Tuesday, June 27, 2006

More on the recent VoIP fraud

There has been much discussion lately (for example, in Business Week, TechWeb and TMCnet) of the VoIP fraud allegedly perpetrated by Edwin Pena, abetted by Robert Moore, on a number of VoIP service providers.

The complete story, of course, has not been told. I had a brief email conversation with the owner of a Houston-based VoIP service provider that was scammed, and what follows is his tale.

In his case, the protocol was H.323 and not SIP. He tells me that his VoIP-PSTN gateway was expertly hacked, apparently using a master password, and its configuration was altered. To verify that the hack worked, test calls were made to a cellphone in New Jersey, according to logs in the equipment, which also revealed that they were made from Brazil.

Once it was verified that the calls got through, traffic was directed to the hacked gateway from (presumably) an H.323 gatekeeper, apparently located at the NAP of the Americas in Miami.

The fraud was discovered by the unusual traffic patterns that resulted, when all the circuits on the gateway became busy. The destination of most of the calls was Jamaica, with origins as diverse as the UK, Australia and the US.

Once alerted to the fraud, the aggrieved business owner did some investigation, and traced the cellphone to Fortes Telecom in New York.

What surprised me about this story is that it doesn't involve hacked networks at New York hedge funds, decoy servers at hosting companies, nor brute force attacks to discover account prefixes, as laid out in the criminal complaints against Edwin Pena and Robert Moore. It seems as though a variety of attacks were made, not all of which were described by the US Attorney's office.

Nevetheless, it does stress the need for adequate perimeter security around VoIP softswitches and gateways, a case I think the proponents of session border controllers have made fairly convincingly on the VOIPSEC list recently.


Post a Comment

<< Home