Christmas VoIP attacks. How did you fare?

Simon Woodhead

6th January 2014

In December we released yet more features (balance locking and automated alerts) to protect you from VoIP fraud should one of your customers or your equipment be compromised. Knowing people were winding down, we also gave “4 quick ways to help stay safe from VoIP fraud this Christmas”. It was really pleasing to see some customers immediately embrace those and implement them through our API, and even more so for them to have a festive period free of intrusion. Then there were those who didn’t…

We saw a record level of customer intrusions over the period, with a handful of customers being compromised repeatedly, or rather having multiple end-users compromised. One customer found all their (big brand) customer PBXs were susceptible to the same security hole when a fraudster took to abusing each one in turn on consecutive nights. Our customer found and dealt with this hole, but intervention and notification were required here several times to alert them to the consequences of it. The potential costs to them were unlimited had we not done so – they’d have exhausted their credit here, worked through credit with other carriers and potentially overflowed to CPS with surprise bills next month. The point here is not to criticise or shame, as the reality is this happens to everyone engaged in this business, but to highlight that if it hasn’t happened to you, it will, and it will be expensive! But we make the tools available to minimise the pain and alert you to problems, so it is entirely avoidable. Please do use them; perhaps start with the 4 quick ways post, which is an easy start.

What was interesting in a number of the cases over the period was the profile of the attack. There was no heavyweight scan followed by dialling known numbers and then slamming equipment with a high volume of calls. That noisy pattern is the typical one and invariably triggers our automated fraud alerts (remember, they’re available by SMS too if you don’t check your email at 3am!) as we routinely reject calls to those numbers for all customers. In this case the traffic just started gently to an unknown number and remained at a low level. This shows premeditation, and from the consecutive nature it was evident that the scanning and reconnaissance had taken place in advance. Further, when one door was closed they didn’t move down the list to the next; they calmly left it and came back the following night. That shows a maturity and cunning we don’t see very often and is perhaps a sign of this already $45bn annual industry professionalising. That makes it even more of a threat.
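The attack profile described above, as an added detection example (not Simwood's code and not part of the original post): on constructed call records, a per-hour volume threshold stays silent, while a check for night-time calls to numbers absent from a baseline period shows one destination moving from PBX to PBX on consecutive nights. The record layout, thresholds, baseline date and every number are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Assumed tuning values, not taken from the post.
BASELINE_END = datetime(2013, 12, 20)  # traffic before this is treated as known-good
NIGHT_HOURS = range(0, 6)              # out-of-hours window, 00:00-05:59
VOLUME_THRESHOLD = 20                  # calls per PBX per hour that a volume alert fires on

# Constructed CDRs (pbx, start, dialled number); not real traffic or real numbers.
CDRS = [
    ("pbx-a", "2013-12-10 09:12", "441632960001"),
    ("pbx-a", "2013-12-11 14:40", "441632960002"),
    ("pbx-b", "2013-12-12 11:05", "441632960001"),
    ("pbx-c", "2013-12-13 16:30", "441632960003"),
    ("pbx-a", "2013-12-24 02:10", "999000111222"),
    ("pbx-a", "2013-12-24 02:55", "999000111222"),
    ("pbx-a", "2013-12-24 03:40", "999000111222"),
    ("pbx-b", "2013-12-25 02:20", "999000111222"),
    ("pbx-b", "2013-12-25 03:15", "999000111222"),
    ("pbx-c", "2013-12-26 01:50", "999000111222"),
    ("pbx-c", "2013-12-27 10:00", "441632960004"),  # new number, but in office hours
]

def parse(cdrs):
    return [(pbx, datetime.strptime(ts, "%Y-%m-%d %H:%M"), dest) for pbx, ts, dest in cdrs]

def volume_alerts(cdrs):
    """Classic check: any PBX exceeding VOLUME_THRESHOLD calls in one clock hour."""
    per_hour = Counter((pbx, ts.replace(minute=0)) for pbx, ts, _ in parse(cdrs))
    return {key for key, n in per_hour.items() if n > VOLUME_THRESHOLD}

def low_and_slow_alerts(cdrs):
    """Night-time calls to numbers never dialled in the baseline period.
    Returns {destination: [(date, pbx), ...]} so a run of nights across PBXs is visible."""
    calls = parse(cdrs)
    known = {dest for _, ts, dest in calls if ts < BASELINE_END}
    hits = defaultdict(set)
    for pbx, ts, dest in calls:
        if ts >= BASELINE_END and ts.hour in NIGHT_HOURS and dest not in known:
            hits[dest].add((ts.date().isoformat(), pbx))
    return {dest: sorted(seen) for dest, seen in hits.items()}

if __name__ == "__main__":
    print("volume alerts:", volume_alerts(CDRS))
    for dest, seen in low_and_slow_alerts(CDRS).items():
        print(dest, seen)
```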

We know some customers have developed their own fraud monitoring solutions and that is a very good thing. It at least demonstrates a recognition of the problem and can only help. However, there’s a risk here. We tend to find that those most confident in their own solution are most dismissive of additional steps. We think that is short-sighted – you have locks on your car but do you disable the alarm? Several of the attacks we have seen have not been at the VoIP layer; they have been targeted at databases and administrative systems. Where those have been compromised, administrative access has been used to provision ghost accounts with unrestricted rights. Can you be confident your solution would pick that up, or does it depend on the very system they may have compromised? We’ve even seen customers disabled from access to their own systems. Using the features we offer gives you an additional layer of protection, completely separate to your own. We’re alerting and restricting what you pass through your account here, regardless of the current state of your own network and equipment.

Simwood is the only carrier we know of that offers such a rich array of real-time control features. To be honest, we’re probably the only one who can due to the unique way all our call routing is software-defined. There is zero database involvement in our call-routing; it is all carried out in RAM, which makes it not only lightning quick but enables us to carry out far more checks on large data-sets than would otherwise be possible. We wrote a brief blog post about this some time ago: Real-time big-data.

We’ll keep on adding new features and welcome any suggestions from customers. We know from those who use them that they help and really hope others implement them without the benefit of expensive hindsight.


