Ad fraud
What steps would you take to protect your business from a burglar who arrives after office hours and steals £40,000? I suspect you'd make sure that the doors have good locks. You would put in a burglar alarm and maybe even CCTV surveillance. That should protect your business. Wrong! The burglar didn't break into your office; they broke into your internal telephone exchange (PBX). Unseen by human or electronic eyes, thousands of pounds are being spent on international telephone calls, and your business will pay the bill.
How Does It Work?
Dial through fraud is not a new problem; it has just had limited publicity. It exploits a PBX feature that allows employees to ring into the switchboard and, by keying certain dialling codes, make national and international calls for which the organisation pays the bill.
Many businesses take an "it won't happen to me" attitude to dial through fraud, even though most business PBXs are set up to be maintained remotely. This allows engineers from the maintenance company to make configuration changes without a site visit, but it also exposes the PBX. The administration port on the PBX is connected to a modem, which in turn is connected to an extension on the PBX.
Using trial and error, hackers identify the number that the modem is on. Default passwords such as "admin", "0000" or "1234" are tried first. Even if the password has been changed, there are many free utilities on the Internet that will brute force every number and letter combination until the right password is found. 16 character passcodes have been known to be cracked in this way.
Once the hacker has gained administrative access to your PBX, they will identify unused extension numbers and set them up to allow dial through using the company's PSTN lines. For the cost of a local telephone call, the hacker can make calls to the Middle East, Far East, Africa, Australasia, etc. Some of those calls may be costing the business as much as £3 a minute.
To compound the situation, the hacker will usually set up a disguised PBX that routes its calls through the organisation's PBX. The hacker then operates a "call sell" business, selling international calls to customers at cheap rates. Alternatively they may make calls to their own premium rate revenue share services. Over the 15 hours when your office is closed, as many as 10 simultaneous calls may be in progress. And that is just for one day! The problem is likely to go unnoticed and unresolved until the phone bill arrives at the end of the month.
It Will Never Happen To Me
A recent report in the Guardian highlighted the plight of one UK company that suffered a fraud attack. The company had secured its PBX with a 16 character password, but it was still compromised. The fraud was discovered by pure chance when the MD of the company arrived at the office early one day to find the lights on the telephone switchboard lit up like a Christmas tree, even though he was the only person in the office.
The report indicated that recovering the losses was not easy. Although the company's telco admitted that the calls were fraudulent, it was not the telco's responsibility to secure the customer's equipment from attack. The customer was therefore liable for any calls made through the PBX. It was also discovered that the company's insurance policy had a standard clause exempting it from any "electronic losses".
A Matter For The Police
Surely if a fraud has been perpetrated, the police should investigate? That is true. The Regulation of Investigatory Powers Act 2000 (Ripa) gives the police the power to request "intercept data" from the telco that would identify the origin of the inbound calls to the PBX. Under the act, a telco is permitted to charge up to £1,500 to cover its costs of retrieving the information requested by the police. This means that in every case the police must decide whether the financial losses involved in the fraud justify the cost of the "intercept data". For large losses, the answer is likely to be yes every time. However, in small cases involving just a few hundred or a few thousand pounds, the answer may not be so clear cut.
View the Guardian report.
How Can It Be Prevented?
The most obvious way is not to allow remote access to the administration facilities of the PBX at all. However, this may not be practical and could lead to increased charges from the maintenance company. The next method is to use a highly random password on the PBX, up to the maximum number of characters, and to lock the modem so that it will only answer calls from a single phone number. This solution is quite inflexible and may be switched off over time if it becomes impractical.
Ideally, you would want a solution that offers these benefits:
A modem that employs authenticated encryption to prevent hackers with standard modems from being able to connect.
Some hardware to act as an intermediary between the connection and the PBX. The hardware could then determine, through a username/password, what level of access to give to the PBX.
The hardware should proactively monitor the PBX, looking for the first signs of fraudulent activity.
Secure Access Modems
Secure access modems are usually hardware based. One modem is connected to the PBX, while one or more modems are deployed in the field. The modems use an encrypted secret key and a unique ID to provide a challenge/response to incoming calls. Consequently only a modem with a matching encrypted secret key, and an ID that is allowed by the PBX modem, will be able to connect.
This gives a far more flexible alternative to answering calls from a single phone number only. The modem is self contained and does not require any special software. It is unlikely that a random hacker using a standard modem will be able to breach this initial barrier.
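The following is an added illustration of the challenge/response described above, not code from the original article or from any Data Track product. It models the PBX-side modem issuing a fresh random challenge and the field modem answering with an HMAC over its ID and that challenge using a shared secret; the secrets and modem IDs are constructed for the demo. A standard modem with no secret can only guess, and because every call gets a new challenge a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed keying material for the demo (not real product data).
# Each field modem has a unique ID and a secret shared with the PBX-side modem.
SHARED_SECRETS = {
    "FIELD-MODEM-01": b"constructed-secret-key-01",
    "FIELD-MODEM-02": b"constructed-secret-key-02",
}
# The PBX modem additionally keeps an allowlist of IDs permitted to connect;
# FIELD-MODEM-02 holds a key but is not authorised on this PBX.
ALLOWED_IDS = {"FIELD-MODEM-01"}


def pbx_challenge() -> bytes:
    """PBX-side modem answers the incoming call and sends a fresh random nonce."""
    return secrets.token_bytes(16)


def field_response(modem_id: str, secret: bytes, challenge: bytes) -> bytes:
    """Field modem proves possession of the secret without transmitting it."""
    return hmac.new(secret, modem_id.encode() + challenge, hashlib.sha256).digest()


def pbx_verify(modem_id: str, challenge: bytes, response: bytes) -> bool:
    """PBX-side modem checks the ID is allowed and the response matches its own HMAC."""
    if modem_id not in ALLOWED_IDS:
        return False
    secret = SHARED_SECRETS.get(modem_id)
    if secret is None:
        return False
    expected = hmac.new(secret, modem_id.encode() + challenge, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, response)


def connect(modem_id: str, secret: Optional[bytes]) -> bool:
    """Simulate one call: PBX issues a challenge, caller answers, PBX decides."""
    challenge = pbx_challenge()
    if secret is None:
        # A standard modem has no shared secret; the best it can do is send noise.
        response = secrets.token_bytes(32)
    else:
        response = field_response(modem_id, secret, challenge)
    return pbx_verify(modem_id, challenge, response)


def replay_is_rejected(modem_id: str, secret: bytes) -> bool:
    """A response captured on one call does not satisfy the next call's challenge."""
    first = pbx_challenge()
    captured = field_response(modem_id, secret, first)
    second = pbx_challenge()
    return not pbx_verify(modem_id, second, captured)


if __name__ == "__main__":
    print("authorised field modem:", connect("FIELD-MODEM-01", SHARED_SECRETS["FIELD-MODEM-01"]))
    print("keyed but not allowlisted:", connect("FIELD-MODEM-02", SHARED_SECRETS["FIELD-MODEM-02"]))
    print("standard modem, no secret:", connect("FIELD-MODEM-01", None))
    print("replay rejected:", replay_is_rejected("FIELD-MODEM-01", SHARED_SECRETS["FIELD-MODEM-01"]))
```

The allowlist check and the key check are deliberately separate: revoking a lost field modem is a one-line change to ALLOWED_IDS without rekeying the others.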
Hardware Acting As An Intermediary
If a hardware appliance is used, it can act as a gateway between the PBX and the user. It can log all login attempts. It could be configured to send an alert (as an email, for example) when it detects multiple login failures. This type of behaviour would occur if a hacker were using a brute force attack to try to discover the password.
Different combinations of usernames and passwords can be given different levels of access to the PBX. Users can therefore be restricted to performing only certain actions from a limited menu. This prevents the hacker from gaining full unrestricted access to all of the administration functionality.
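As an added example (not the article's or any vendor's code), this sketches the gateway behaviour described in the two paragraphs above: every login attempt is written to an audit log, repeated failures from one source within a window raise an alert, and each account maps to a role whose menu of permitted PBX actions is an allowlist. The accounts, roles, action names and thresholds are all constructed for the illustration.

```python
import hmac
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed accounts: username -> (passphrase, role). A real appliance would
# store a password hash; plaintext is used here only to keep the demo short.
ACCOUNTS = {
    "engineer": ("constructed maintenance passphrase", "maintenance"),
    "helpdesk": ("constructed readonly passphrase", "readonly"),
}
# Limited menus per role instead of full PBX administration (action names are hypothetical).
ROLE_MENUS = {
    "readonly": {"show_extensions", "show_call_log"},
    "maintenance": {"show_extensions", "show_call_log", "change_extension_name"},
}
FAILURE_THRESHOLD = 3           # failures from one source before alerting
FAILURE_WINDOW = timedelta(minutes=10)


class PbxGateway:
    """Intermediary between the inbound connection and the PBX admin port."""

    def __init__(self) -> None:
        self.audit_log: List[str] = []
        self.alerts: List[str] = []
        self._failures: Dict[str, List[datetime]] = defaultdict(list)

    def login(self, source: str, username: str, password: str, now: datetime) -> Optional[str]:
        """Return the session's role on success, None on failure; always logs."""
        stored = ACCOUNTS.get(username)
        ok = stored is not None and hmac.compare_digest(stored[0].encode(), password.encode())
        self.audit_log.append(
            f"{now.isoformat()} login {'OK' if ok else 'FAIL'} user={username} from={source}"
        )
        if ok:
            self._failures[source].clear()
            return stored[1]
        # Keep only failures inside the window, then count the new one.
        recent = [t for t in self._failures[source] if now - t <= FAILURE_WINDOW]
        recent.append(now)
        self._failures[source] = recent
        if len(recent) >= FAILURE_THRESHOLD:
            # In an appliance this would be an email/SNMP trap; here it is a list entry.
            self.alerts.append(
                f"{now.isoformat()} ALERT {len(recent)} failed logins from {source} "
                f"within {FAILURE_WINDOW}"
            )
        return None

    def run(self, role: str, action: str) -> bool:
        """Allow an action only if it is on the role's menu; log the decision."""
        allowed = action in ROLE_MENUS.get(role, set())
        self.audit_log.append(f"action {action} role={role} {'ALLOWED' if allowed else 'DENIED'}")
        return allowed


def demo() -> PbxGateway:
    """Three bad guesses from one caller, then a valid engineer session."""
    gw = PbxGateway()
    t0 = datetime(2013, 3, 4, 23, 50, 0)   # constructed timestamp, out of office hours
    for i, guess in enumerate(["admin", "0000", "1234"]):
        gw.login("line-7", "engineer", guess, t0 + timedelta(minutes=i))
    gw.login("line-7", "engineer", ACCOUNTS["engineer"][0], t0 + timedelta(minutes=5))
    return gw


if __name__ == "__main__":
    g = demo()
    print("\n".join(g.audit_log))
    print("\n".join(g.alerts))
```

Note that the failure counter is keyed by source so that one persistent caller cannot hide behind occasional legitimate logins from elsewhere, and that it is reset only by a successful login from that same source.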
Proactively Monitoring For Dial Through Fraud
A dial through fraud solution can proactively monitor the call output from the PBX. It can be set to look for suspicious call activity. In the case of the organisation featured in the Guardian article, this could use a "ruleset" to look for any call that occurred outside office hours. When suspicious activity is detected, an alert is sent out containing the details. This allows a suitable response to be taken, reducing the potential losses from the fraud.
Dial through fraud can quickly and silently cause thousands of pounds of losses to a business. The conventional security precautions put in place to prevent it are weak, especially compared to those used on IT networks. Trying to recover any loss can be as difficult as detecting the fraud in the first place. Data Track can provide a range of phone fraud solutions that not only add extra security to your PBX but provide a way of detecting losses before they progress too far.
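The ruleset idea above, as an added example that is not part of the original article or any product: a small monitor reads call records in a CSV layout constructed for the demo (real PBX call logging formats vary by vendor), flags every call outside office hours, marks it high severity when the number is international or premium rate, and attaches an estimated cost from a constructed rate table (the £3 per minute international figure is the article's; the other rates are assumptions). It goes slightly beyond the text by also reporting the number of simultaneous flagged calls, since the article notes that many concurrent out-of-hours calls are the tell-tale sign.

```python
import csv
from datetime import datetime, time, timedelta
from io import StringIO
from typing import Dict, List

# Constructed call detail records: timestamp, originating extension, dialled number, duration.
SAMPLE_CDR = """\
timestamp,extension,dialled,duration_s
2013-03-04 10:15:02,2101,02075551234,180
2013-03-04 23:41:10,2398,0097155512345,1260
2013-03-04 23:42:30,2398,0097155512345,1500
2013-03-05 03:05:00,2399,0900123456,900
2013-03-05 14:20:00,2101,01618765432,240
"""

OFFICE_START = time(8, 0)      # assumption: office hours 08:00 to 18:00, Monday to Friday
OFFICE_END = time(18, 0)
# Assumed per-minute rates in pounds; only the £3 international figure comes from the article.
RATES = {"international": 3.00, "premium": 1.50, "domestic": 0.05}


def out_of_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the office window."""
    return ts.weekday() >= 5 or not (OFFICE_START <= ts.time() < OFFICE_END)


def classify(dialled: str) -> str:
    """Coarse number class from the UK dialling prefix: 00 international, 09 premium rate."""
    if dialled.startswith("00"):
        return "international"
    if dialled.startswith("09"):
        return "premium"
    return "domestic"


def evaluate(cdr_text: str) -> List[Dict]:
    """Apply the ruleset to each record and return one alert per suspicious call."""
    alerts = []
    for row in csv.DictReader(StringIO(cdr_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        kind = classify(row["dialled"])
        if not out_of_hours(ts):
            continue                      # rule 1: only calls outside office hours
        minutes = int(row["duration_s"]) / 60
        alerts.append({
            "when": ts,
            "extension": row["extension"],
            "dialled": row["dialled"],
            "kind": kind,
            # rule 2: out-of-hours AND chargeable destination is the worst case
            "severity": "high" if kind != "domestic" else "medium",
            "est_cost_gbp": round(minutes * RATES[kind], 2),
            "ends": ts + timedelta(seconds=int(row["duration_s"])),
        })
    return alerts


def total_cost(alerts: List[Dict]) -> float:
    return round(sum(a["est_cost_gbp"] for a in alerts), 2)


def peak_concurrent(alerts: List[Dict]) -> int:
    """Largest number of flagged calls in progress at the same instant."""
    events = [(a["when"], 1) for a in alerts] + [(a["ends"], -1) for a in alerts]
    events.sort(key=lambda e: (e[0], e[1]))   # ends (-1) sort before starts at equal times
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def format_alert(a: Dict) -> str:
    return (f"{a['when']:%Y-%m-%d %H:%M} ext {a['extension']} -> {a['dialled']} "
            f"[{a['kind']}, {a['severity']}] est. £{a['est_cost_gbp']:.2f}")


if __name__ == "__main__":
    found = evaluate(SAMPLE_CDR)
    for a in found:
        print(format_alert(a))
    print(f"total estimated exposure £{total_cost(found):.2f}, "
          f"peak concurrent flagged calls {peak_concurrent(found)}")
```

Running the monitor against the PBX's call output as calls complete, rather than against the monthly bill, is what turns a month of silent loss into an alert on the first night.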
Dominic Martin is the Marketing Manager for Data Track Technology plc. Data Track products enable value added resellers and systems integrators to remotely monitor and maintain a range of customer-located voice and data equipment. We offer ways for these organisations to reduce the number of site visits by engineers and to provide better response times against their SLAs. Using our products and services, organisations can raise the revenue they gain from support contracts by promoting a range of value-added services to their customers.
Data Track also supplies enterprise, public sector and other private organisations. Our aim is to provide products and services that help our customers to control their voice and data networks more effectively and to solve any communications challenges faced by the business.