse is widespread. Figure 5-1 illustrates this type of fraud.


Figure 5-1 Internal abuse of unmonitored fax/phones

Image Fax Machines and Other Unmonitored Phones


Many phones in an enterprise will have minimal or no calling restrictions. Enterprise fax machines are an easy target. Most fax machines have no calling restrictions, because you never know who you are going to send a fax to, and no one wants a critical fax to be blocked. Some fax machines go through the IP PBX, but even then, often do not have any calling restrictions. Some fax machines completely bypass the IP PBX and have analog lines delivered directly from the service provider. These are all perfect targets for internal toll fraud. Not only do these stations nothave calling restrictions, but their calling records are not saved by the IP PBX, so unless someone is paying close attention to the phone/UC bill, the abuse may not be noticed.

Fax machines still use analog lines for communication to the IP PBX or service provider. To take advantage of this, all the attacker needs to do is disconnect the analog line (an RJ-11 cable, shown in Figure 5-2) and plug it into any analog phone, which you can probably find in the enterprise, have at home, or can buy for $20. This is pretty foolproof, because a typical analog phone will have a single slot/adaptor to plug into. Once you plug in, you should have a dial tone within a second or two. Once the phone is connected, you can call just about anywhere, for as long as you want. Because the fax machine line may not go through the IP PBX, you can safely make long distance and international calls that aren’t likely to be detected until the bill arrives at the end of the month. Even if the fax machine line does go through the IP PBX, there probably aren’t any limits on the destination number or duration of the call. IP PBXs do not differentiate fax from voice, so they also will not be able to detect a voice call versus a fax call.


Figure 5-2 An RJ-11 cable

An enterprise will also often have many other phones with minimal restrictions. There is a pretty good chance that executive phones, sales phones, telemarketer phones, and other employee stations that must make long distance calls are not restricted. Another good candidate for minimal restrictions is conference rooms, especially the phones associated with video systems. No one wants an executive to try to make a call with a video system and have it blocked due to call restrictions. The fancy speaker phones (we call them “spider phones”) in conference rooms cost a bit of money, so some enterprises may keep them around for a while and still use analog lines that bypass the IP PBX. If the connector that plugs into the conference phone is an RJ-11, there is a decent chance it bypasses the IP PBX. Even conference phones that do use VoIP and are connected to the IP PBX still may not have call restrictions. An image of a conference phone is provided in Figure 5-3.


Figure 5-3 Conference phone

The bottom line is that in any reasonably large office environment, it is very easy to find a fax machine, conference phone, or other phone that will allow you to make unmonitored long distance and international calls.

Image Fax Machines and Other Unmonitored Phones Countermeasures

Ideally all fax machines and phones will run through the IP PBX, which can provide calling restrictions. Also, records of calls can be kept in call detail reporting (CDR), which can be periodically reviewed. All IP PBXs, as well as legacy TDM PBXs, offer CDR collection and reporting. Some enterprises implement CDR through third-party packages, but the majority of enterprises, large and small, have some sort of CDR collection and reporting. It is highly recommended that reporting of some kind be in place for long distance and international calling. Here are a few reports you can run:

• Average daily long distance and international

• After-hours long distance and international (evenings and weekends)

• Excessively long duration calls

• Summary of all international destinations

There are other ways to do this, but you get the idea. The key is to define reports and exceptions that can be reviewed to detect malicious activity. Ideally, reports can be defined and “pushed” to administrators or managers, who can review them for exceptions. The more frequently this can be done, the better. If you wait until the end of the month, you could get a very nasty surprise.

Another good countermeasure is class restrictions, which prevent one or more phones from calling long distance or international destinations. In a typical enterprise, the majority of phones have no business calling long distance, let alone international destinations. And don’t forget, you should also limit phones in public areas of an enterprise, such as lobbies and break rooms, from making any outbound calls.

Class restrictions can be defined and applied to many phones. Other phones and fax machines that do need to make long distance and possibly international calls can have class restrictions that allow this. This can get a little tricky when certain phones and fax machines are allowed to call certain areas or countries, but not others. This means a malicious user, if they identify such a phone, can make as many calls as they want to these countries. In this case, calls must be allowed, but a means of monitoring the number, duration, and cost of the calls must be implemented.

A number of companies provide toll fraud mitigation applications and services. These systems have a variety of capabilities to detect the sort of abuse we describe in this section. In general, these applications monitor outbound traffic and detect abusive calls and patterns in real time or near real time. We won’t go through these applications in detail in this book. For the sake of full disclosure, one of the authors of this book works for SecureLogix, which provides UC application security products that can monitor for toll fraud. We will simply state here that products are available, including those from SecureLogix, that provide granular real-time analysis and reporting for detecting and mitigating the sorts of issues described in this section.

Image Finding PIN Codes


Modern IP PBXs, including older TDM PBXs, provide a feature used to control access to outbound calling, such as authorization or PIN codes. The idea here is that before an enterprise user can make a long distance or international call, they must enter a PIN code. How these codes are used will differ from enterprise to enterprise. One model has codes set up for both overhead and projects. The idea is that any long distance call should be charged to the appropriate project, so it can be tracked and billed. The codes can have multiple parts, such as a business unit, followed by a subunit, followed by a project. There are many ways to set up and use these codes. This is common in service organizations such as law firms. This is just one example; a code or set of codes could be provided to business units, executives, sales, specific projects, and so on.

The use of PIN codes is a great idea. The challenge is that PIN codes, or at least the manner in which they are used, can become widely known. The codes for a business unit, group, new project, and so on, are generally known or can be guessed. As with any PIN or password, the codes are probably not changed often enough. An abuser simply needs to pay attention and check out a few cubicles for notes to find the codes. Using a little trial and error is also possible and is very unlikely to be detected.

Once you know a PIN, using it is simple. When you attempt to make an outbound long distance or international call, the IP PBX will expect you to enter the PIN before the actual number. If you enter a valid PIN, followed by the destination number, you will be allowed to make the call. As with other internal abuse of long distance and international services, this type of abuse is often not detected, and even if it is, detection won’t occur quickly.

Image Finding PIN Codes Countermeasures

The best countermeasure here is user education. Strongly encourage users to keep the PIN codes private. Also it is a good idea to change the codes frequently, but this can be quite difficult. Often there is a known pattern, and codes can be easily guessed based on a little information. For information on how to set up PIN codes on Cisco systems, see their solution titled “Client Matter Codes and Forced Authorization Codes.”8

Use of CDR is very important. Reports can be generated for very long calls, calls to international numbers, and above-average use of specific PIN codes. The codes often provide a way of charging calls to a specific business unit, which should use CDR reports to make sure malicious users are not abusing others’ codes.

As described in the previous section, a number of companies provide toll-fraud-mitigation applications and services. These systems can also provide real-time monitoring and reporting based on PIN code usage.

Image Manually Getting Transferred to an Outside Line


Everyone who has made an outbound call from an enterprise phone is familiar with having to dial 9 or 8 to get an outside line. External attackers can take advantage of this by social engineering attendants and employees. The attacker can call in, speak to an attendant, and say something like, “Please transfer me to extension 90xx.” When the attendant does the transfer, the “9” grabs an outside line and an operator in the service provider network. At this point, the attacker will have access to the operator and can complete the call to any destination they want. Because the call originates from the target enterprise, the enterprise will be billed for the call.

Image Manually Getting Transferred to an Outside Line Countermeasures

The best countermeasure here is education. Make sure attendants and assistants know not to transfer calls starting with 9 or 8. Also, make sure attendants know to listen to the start of a transferred call, to be sure it is to a legitimate user and not an operator.

Use of CDR is very important. Typical CDR reports for this type of attack will show two calls: one for the inbound call and one for the outbound call. The same reports monitoring for long distance and international calls can be used.

As described previously, a number of companies provide toll-fraud-mitigation applications and services. These systems can also provide real-time monitoring and reporting, including detection of a second dial tone for a “single” call.

Full-Scale Toll Fraud

All the issues discussed so far can cost enterprises a noticeable amount of money, but fortunately do not scale well in terms of involving a lot of fraudulent calls. Although they can be a chronic problem that adds up in cost over time, they don’t involve automation or thousands of calls. Now we’ll discuss some issues that scale and/or are automated and can cost the enterprise significant money.

Image Dial-Through Fraud


The biggest issue affecting enterprises in terms of toll fraud is the ability for an outside caller to obtain outbound access, sometimes referred to as a “second dial tone,” without any operator or attendant intervention. The basic idea is the attacker then makes a manual or automated inbound call and then hair-pins outbound to the international number. This is similar in concept to tricking an attendant into providing an outside line or getting a transfer, but worse because it doesn’t require an operator or actual person and can be abused by many more people dialing into the enterprise. In fact, once an attacker discovers such access, they can sell the information to as many people as they can. Imagine the attacker selling this information to hundreds of people, who use the service to call friends or relatives in foreign countries. The attacker can also organize many users to use the service to make calls to premium numbers, to drive traffic and share in the revenue.

The service that is typically abused for this type of attack is Direct Inward System Access (DISA). DISA allows an external user to make an inbound call and gain access to UC services. This may include access to the IP PBX, voicemail, or an outbound dial tone. Access to these services, especially the outbound dial tone, is typically protected with a PIN/password, but even if that is the case, these defenses are often weak and not changed very often. Note that this feature was quite important years ago for traveling users, who could call into the IP PBX, check their voicemail, and then make outbound calls using the enterprise’s lower-cost long distance plan. With much cheaper unlimited cellular plans, the need to enable DISA services and outbound dialing is much lower.

The DISA attack is also referred to as Dial-Through Fraud (DTF), because the attacker dials through the IP PBX to gain outside dial tone access to make long distance or international calls. Attackers identify this service and password through automated testing made easier by UC, social engineering, or an insider. Once access is found, access/passwords are provided to users, who abuse the enterprise service until the attack is detected. Attacks occur as wide-scale reselling of low-cost long distance and international calling on the streets of large cities. Attackers make the calls with disposable cell phones to mask the call origin and receive cash from the users on the street, making these calls very difficult to trace. Attacks can go on for weeks, until the enterprise reviews CDR or receives a bill from the service provider. According to the CFCA, DTF and compromised PBXs cost enterprises almost $5 billion a year. Figure 5-4 illustrates this attack.


Figure 5-4 Dial-Through Fraud (DTF)

Another motive for DTF is to generate traffic to IRSF numbers. Attackers will set up an IRSF number or otherwise arrange to share in the revenue for traffic generated to that number. The attacker will organize many users to dial into the compromised enterprise and then dial out to the IRSF number. As you will see later in this chapter, there are some even more effective ways of generating IRSF traffic.

You may hear of attacks where the attacker has compromised the IP PBX. Most often, the goal of compromising a PBX is to enable DISA and outbound dialing for the purpose of DTF. Attackers will attempt to directly compromise the IP PBX by logging in and gaining administrative access. We will cover this in more detail in later chapters covering specific platforms. Although attackers have other motives for compromising the IP PBX, DTF is by far the most common, because of the potential revenue involved.

The targeted enterprise does not have to have a large number of outbound trunks. A single ISDN PRI or low-end SIP trunk (with, say, 23–25 channels/sessions) can generate a large amount of fraud. Assuming 24 channels, with calls costing $1 per minute (which is low), times 60 minutes, times 8 hours of nighttime dialing, the charges would equal approximately $10,000. If an attack like this continued for a month, including weekends, a bill of over $100,000 could easily be generated.

A DISA or dial-through feature on Cisco systems is referred to as “two-stage dialing” and is described in the Cisco Unified Communications Manager Features and Services Guide. With two-stage dialing, the user can originate calls from the remote destination phone through the enterprise by leveraging the enterprise telephony infrastructure. Two-stage dialing provides the following benefits:

• The ability to make calls through the enterprise, which leads to centralized billing and call detail records. This ability provides the potential for cost savings by ensuring that international calls get billed to the enterprise rather than to the mobile or cellular plan. However, this capability does not eliminate normal perminute local/long distance charges at the mobile phone.

• The ability to mask the mobile phone number from the far-end or dialed phone. Instead of sending the mobile number to the called party, the user enterprise number gets sent to the called party during a two-stage dialed call. This method effectively masks the user mobile number and ensures that returned calls get anchored in the enterprise.9

ImageTwo-stage dialing is not enabled by default on the Cisco Unified Communications Manager (CUCM) and requires multiple lengthy processes to enable it. Because the effort required to enable two-stage dialing is not trivial, it ensures the service will likely never be enabled by mistake. Two-stage dialing is a component of Enterprise Feature Access of Cisco Unified Mobility. This means that the Cisco Mobility feature must be configured on the CUCM before two-stage dialing. We include detailed instructions on how to enable two-stage dialing on our

Image Dial-Through Fraud Countermeasures

DISA was designed to enable traveling enterprise users to dial in, check voicemail, or do other tasks, and have a way to make long distance calls on the enterprise’s long distance plan rather than their own. With low-cost cellular plans, this feature just isn’t needed like it once was, so there is often little business reason to enable it. There should be an exceptional business case for turning on this service because it is so potentially dangerous.

As described by Cisco, enabling DISA and dial-through is difficult, so it should be rare that these are enabled by accident. See “How to Prevent Toll Fraud on Cisco Gateways”10 and “Manipulating PINs to Abuse Cisco Voicemail”11 for more information on configuring Cisco systems. For Cisco or any IP PBX, if you must enable DISA, it is essential that the password used to provide access is as strong and long as possible, and only given to users with a business need to use the service. The password should be changed periodically, at least quarterly. Although it is always a good idea to monitor CDR for long distance and international calling, it is absolutely essential to do so when DISA is provided. Reports for overall long distance and international calls should be monitored at least daily.

As described previously, a number of companies, including SecureLogix, provide toll fraud-mitigation applications and services. The good news is that attackers performing DTF are normally greedy, and the spike in traffic is easily detected and mitigated by applications that monitor outbound traffic in real time.

Image Automated International Revenue Sharing Fraud


International Revenue Sharing Fraud (IRSF) is a variant of DTF that occurs when an attacker sets up premium rate services and numbers and then creates traffic from enterprises to generate revenue. Premium Rate Services (PRSs) are similar, but involve domestic long distance. According to the CFCA, IRSF is second only to DTF, accounting for almost $4 billion in losses a year.

A typical scenario involves the attacker first obtaining a set of IRSF telephone numbers. These numbers are designed to allow callers to access some form of value-added information or entertainment service. The service is paid for by directly billing the calling party and is similar to 900 numbers in the U.S. As an international scam, calls to these IRSF numbers carry tariff rates much higher than normal traffic to that same country. The revenue generated by IRSF numbers is shared by those involved. This includes the value-added service provider, the international carrier, and, because this is a scam, a third party, which in this case is the attacker. Attackers artificially generate a large number of calls to the IRSF numbers for the express purpose of increasing total fraud revenue, which can net from 30 to 80 percent of the tariff. Enterprises are most at risk when a compromised PBX is exploited and used for DTF. The attacker can then organize many individual users to call in and hair-pin the calls out to the IRSF numbers or, worse yet, automatically generate inbound calls that, in turn, hair-pin out. This has become the toll fraud attack of choice—compromise the IP PBX and then use automated inbound call generation to create the enterprise calls to the IRSF numbers. Attackers search for new, poorly configured IP PBXs, often with default passwords; identify a means to hair-pin out to IRSF numbers; and use automated inbound call generation to create the traffic. As we will describe in detail in Chapters 7, 8, and 9, free IP-PBX software such as Asterisk, call generators, and SIP trunks have made it easy to execute this attack. We cover automated inbound call generation in detail in these chapters. Figure 5-5 illustrates this attack.


Figure 5-5 International Revenue Share Fraud (IRSF)—hair-pinned calls


Some may prefer to refer to this attack as call pumping, which we cover in detail in Chapter 7.

We differentiate the attacks based on who gets billed. For automated IRSF attacks, the caller, in this case the compromised enterprise, gets billed. For call pumping, the destination number is usually a legitimate 1-800 number, so the callee or called party is billed.

Another form of attack occurs when malware running in the enterprise is used to generate hundreds or thousands of calls to the IRSF numbers, leaving the enterprise with a huge international phone bill. This attack can only be executed if the attacker has internal network access to the UC system. Figure 5-6 illustrates this type of attack.


Figure 5-6 International Revenue Share Fraud (IRSF)—internal call generator

UC architectures can make IRSF attacks possible and easier. In an example we are directly familiar with, a small organization noticed a sudden and unexpectedly huge increase in international calls to Cuba, which added up to over $250,000 during the month of the attack. This organization had a Cisco UC network. The Cisco Integrated Services Router (ISR) was configured in a default state, which allowed internal H.323 calls from any IP address. Calls should normally only be accepted from the IP PBX, which, in this case, was the Cisco Unified Communications Manager (CUCM). The attacker ran a call generator, which made H.323 calls to the router, which, in turn, converted them into international calls over legacy PRI TDM trunks. Since the calls did not originate with the CUCM, there was no CDR. Small enterprises should be especially wary because they often deploy UC systems in a default state and do not have the expertise to configure them in a secure manner. Note that this issue is easy to fix in the router, and newer versions of Cisco software prevent this issue by default.

To execute this type of attack, one of the first things you need to do is to make sure the ISR is actually listening on port 1720, which is the port H.323 uses for call setup. You can easily determine if the port is open by performing an Nmap scan of the ISR. If you don’t have the results from a previous scan available, you can scan for systems listening on TCP port 1720. The following command, for example, scans an entire class C subnet:


We can perform this scan on our test network for the systems listening on port 1720, as seen here:


Notice that we found our ISR has port 1720 open. Now that we know the ISR is listening on the H.323 port, we need to find a softphone client that uses H.323 to see if we can connect to the ISR and place calls.

Many softphone clients are available with wide ranges of features. One of the clients we have been using with good results is MiaPhone ( MiaPhone has SIP and H.323 clients that can be used on Windows systems. SJphone ( is another popular softphone client. It was developed by SJ Labs and has versions for Windows, Linux, and Mac. Ekiga ( is an open source softphone that got its start as GnomeMeeting and can now be used on both Windows and Linux systems. What softphone client you use doesn’t really matter as long as it uses H.323 for signaling and is configurable.

After you have downloaded and installed the client of your hacking system, you need to configure the H.323 client to connect to the ISR, which is usually as simple as accessing the settings, entering the IP address of the gateway into the softphone, and clicking Apply, as shown in Figure 5-7 demonstrated on the MiaPhone client.


Figure 5-7 Configuring the MiaPhone softphone to connect to the ISR

When the softphone is configured, you can attempt to place some calls. You will probably want to try several different combinations of numbers to see what will work and what won’t, such as dialing just a four-digit extension, dialing a seven-digit number, dialing eight digits (which includes the number for an outside line, such as 9 or 8), dialing ten digits to include the area code, and dialing eleven digits to include the full number with area code and the number for an outside line, as shown in Figure 5-8, just to name a few of the possible combinations.


Figure 5-8 Testing the different calling combinations using MiaPhone

While you are testing to see if you can place calls out of the ISR, you will also want Wireshark running to observe the messaging between your softphone and the gateway. Being able to observe the communications between these systems while making test calls will help fine-tune the attack to ensure you can use the gateway for sending calls. While testing, you should be able to see the H.225 setup, the H.225 call proceeding, and the H.225 connect messages if you’re successful. If you are not successful in placing calls out of your gateway, you will see the “release complete” messages from the gateway to the client. These messages may provide more information about why the call is not completing, thus allowing you to make changes to tweak your attack. Once you have determined how to connect to the ISR and make calls, you can use a call generator for the actual attack. Tools such as the H.323 call generator ( can be used for this function.


We use the ISR and H.323 as a specific example based on a real-world attack, but the same attack can be more easily performed on any call control system, ISR, IP PBX, and so on, that can place calls and use SIP. We covered scanning and enumerating SIP services in Chapters 3 and 4. Once a suitable target is found, you simply need to generate calls to it. We cover SIP-based call generation in Chapters 7, 8, 9, and 14 (where we cover SIP flooding).

Image IRSF Abuse Countermeasures

The current best practice for combating IRSF includes blocking calls to known IRSF countries and specific telephone numbers within those countries. The current CFCA list of IRSF numbers contains over 61,000 discrete numbers worldwide (up over 50 percent from the previous year).

For Cisco, the most recent ISRs are configured by default to prevent connections from any IP other than CUCM. Older versions allow other connections, so if you are not using the latest software, make sure to limit connections to CUCM.

Again, it is always a good idea to monitor CDR for long distance and international calling.

As described previously, a number of companies, including SecureLogix, provide toll-fraud-mitigation applications and services. The good news is that attackers using IRSF are normally greedy, and the spike in traffic is easily detected and mitigated by applications that monitor outbound traffic in real time.

Image Wangiri


Related to IRSF is Wangiri, which is Japanese for “one ring (and cut).” This, in essence, is a combination fraud and voice phishing attack, where the attacker sets up an IRSF number and then generates calls to unsuspecting users. The call rings once on the victim’s phone, but is then cut off. Users who receive these calls are often tricked into calling back or pressing their redial button, thinking that the calls were cut off in error. When a user is indeed tricked into calling back, the enterprise will incur the charge of connecting to the PRS or IRSF number. Figure 5-9 illustrates this attack.


Figure 5-9 Wangiri fraud

The inbound Wangiri calls may be generated manually or, more likely, automatically. Wangiri has the potential to generate quite a bit of toll fraud, especially if many inbound calls are made. Fortunately this attack depends on the gullibility of the target users to call the number back, and even when they do, they normally won’t stay on the call too long. We cover techniques for automated generation of inbound calls in Chapters 7, 8, and 9.

Image Wangiri Countermeasures

The best countermeasure for Wangiri is user education. UC administrators need to make sure that users don’t place calls back to premium or 1-9xx numbers. Administrators should also educate users that a call with one ring and termination may not be a legitimate disconnected call, but actually a potentially expensive scam.

Administrators can also combat IRSF by blocking calls to known IRSF countries or specific telephone numbers within those countries. Again, CDR is very important. You should monitor for calls to PRS and IRSF numbers. As described in a previous section, a number of companies provide toll-fraud-mitigation applications and services.

Image Call Pumping


Call pumping is an inbound fraud issue often seen in contact centers. We cover call pumping in detail in Chapter 7, since it is an inbound call attack, but because its intent is fraud, we mention it briefly here. The basic idea is that the attackers generate a large number of inbound calls to toll-free 1-800 numbers, usually in the larger contact centers. The larger contact centers are the preferable target because there is a very good chance the fraudulent calls won’t be noticed. The attackers either generate short calls because they are interested in sharing the connect charges or they generate long calls, leveraging analysis of the IVR, because they are interested in the 1-800 per-minute charges. Figure 5-10 illustrates this attack.


Figure 5-10 Call pumping

Image Call Pumping Countermeasures

We cover call pumping countermeasures in detail in Chapter 7.

Image Exploiting Video Systems via the Internet


With DTF, the attacker makes an inbound call and then hair-pins out to make an international call. With one form of IRSF, the attacker uses the same technique or an internal call generator that creates UC-based calls, which generate international calls. A developing class of attack involves entry into the enterprise via the Internet and then hair-pins out to make outbound international calls. This is sort of the best of all worlds from an attacker’s point of view, although the real opportunities to do this are uncommon. Most UC systems remain internal and are not visible on the Internet. Even SIP trunking is UC over dedicated networks. This will certainly change over time, and eventually all UC will use the Internet.

UC-based video systems are becoming more and more common. Companies such as Cisco are trying to make every call have a video component. A key to using video systems is ease of use because if they’re harder than normal audio calls, they won’t be used. Some video systems are made available over the Internet for remote users and partners. Some of these video systems have also been exploited for the purpose of toll fraud. If a video teleconferencing system is left in its default security configuration, it can be accessible to unauthorized callers, who establish inbound Internet SIP or H.323 sessions, which are converted to TDM and hairpin to outbound calls over the connected ISDN PRI or SIP trunks that are still used for legacy access to these systems.

Some recent research has shown that many video systems are accessible over the Internet. Attackers can access these video systems using the web interfaces and default passwords and then turn them on, pan and zoom, and eavesdrop in the rooms where the video systems are deployed. This often includes sensitive areas such as boardrooms and conference rooms. See “Technology Flaws in Videoconferencing Systems Put Boardrooms at Risk”12 and “Video Conferencing and Self Selecting Targets”13 for information on HD Moore’s research into exploiting video systems.

To perform this attack, an attacker can scan public IP address space for SIP and H.323 services. This includes scanning for UDP/TCP on port 5060 and TCP on port 1720. As we covered in Case Study 1 at the beginning of Part I, you can also use the Shodan search engine to find candidate servers.

Image Exploiting Video Systems via the Internet Countermeasures

Industry-leading video systems such as those from Cisco can be easily configured to block unauthorized inbound access and calls.

For the outbound trunks, call restrictions can prevent outbound calls to toll destinations. Monitoring CDR on these trunks is especially important. As described in a previous section, a number of companies provide toll-fraud-mitigation applications and services.

Image Smartphone Fraud


There have been a number of examples of malware on Android-based smartphones that generate text messages to premium services. The text messages are sent out without any indication to the user of the smartphone. This can be an issue for enterprises, if the enterprise is providing the smartphone and/or paying for the service. We cover this threat in more detail in Chapter 17, where we discuss emerging threats.

Although it hasn’t happened yet, there is no reason why a similar piece of malware couldn’t make a long outbound call, late at night, to a toll or IRSF number. If a smartphone could make a four-hour call every night for a month, and not be noticed by the user until the end of the month, this could generate a bill in the thousands of dollars. It is just a matter of time before an attack like this affects smartphones.

Image Smartphone Fraud Countermeasures

We cover smartphone fraud countermeasures in detail in Chapter 17.


Toll fraud continues to be the most significant UC security issue affecting enterprises. There is a significant financial incentive behind toll fraud and it is easy and safe to execute. Although toll fraud has been an issue for years, it has gotten worse because UC capabilities and architectures make it more effective to execute. The most damaging forms of toll fraud include Dial-Through Fraud (IRSF) and a variant called International Revenue Sharing Fraud (IRSF). In both cases, the idea is to exploit a PBX or IP PBX and find a way to take an inbound call and hair-pin out to an international or IRSF number. When this is exploited by hundreds of users calling international destinations or through automated inbound call generation, the resulting financial loss to an enterprise can be significant. Service providers often do not cover these losses, leaving the enterprise to pay for the loss. Small enterprises are a particularly attractive target because they have enough infrastructure to generate many calls and often have new IP PBXs that are installed with their default security configuration.


1. Communications Fraud Control Association (CFCA) Announces Results of Worldwide Telecom Fraud Survey, CFCA,

2. Global Fraud Loss Survey, CFCA,

3. “Bigger Than Disney: Telecom Fraud Tops $40 Billion a Year,” Service Provider IT Insider, Heavy Reading,

4. “98% of Hackers Also Hit Businesses with Dial Through Fraud,” BT Wholesale,

5. Susan Weich, “A $600,000 Phone Bill? St. Peters Real Estate Agent Says It’s Not Her Fault,” St. Louis Post-Dispatch,

6. Somini Sengupta, “Phone Hacking Tied to Terrorists,” New York Times,

7. “Sen. Schumer: Al Qaeda-linked Phone Hackers Costing NY Small Businesses,” Government Security News,

8. “Client Matter Codes and Forced Authorization Codes,” Cisco Unified Communications Manager Features and Services Guide, Cisco Systems,

9. Cisco Systems, Cisco Unified Communications Manager Features and Services Guide, Chapter 13, page 10,

10. “How to Prevent Toll Fraud on Cisco Gateways,” Configbytes,

11. “Manipulating PINs to Abuse Cisco Voicemail,” Insinuator,

12. Nicole Perlroth, “Technology Flaws in Videoconferencing Systems Put Boardrooms at Risk,” New York Times,

13. “Video Conferencing and Self Selecting Targets,”