Dial Through Fraud (DTF)/Toll Fraud Attack Using Robocalls

Here is a video describing a Dial Through Fraud (DTF) attack. DTF is a form of toll fraud, there the attacker dials into a compromised PBX, gains dial tone, and then dials a new destination, usually an international number. They "hairpin" though the PBX. The destination is often a premium number and the attacker is using the compromised PBX as a way of generating traffic and revenue.


This attack is interesting because it shows how inbound call or robocall generation can be used for DTF and toll fraud. First someone compromises an IP PBX so that an external user can dial in, get dial tone, and dial to an international premium number. Once this access is gained, the attacker can use it at any time for DTF themselves or sell it to an attacker who wants to generate the actual fraud.

Most people think of DTF as being the case there the access to the compromised PBX is sold to many individuals who use it to make international calls, say to talk to relatives in their native countries. This still occurs, but by far the more common attack is to automatically generate inbound calls to the compromised PBX, which hairpin into outbound international calls to the premium numbers, thereby generating a lot of traffic and revenue. This really isn't much different than automated call pumping or Telephony Denial of Service (TDoS) attacks. The attacker sets up an automated call generation operation, probably using Asterisk, a call generator, and SIP trunks. They build an audio file that pauses, enters a code to get dial tone, enters the desired international destination number, and then just keep the call up for some period of time. They run the attack and call a number for the compromised PBX that will give them dial tone. They probably spoof their calling number. The calls are kept up as long as practical, but keeping the calls shorter and/or variable length can make the attack a little less likely to be detected. The calls will usually be generated overnight and/or on the weekend to avoid attention.

If you watch the video, this is what happened. The attacker generated the calls at night and the victim had a ton of calls, all to Somalia start up at the exact same time. The calls continued for about 5 hours, at which time the victim noticed the attack. They happened to be an organization that takes calls at night, so they noticed the attack.

As with any DTF or toll fraud attack, paying for the fraud is the responsibility of the enterprise.