Is Your Virtual PBX Susceptible to Phreaking?

When attempting to swindle money out of a major corporation, it’s always easier when the corporation is in a position to help you collect on your efforts. 

According to this Ars Technica report, hackers based in the Philippines not only scammed AT&T – and potentially other telecommunications companies – out of millions of dollars for their own gain and to boost the accounts of a terrorist organization, the telecommunications giant apparently helped in the process. 

Few details have been offered by the virtual PBX provider, AT&T, regarding the arrest of four people in the Philippines by the National Police's Criminal Investigation and Detection Group and the FBI. One thing has become certain though, as at least one of the four arrested has previously been involved in phone hacking otherwise known as phreaking. 

This activity involves hacking into telecom customers’ private branch exchanges (PBXs) or a virtual PBX. The sting that brought down this ring was part of a larger FBI investigation to try and curb the activity worldwide. 

When virtual PBX hacking is successful, the scam turns corporate phone systems in virtual ATM machines. Many a large organization lacks the necessary security to prevent such activities, making them a prime target. The hackers didn’t need too much help to break into the systems as many still had the default password on them. 

To accomplish this scam, hackers simply need to collect information regarding different virtual PBX systems by securing physical or digital copies of their manuals and learning the dial-pad commands for remote access. Next, a vulnerable PBX system must be identified by searching phone directories or with a “war dialer” program. By working in the Philippines, this group was able to dial through large volumes of numbers of U.S. businesses after hours. 

When the hackers or phreakers gain access to extensions they simply change the passwords and use the extensions to make outbound calls using the DISA number. If a DISA number is discovered, the hackers break through possible passwords and gain access to the virtual PBX to place calls to any number they choose. 

While some phreakers may complete the process for the simple thrill of breaking through a virtual PBX, others are doing it for profit. The group in the Philippines was hacking into any vulnerable virtual PBX and sold access to compromised systems to a reported Pakistani member of a terrorist sect who then used the access to sell low-cost international calls through retail store fronts in Brescia and Mascerata, Italy. 

That scam ended with arrests in 2009, but new management on the retail side introduced a new approach to making money with phreaking techniques. This time, the scam focused on making telcos into accomplices. Access to virtual PBX systems was used to place outbound calls to high-rate international premium-rate services – much like 900 numbers in the U.S. – directing hundreds of calls to these services. AT&T unwittingly played a part in collecting for the services and as a result, absorbed the losses from this latest scam.
Susan J. Campbell is a contributing editor for virtual-pbx and has also written for eastbiz.com. To read more of Susan’s articles, please visit her columnist page.

Edited by Jamie Epstein