Fresh fraud alert over PBX hacking as firms face large bills

21 Dec 2012

Businesses have been warned about the risk of a fresh round of telecoms fraud, after a number of recent PBX phone system hackings that in some cases cost victims thousands of euro.

The telecoms regulator ComReg said operators had reported 12 cases in the past four months. “In one recent case of hacking, calls to the value of €90,000 were made without the knowledge of the customer. This type of incident is of particular concern as we approach the festive season when many businesses will be closed over the holiday period and may not notice their phones making thousands of international calls automatically,” the regulator said.

Earlier this year, a similar case resulted in calls worth more than €250,000 being made through another company’s PBX. ComReg said it intervened, but the victim still ended up owing more than €100,000 to its telecoms provider.

PBX fraud spearheaded by international crime gangs

Earlier this month the security consultant Paul C Dwyer urged businesses to check the security of their phone systems. He said in cases he had been made aware of, hackers appeared to be gaining access to victims’ PBXs using a Dublin number.

“They then dial from the compromised system to an ‘auto-dialler’ in Denmark … The auto-dialler then runs up a huge bill on the compromised phone system,” Dwyer said.

ComReg said the risk comes from the maintenance ports on PBXs, which allow third-party service providers to dial in to the phone system to diagnose problems. However, hackers can easily exploit the same feature when the ports are left open and protected by weak or default passwords, the regulator said.

Businesses often use simple passwords such as 0000, 1234 or the same number as a particular phone extension. Hackers can easily guess these to break into the system and run up large phone bills, with the victim knowing nothing until the next bill arrives.

ComReg recommended using strong passwords on all phone extensions to avoid hacks through that source. “These passwords should not refer in any way to the extension number.”

Other steps to take include asking the telecoms provider to bar access to premium rate numbers or even block international calls if the business doesn’t need them.
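The weak-PIN patterns ComReg describes above (0000, 1234, or a PIN tied to the extension number) can be checked automatically before a holiday shutdown. The following is an added illustration, not code from ComReg or from the original article; the six-digit minimum and the sample extension directory are assumptions made for the example.

```python
# Minimal PIN policy for this added example (an assumption, not ComReg's published rules):
# at least MIN_LEN digits, no repeated or sequential digit runs, and nothing that
# refers to the extension number, forwards or reversed.
MIN_LEN = 6


def is_sequential(digits: str) -> bool:
    """True for runs such as 1234 or 9876, where every step is +1 or -1."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(digits) > 1 and steps in ({1}, {-1})


def audit_pin(extension: str, pin: str) -> list:
    """Return the policy violations for one extension's PIN (empty list = acceptable)."""
    if not pin.isdigit():
        return ["non-numeric PIN"]
    problems = []
    if len(pin) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} digits")
    if len(set(pin)) == 1:
        problems.append("single repeated digit (e.g. 0000)")
    if is_sequential(pin):
        problems.append("sequential digits (e.g. 1234)")
    if pin == extension:
        problems.append("identical to extension")
    elif extension in pin:
        problems.append("contains extension")
    elif extension[::-1] in pin:
        problems.append("contains reversed extension")
    return problems


def audit_directory(directory: dict) -> dict:
    """Audit an {extension: pin} mapping and return only the weak entries with reasons."""
    findings = {}
    for extension, pin in directory.items():
        reasons = audit_pin(extension, pin)
        if reasons:
            findings[extension] = reasons
    return findings


# Constructed sample directory; extensions and PINs are invented for the example.
SAMPLE_DIRECTORY = {
    "2045": "2045",    # PIN equals the extension
    "2046": "0000",    # default-style PIN
    "2047": "123456",  # sequential run
    "2048": "920483",  # extension hidden inside the PIN
    "2049": "194020",  # extension reversed (9402) inside the PIN
    "2050": "735918",  # acceptable under the assumed policy
}

if __name__ == "__main__":
    for extension, reasons in audit_directory(SAMPLE_DIRECTORY).items():
        print(extension, "->", "; ".join(reasons))
```

Feeding the real extension list exported from the PBX into `audit_directory` gives a quick list of accounts to reset before the phones are left unattended.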

Telecoms fraud or PBX hacking isn’t new: it was first reported on in 2005, and it is known to have occurred on many occasions since. It has consistently been one of the main computer-based crimes reported to the Garda Bureau of Fraud Investigation, and at the time the then head of the bureau said it had collectively cost businesses millions.

In 2006, the first cybercrime survey conducted by ISSA and UCD found that 29pc of large organisations had fallen victim to telecom fraud at some stage.

ComReg said any company that discovers it has been hacked should contact the regulator immediately to stand the best chance of being assisted, and should also report the fraud to An Garda Síochána.

Gordon Smith was a contributor to Silicon Republic