Now this is our first real cyber crime article.
So we have a bunch of others, ‘How I would Phish’, ‘How I would steal your phone to steal your wallet’, but they are all reactive. Now, we always say with cyber crime we need to be pro-active, but for some reason the limit of that seems to stop at “educating on existing crimes”.
So here we are going to be pro-active: we are going to highlight a method of cyber crime that will become profitable from 2020, after PSTN starts to be replaced with VoIP.
Before we go on, let’s just get a few definitions:
PSTN – traditional phone services, like you have in your home today, or ISDN lines (for businesses)
VoIP – Calls are run over the internet
Provisioning Server – As this is a consumer article, this will refer to the user interface that you go to to add or amend an extension (the term means something else in the VoIP technical world, but here, when we talk about provisioning, we mean the user interface that a customer can use to amend their phone services).
We have made a video for this using VR which you can see below.
Please subscribe to our channel on Youtube (you can click the link in the video when it comes up)
Below we cover the video content in more detail and on the following pages we look at what you can do to prevent this.
“Wire tapping, not just for the FBI anymore, anyone can do it!”
Let’s start with History
Wire tapping, phone tapping: the concept has been around almost as long as distance communication over a cable has been available to consumers.
It is something that has evolved over the last 150 years. It was used in World War 1, so at least 100 years ago its purpose was espionage. The counter-espionage method in World War 1 is both interesting and at the same time kind of sad; you can google ‘Native Americans World War 1 Wire Tapping’ for a bit more information on that.
Intercepting a communication transmission is not an easy thing; it would usually require something physical to have been compromised, and there are always issues with profiting from that method, especially if you do not know the target.
So the element of random attack and gain is quite low in this scenario, given the slow speed at which mass data becomes available, essentially listening to all calls to get some details.
So let’s give a manual method to begin with, then we will look at how all of that WILL change from 2020.
Tapping your copper line
I could lean out an upstairs window right now and spur off a cable from my next-door neighbour’s phone line.
This would be no different to having a phone line downstairs and an extension upstairs listening in on the call.
But there is no benefit to the effort involved, I would only know when you receive a call and I would have to listen to, potentially, a lot of talk time before anything of value came up.
The only real benefit here is to a stalker.
So it is very unlikely you would find hundreds or thousands of people wandering around tapping into phone lines to listen to calls.
I am also limited to a physical location 1 on 1 style monitoring.
Accessing Call Recordings
This would be very industry dependent, but the problem here is the temporary drop in call recording for exactly the data I want.
So regulations will state that if the data being spoken about is sensitive, like taking payment details, the business side will enter a code which will temporarily stop call recording.
They then enter a code to start call recording again once the, for example, payment details have been passed over.
While I can’t imagine this process is followed on every call (mistakes happen), I would have to sift through a lot of real-time data and listen to calls to find one where this process was not followed.
Again, it is just not worth the time and effort required.
Then, for a lot of industries, say trading, it is time-sensitive information. Essentially, it needs to be acted upon relatively quickly in order to benefit from the information being discussed. Well, how do I decide which ones to go through? How many people do I have going through them?
Essentially, there are not enough hours in a day for one person to really do much of anything significant in this scenario.
It could be possible to refine this, but that would take a bit of understanding, so against my rules for publishing cyber crime (i.e. it should not be a training guide) I cannot go into that detail.
So what are my needs in order to prosper in a criminal enterprise?
- I need to be able to listen into, in real time, phone calls as they happen
- I need to be able to hear all parts of the call
- I need to be able to listen in regardless of geographical location
- I need to know when a call is being made or received
- I need a large volume of potential targets to be available
- I need to be able to set this up in the simplest and quickest way possible
- I need to do this in a way that no one knows I am listening in
With the current varied infrastructure in place, this is actually quite difficult.
IP PBX Example
It is possible to do this on an on-site IP phone system, but I am reliant on a couple of things:
- The phone system is networked
- The router and the phone system are weakly configured
- OR I have provider software and can configure over an ISDN channel (also needs a weak password, would still need to be networked as well, but allows a different route bypassing any infrastructure security)
For a lot of IP systems I would then also need the right model of handset.
The phone system would need licences for certain features:
- Call Notification – Requires the phone system to be configured to an email exchange
- Busy Lamp Field – Would require some expensive handsets my side, and quite some time to configure them
- Call Listen / Call Barge / Silent Call Barge
Now this last feature could be called “Wire Tapping” or “Phone Tapping”, what it is used for is to allow one internal extension to listen into the calls of another internal extension, like a manager in a call centre listening in on staff calls.
The time taken to find a suitable PBX, set one up and find out if it was even worthwhile for the effort is reasonably substantial.
Given the varying phone systems in play out there, and the configuration required at this level, this is limited to essentially a Telecoms Engineer.
There are other ways to do it, but this would be the least technical method I can think of for this technology, as it relies on existing functionality within the phone system. So it does part of the required effort for me; in theory you wouldn’t need an in-depth knowledge of telecoms infrastructure, but rather an understanding of configuring an on-site phone system.
The phishing call-back scam isn’t the same thing: you receive an email from your bank telling you to phone them urgently, the number you phone routes via a different service, and it is then forwarded on to your bank.
The fraudster listens in on the call.
So this requires you to call a number that does not belong to your bank to instigate the call, so it doesn’t fall into our wire tapping example.
Now here is where it gets interesting: any type of physical interception is pretty damned difficult, the communications are for the most part secure, so in theory, when we watch a film with the FBI in it going forward, they would probably go via the VoIP company to listen into calls in order to provide continuity to the narrative.
However, the ease of access and convenience of VoIP, well that presents us with a bit of a problem.
Like we said at the start of this article, the purpose is to be pro-active, so considering an upcoming industry change, is there a more efficient and easy way into a phone system that would allow me to achieve this relatively easily?
Can I do this without relying on you calling a different number by phishing you?
I’m glad you asked, so back to our normal format with a slight variation:
- How the Crime will be Committed
- What a Consumer can do to prevent it
- What the industry has to do to prevent it
How the Crime will be Committed
I wouldn’t be surprised if some people already do this; it is just that it will become more profitable from 2020. It will then hit the news, there won’t be a valid solution for a while, then other people will start doing it as it is really easy in the grand scheme of things.
So, to be pro-active, let’s publish the method before the crime becomes profitable.
This applies to a VoIP handset solution (or softphones) and this would also apply to SIP trunks to a PBX, as I can still utilise the VoIP exchange side functionality within the same group, so it opens up something that would traditionally be quite difficult.
Well, let’s look at some selling points for VoIP to see why this becomes an easy method:
- It is so easy to configure and intuitive, you won’t need training. Any customer can set up a handset and add features, they do the install themselves.
- Your communications are not limited by a geographical location, you can take your handset home and use it or benefit from a soft phone on any network.
- Feature rich services available (including all the ones we need)
So let’s see how that relates to our requirements:
- I need to be able to listen into, in real time, phone calls as they happen – Tick
- I need to be able to hear all parts of the call – Tick
- I need to be able to listen in regardless of geographical location – Tick
- I need to know when a call is being made or received – Tick
- I need a large volume of potential targets to be available
- I need to be able to set this up in the simplest and quickest way possible – Tick
- I need to do this in a way that no one knows I am listening in – Tick
Well, point 5 in my MoSCoW rating scheme is quite high: this is a Must Have. I need a large volume or what is the point?
Currently there is substantial diversity in telecoms methods, which provides enough issues for me that it would still put me off this route: too much of a mix of traditional solutions and VoIP solutions.
What I need is a trend.
Enter the trend, or the solution to point 5:
In 2020, BT will make the PSTN network legacy. No more new lines will be provisioned on ISDN or analogue lines.
The current plan is to phase out the PSTN network by 2025.
My targets from 2020 will start to increase.
A trend in the consumer market is created.
This gives me 12 months from the time of writing to work out a method that I need to start deploying from month 13.
This also opens up a remote residential market, most of which is currently on either mobile only or copper PSTN.
So how do I do it?
Well, we are not intercepting communications, that would be a difficult task; instead we take advantage of how easily VoIP is configured by consumers and re-purpose that for our needs.
My ideal route is to access a VoIP provisioning application that sits in front of a VoIP exchange.
This is the same thing that a genuine customer of a VoIP service accesses to configure their phone services without requiring any technical know-how.
There are a lot of these available, produced by various companies. I worked on one in a previous job, so personally I wouldn’t have an issue with this method.
These have the same issues of exposure as any application on the internet today.
VoIP Customer Access
- Each end user has an account – least productive for my goal
- Each Group has an account – This would achieve my goal, but often just for 1 physical location for the company I am targeting
- Enterprise – This would provide me the level required to manipulate an entire customer and all of their locations
- Reseller/Agent accounts – this will give me access to multiple customers for that reseller or agent
- Service provider accounts – this will give me access at service provider level
In the above hierarchy, on any given VoIP exchange there will be more end user accounts than service provider accounts; the number of accounts decreases as you move up from end user to service provider.
Now the more end users there are, the less secure it will be as a whole. So, much like everything else in cyber crime, I am looking for the weak 1 in 100 to take advantage of; this could be an employee of yours, or you directly.
But what are my most likely access points to the VoIP provisioning server?
Account Recovery Options
The access to the VoIP provisioning application (what customers access) is most likely configured against an email address.
Either I go via the VoIP provisioning server trying to guess your password (malware could be an option here instead of brute force/dictionary attacks),
or I go via gaining access to a customer’s email address, then use that to reset the portal access for the VoIP provisioning application.
The notifications sent out by the VoIP provisioning application are probably more like an audible alarm than an alarm monitoring system when it comes to the end user accounts, so resetting the password and then deleting the notification email would be the way to go here.
Either way, we have demonstrated in the previous articles, and given the volume of hacks today we know, that access is inevitable, so questioning whether someone can gain access is irrelevant: we know it is possible and that methods are available that require little to no technical ingenuity.
Essentially the problem comes where we make access easier for users, and each user on an application poses a security risk. So my on-site PBX would probably have had just an admin account, whereas my VoIP provisioning service from a customer perspective would have at least one account for each of my employees plus a group admin account, often managed at small business level by a non-technical individual.
What we know is, a hacker gaining access to something is inevitable, they will find a way much like they do today.
So, once access is gained at either the Group level or the Enterprise level, which would be the most likely way in, I do the following:
- Amend the email address on the account I have just logged into; I want any notifications veered away from them and onto me. Check to see if there are other group level users and amend their email addresses as well.
- Check services already available
- Purchase services I need, which will be available from the VoIP provisioning application, this will then generate an order confirmation now diverted to my email address.
- Create a new extension for, likely, a soft phone licence.
- Generate the link for the soft phone app specific to this provider, the ease of extension set up means it is unlikely I need any real detail here.
- Add Call listen feature
- Add Busy Lamp Field (visual way of seeing if extensions in my group are on a call or not via the soft phone)
- Purchase and add the counterpart call listen feature that needs to be applied to the extensions I want to listen into
- Purchase and add call notify to the extensions that I need to listen into (this can be configured to email me whenever they make or receive a call)
In short, I am not intercepting calls; I am posing as essentially a virtual employee of the company. The VoIP exchange does not care about my location; there is always one method that will work, like a soft phone or a mobile application.
The features available enable me to intercept calls as part of the functionality that is provided to the customers.
The ease of configuration means that, according to most VoIP providers, the above task takes about 10 minutes start to end once I have access, and ‘it is so intuitive anyone can do it’.
So what it comes down to now is:
- Is the cost of my purchases noticeable and when is it noticeable?
- Does that put a half-life on my hack?
It does… UNLESS I configure some other functionality at the group or enterprise level.
So I have access to the service provider’s provisioning application; this likely tells me the reseller by virtue of branding.
I can find out the customer service numbers of a reseller. I do this because, when my activity is noticed, what is a customer likely to do?
Phone the reseller.
But the VoIP provisioning application may very well have passed the calling plans or CoS (class of service) functionality further down the chain as well.
With this, it is possible to do a number redirect: essentially, when you dial a certain number I re-route that to a different number.
Its design is more around authorising something like an 09 number or an international call: one phone in your group dials an 09 number, and instead of just blocking them all, you re-route to a handset to authorise the call.
In this case, I re-route the service provider’s numbers back to the extension I set up, so if you dial them from one of your extensions, it comes to me.
“Looking at the records, it appears to be a billing error, we will credit the next bill” or whatever it is you want to hear, I’m not going to do anything in real life, but this will delay you.
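Both the configuration chain described above (email change, new extension, call listen, call notify) and the redirect of the provider’s own numbers leave a trail in the provisioning portal’s audit log, which is where a provider or an enterprise administrator would look for them. The following is an added example, not code from this article or from any VoIP vendor: it assumes a hypothetical JSON-lines audit format (the event names contact_email_changed, extension_created, feature_added and redirect_added, the feature names, the account ids and the phone numbers are all invented for the example) and flags (a) a contact-email change followed within 24 hours by a new extension, listening/notification features or a redirect on the same account, and (b) any redirect that points the provider’s published support number at an internal extension.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events from a hypothetical VoIP provisioning portal's
# audit trail (assumed format, not any real vendor's). One JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"ts":"2019-06-03T09:12:04Z","account":"grp-1042","actor":"admin@customer.example","ip":"203.0.113.7","action":"login","detail":{}}
{"ts":"2019-06-03T09:13:10Z","account":"grp-1042","actor":"admin@customer.example","ip":"203.0.113.7","action":"contact_email_changed","detail":{"old":"admin@customer.example","new":"mbox7731@mail.invalid"}}
{"ts":"2019-06-03T09:20:41Z","account":"grp-1042","actor":"admin@customer.example","ip":"203.0.113.7","action":"extension_created","detail":{"ext":"4099","type":"softphone"}}
{"ts":"2019-06-03T09:22:05Z","account":"grp-1042","actor":"admin@customer.example","ip":"203.0.113.7","action":"feature_added","detail":{"ext":"4099","feature":"call_listen"}}
{"ts":"2019-06-03T09:25:33Z","account":"grp-1042","actor":"admin@customer.example","ip":"203.0.113.7","action":"feature_added","detail":{"ext":"4021","feature":"call_listen_target"}}
{"ts":"2019-06-03T09:26:12Z","account":"grp-1042","actor":"admin@customer.example","ip":"203.0.113.7","action":"feature_added","detail":{"ext":"4021","feature":"call_notify"}}
{"ts":"2019-06-03T09:40:50Z","account":"grp-1042","actor":"admin@customer.example","ip":"203.0.113.7","action":"redirect_added","detail":{"dialled":"+441632960123","to_ext":"4099"}}
{"ts":"2019-06-04T11:02:00Z","account":"grp-1042","actor":"admin@customer.example","ip":"198.51.100.5","action":"feature_added","detail":{"ext":"4012","feature":"voicemail"}}
{"ts":"2019-06-04T11:05:00Z","account":"grp-2210","actor":"ops@other.example","ip":"198.51.100.9","action":"extension_created","detail":{"ext":"2001","type":"handset"}}
"""

# Numbers the provider/reseller publishes for customer support (constructed, fictional UK range).
PROVIDER_SUPPORT_NUMBERS = {"+441632960123"}

# Features that let one extension hear, or be told about, another extension's calls.
MONITORING_FEATURES = {"call_listen", "call_listen_target", "call_barge",
                       "call_notify", "busy_lamp_field"}


def parse_audit_log(text):
    """Parse one JSON event per line into dicts with a UTC datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev.setdefault("detail", {})
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _label(ev):
    """Short human-readable tag for an event, used in alert output."""
    d = ev["detail"]
    if ev["action"] == "feature_added":
        return f"feature_added:{d.get('feature')}"
    if ev["action"] == "extension_created":
        return f"extension_created:{d.get('ext')}"
    if ev["action"] == "redirect_added":
        return f"redirect_added:{d.get('dialled')}->{d.get('to_ext')}"
    return ev["action"]


def _is_takeover_step(ev):
    """Configuration changes that, soon after a contact-email change, match the
    pattern in the article: new extension, listening/notification features, redirects."""
    action, d = ev["action"], ev["detail"]
    return (action == "extension_created"
            or (action == "feature_added" and d.get("feature") in MONITORING_FEATURES)
            or action == "redirect_added")


def detect_takeover_chains(events, window=timedelta(hours=24)):
    """Alert when a contact-email change on an account is followed, within `window`,
    by takeover-style configuration steps on the same account."""
    alerts = []
    for i, trigger in enumerate(events):
        if trigger["action"] != "contact_email_changed":
            continue
        deadline = trigger["ts"] + window
        followups = [ev for ev in events[i + 1:]
                     if ev["account"] == trigger["account"]
                     and ev["ts"] <= deadline and _is_takeover_step(ev)]
        if followups:
            alerts.append({"account": trigger["account"],
                           "trigger_ts": trigger["ts"].isoformat(),
                           "new_contact": trigger["detail"].get("new"),
                           "followups": [_label(ev) for ev in followups]})
    return alerts


def detect_support_number_redirects(events, provider_numbers=PROVIDER_SUPPORT_NUMBERS):
    """Alert on any redirect rule that sends the provider's own support number to an
    internal extension: a customer phoning for help would reach the wrong party."""
    return [{"account": ev["account"], "ts": ev["ts"].isoformat(),
             "dialled": ev["detail"].get("dialled"), "to_ext": ev["detail"].get("to_ext")}
            for ev in events
            if ev["action"] == "redirect_added" and ev["detail"].get("dialled") in provider_numbers]


def analyse(log_text=SAMPLE_AUDIT_LOG):
    """Run both detections over a log and return the alerts grouped by rule."""
    events = parse_audit_log(log_text)
    return {"takeover_chains": detect_takeover_chains(events),
            "support_redirects": detect_support_number_redirects(events)}


if __name__ == "__main__":
    for rule, alerts in analyse().items():
        for alert in alerts:
            print(rule, json.dumps(alert))
```

On the constructed sample, the first rule produces one alert for grp-1042 listing five follow-up steps, while the next-day voicemail change and the other group’s new handset are left alone; the second rule fires on the redirect of the support number regardless of whether an email change preceded it. The email change is the trigger because the article’s whole point is that notifications are the only alarm the customer has; a provider that also mails the old address on a contact change, and holds feature purchases for a cooling-off period after one, turns this from a forensic query into a preventive control.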
But if I can do that, then why don’t I look through your call history to see the numbers you dial and from what extension?
Now we are getting interesting: I take your last 30 days of call records, compare that to known number lists to see what companies you call, then I see how frequently you call them, like maybe a bank.
This is a much better option. The VoIP customer portal likely has the call records, and all I really need to do with these is match against advertised numbers for banks.
When I have identified the number dialled for a bank, I have also likely identified the A number, which would be the particular extension or extensions that dial the bank (not every phone in the office would do this).
Now I reconsider my set-up, as listening to all calls for all extensions is still a lengthy process:
- Use call records to identify user who deals with bank
- Set up Call listen on that extension only
- Set up call notify to send an email to me when that extension dials the banks number (call notify can be configured to just email me when a specific number is dialled)
So I have streamlined my task: instead of needing to listen to hundreds or thousands of calls to get benefit, I just need 4 or 5, which I can collect over the period of a month or so.
Why 4 or 5?
A lot of bank telephone PINs are 6-8 digits, and they ask you for 2 random ones each time.
By listening to 4 or 5 calls, there is a good chance that I get most of your passcode if not all of it, along with your other security questions.
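To put a number on the claim above, and to show why a partial-PIN challenge gives little protection once several calls can be overheard, here is an added calculation that is not from the original article. It assumes a PIN of n digits where each call asks for 2 distinct positions chosen uniformly at random and independently of earlier calls; that is a simplifying assumption about how a bank picks positions, and the real policy may differ.

```python
from fractions import Fraction
from math import comb


def coverage_distribution(pin_len, calls, asked_per_call=2):
    """Exact probability distribution of how many distinct PIN positions have been
    spoken aloud after `calls` partial-PIN challenges, each asking for `asked_per_call`
    distinct positions chosen uniformly at random and independently of earlier calls
    (assumption for this example). Returns {positions_revealed: Fraction}."""
    total_choices = comb(pin_len, asked_per_call)
    dist = {0: Fraction(1)}
    for _ in range(calls):
        nxt = {}
        for covered, p in dist.items():
            # A challenge re-asks (asked_per_call - new) already-heard positions and
            # `new` fresh ones; count the ways each split can occur.
            for new in range(asked_per_call + 1):
                ways = comb(covered, asked_per_call - new) * comb(pin_len - covered, new)
                if ways:
                    nxt[covered + new] = (nxt.get(covered + new, Fraction(0))
                                          + p * Fraction(ways, total_choices))
        dist = nxt
    return dist


def prob_fully_revealed(pin_len, calls, asked_per_call=2):
    """Probability that every position of the PIN has been heard at least once."""
    return coverage_distribution(pin_len, calls, asked_per_call).get(pin_len, Fraction(0))


def expected_revealed(pin_len, calls, asked_per_call=2):
    """Expected number of distinct positions heard."""
    return sum(k * p for k, p in coverage_distribution(pin_len, calls, asked_per_call).items())


def risk_table(pin_lengths=(6, 8), max_calls=6):
    """Rows of (pin_len, calls, expected_revealed, prob_all) for a quick risk sizing."""
    return [(n, k, float(expected_revealed(n, k)), float(prob_fully_revealed(n, k)))
            for n in pin_lengths for k in range(1, max_calls + 1)]


if __name__ == "__main__":
    for n, k, exp_rev, p_all in risk_table():
        print(f"{n}-digit PIN, {k} calls overheard: {exp_rev:.2f} positions expected, "
              f"P(all positions) = {p_all:.1%}")
```

For a 6-digit PIN and 5 overheard calls the expected number of positions heard is 422/81, a little over 5.2 of the 6, and the chance of having heard all 6 is about 36%; for an 8-digit PIN after 5 calls it is about 6.1 of 8 expected, with only about 4% odds of the full PIN. That is the article’s “most of your passcode if not all of it” in numbers: the control limits what one call exposes, not what a month of calls exposes, which is why the fix has to be on the access side, not the challenge side.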
So with a VoIP customer portal, providing easy configuration, easy purchase of new services, easy billing and easy access to call logs, I can easily commit fraud against you via your bank account.
But I can only easily do that from 2020, and certainly from 2025 when PSTN is switched off, because at that point I know that every business I try this on has VoIP, and they then likely have access to a VoIP provisioning server.
So if I gain access to one of your employees’ login details, where do I go from there? A bunch of scams I have running, ones you maybe know about, but now I also have this scam, which you maybe didn’t know about.
Right, so that is how the crime can be committed going forward. There are other ways, but they all have the same solutions on the next page.