PBX hacking continues to threaten business owners


13 May 2009

PBX fraud, which is estimated to cost businesses in this country around €75m a year, is on the rise, and businesses are being encouraged to be vigilant and report suspicious activity to the authorities.

The Commission for Communication Regulation (ComReg) said last night that a recent PBX hacking incident, which has hit an Irish business in the wallet, has encouraged it to re-issue warnings to business about the ease with which PBX telephone fraud can occur.

“These incidents tend to occur at weekend periods when business premises are unattended,” ComReg said.

“Calls are placed and routed via the PBX of a business and, in the majority of cases, the business owners are unaware that their system has been hacked. ComReg understands that these ‘attacks’ occur because the PBXs in question have not been fully secured.”

The telecoms regulator has urged business owners to contact their PBX phone system supplier to ensure their system is secured.

Business owners who notice suspicious phone activity at times when the office would normally be closed are advised to report instances to the Garda Bureau of Fraud Investigation on 01-666 3766.

Telecoms fraud, or technically private branch exchange (PBX) fraud, is one of the most prevalent, yet under-publicised, forms of computer fraud around. IDC estimates there are more than 200 variants of the fraud in operation.

Telecoms fraud currently accounts for between 30pc and 50pc of European telecom firms’ bad debts, and the arrival of new services such as internet telephony or voice over IP (VoIP) and mobile services like 3G have led to an increase in options for hackers to get into phone systems.

The International Forum of International Irregular Network Access (FIINA) estimates that telecoms fraud is costing companies €42bn a year and is growing at 15pc a year.

In Ireland, according to figures last year from Energis, telecoms fraud costs companies €75m per annum.

In one case, US mobile operator Omnipoint was hit for US$9.6m by a GSM international roaming fraud. When the announcement of the fraud was made, around 75pc of the company’s market capitalisation was wiped off, despite it having upwards of 200pc customer growth.

In another case, a major multinational bank lost over US$1m following a phone fraud sting that had been in operation for three years before it was discovered. In another case a European police department was hacked to the value of £1m sterling over a six-month period.

No Irish business or government body will willingly admit being a victim of telecoms fraud.

However, the most high-profile instance of telecoms fraud in Ireland occurred in 2003, when a Comptroller and Auditor General report revealed that the Department of Social Affairs was defrauded to the tune of €300,000.

In one weekend alone, an overseas crime gang that had hacked into the department’s phone exchange (PBX) racked up calls of €12,000.

Fraudsters had taken advantage of a remote dial-in number used by engineers to maintain the system, and used the number to make international calls. Calls to the number came in from the Netherlands, Belgium and Italy and went further afield to Africa and the Far East.

At the time of the breach, the department was unaware the number was still in operation.

In another case, this time an attack on an unidentified business in Dublin, an organised gang obtained over a dozen phone lines in a house in the UK.

They had found a way of making calls through a succession of PBXs, eventually making international calls through a system in Dublin.

The owners of each of the PBXs had substantial carrier bills to pay, particularly the PBX of the unidentified Dublin business, where costs of over €75,000 were run up on a weekend. The destinations of the calls were in India, Pakistan and Africa.

By John Kennedy