Here are a couple of links to the Department of Homeland Security (DHS) Cyber Security Division (CSD) showcase earlier this year.
The Federal Trade Commission (FTC) is continuing its fight against those annoying robocalls by sponsoring its Zapping Rachel challenge at the most recent DEFCON 22 conference.
See the video in the link below. This is another case of robocalls, specifically automated debt collection calls, gaining significant national attention:
We all know that these calls are a big issue for consumers on their land lines. The robocallers, whether they are selling a product, harassing their victim, trying a scam, or attempting to get information (vishing), have traditionally targeted landlines because they have lists of numbers and because the targets can be especially vulnerable (elderly consumers).
However, we are all getting some of these calls on our cell phones. This is in violation of the Telephone Consumer Protection Act (TCPA). This document, while old, is a must read. It is now also illegal to make robocalls to normal land lines, but I predict that robocalls to cell/smart phones will get more attention and make it likely that the victims will complain. As covered in the video, attorneys have started to notice, and I predict they will work to make their share off of this issue, which is only getting worse and more common. Attorneys will only be able to go after "legitimate" robocallers. They will face the same challenges as law enforcement in going after illicit robocallers or those outside the country, but there are a lot of attorneys, and between them, law enforcement, and the FTC/FCC, we may see a growing civil and law enforcement response to the robocalling issue.
This will also be a boon for companies building smart phone applications to block these calls.
While this is going on, the robocallers are also increasing their call volume into businesses and enterprises. Land lines are slowly going away and the target base is getting saturated. It may be too risky to hammer away at consumers' precious cell/smart phones (heaven forbid a call comes in in the middle of composing an Instagram or Snapchat message), so the logical next target will be businesses and enterprises.
Here is a link to a good video on VoIP and SIP security.
Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:
- Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone else's PBX to generate calls to premium numbers set up by the hacker, or where the hacker has an agreement with the owner to generate traffic.
- Telephony Denial of Service (TDoS) - using someone's PBX to target a business or individual. The attacker makes money through extortion.
- Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).
At the end of the presentation, there is a brief TDoS demo.
Note that another way to make money is call pumping, where the calls are to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.
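The common thread in the toll-fraud, IRSF and call-pumping cases above is that the fraudulent traffic shows up in the PBX's own call detail records (CDRs) as an unusual pattern: one extension, after hours, placing many calls to international or premium destinations. The following is an added example (not code from the presentation or this blog) of a small CDR review script that scores each extension on three such indicators. The CDR format, the sample records, the "high-risk" prefix list, the business-hours range and the thresholds are all constructed assumptions for the example; a real deployment would take the prefix list and rate limits from its carrier and its own traffic baseline.

```python
"""Toll-fraud indicators from outbound call detail records (added example).

Assumed CDR format (constructed): ISO start time, source extension,
dialled number in E.164 form, call duration in seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs. Extension 1033 shows the classic pattern:
# a burst of long international calls to one prefix at 02:00.
SAMPLE_CDRS = [
    "2014-10-04T09:12:00,1021,+12125551234,95",
    "2014-10-04T10:03:00,1021,+14155550100,40",
    "2014-10-04T11:30:00,1040,+442075550199,120",
    "2014-10-04T02:14:00,1033,+2525550001,610",
    "2014-10-04T02:16:00,1033,+2525550002,590",
    "2014-10-04T02:19:00,1033,+2525550003,605",
    "2014-10-04T02:21:00,1033,+2525550004,600",
    "2014-10-04T02:24:00,1033,+2525550005,612",
]

HOME_COUNTRY_CODE = "+1"                 # assumption: a North American PBX
HIGH_RISK_PREFIXES = ("+252", "+232")    # constructed list; use your carrier's
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59, assumption
WINDOW = timedelta(minutes=30)           # sliding window for burst detection
BURST_THRESHOLD = 4                      # international calls per window


def parse_cdr(line):
    """Split one constructed CDR line into a dict with a datetime."""
    ts, ext, number, secs = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "ext": ext,
            "dst": number, "secs": int(secs)}


def is_domestic(number):
    return number.startswith(HOME_COUNTRY_CODE)


def toll_fraud_alerts(lines):
    """Return {extension: summary} for extensions with two or more indicators.

    Indicators: a burst of international calls inside WINDOW, international
    calls outside business hours, and calls to a high-risk prefix.
    """
    calls = sorted((parse_cdr(l) for l in lines), key=lambda c: c["ts"])
    by_ext = defaultdict(list)
    for c in calls:
        if not is_domestic(c["dst"]):
            by_ext[c["ext"]].append(c)

    alerts = {}
    for ext, intl in by_ext.items():
        # Largest number of international calls in any WINDOW-sized span.
        max_burst, start = 0, 0
        for i, c in enumerate(intl):
            while c["ts"] - intl[start]["ts"] > WINDOW:
                start += 1
            max_burst = max(max_burst, i - start + 1)
        after_hours = sum(c["ts"].hour not in BUSINESS_HOURS for c in intl)
        risky = sum(c["dst"].startswith(HIGH_RISK_PREFIXES) for c in intl)

        indicators = []
        if max_burst >= BURST_THRESHOLD:
            indicators.append(f"{max_burst} international calls within {WINDOW}")
        if after_hours:
            indicators.append(f"{after_hours} international calls outside business hours")
        if risky:
            indicators.append(f"{risky} calls to high-risk prefixes")

        if len(indicators) >= 2:
            alerts[ext] = {
                "calls": len(intl),
                "minutes": sum(c["secs"] for c in intl) // 60,
                "indicators": indicators,
            }
    return alerts


if __name__ == "__main__":
    for ext, summary in toll_fraud_alerts(SAMPLE_CDRS).items():
        print(ext, summary)
```

Requiring two independent indicators keeps a single legitimate late-night call to an overseas customer from paging anyone, while the combination that IRSF actually produces (burst plus after-hours plus premium prefix) scores on all three. The same script run nightly over the previous day's CDRs is the cheapest control most small PBX operators never set up.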
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is holding a special interest group in their annual conference in San Francisco, February 17-21, to focus on issues unique to voice.
More news about the FTC going after robocallers/Voice SPAM generators, who are scamming consumers.
There has been quite a bit of press about a voice phishing/vishing scheme in the UK that has netted the crooks some £7,000,000.
J. Oquendo has created the "VoIP Abuse Project" or "VoIP Blacklist Project".
Here is a video describing a Dial Through Fraud (DTF) attack. DTF is a form of toll fraud where the attacker dials into a compromised PBX, gains dial tone, and then dials a new destination, usually an international number.
As I have reported, the FTC has a challenge and $50,000 award for whoever can come up with the best solution to the issue of robocalls.
I thought it would be a good time to post MY OWN list of what I see as the 8 most common UC threats (I even provided a chart).
Here is an article from earlier in the year on VoIP phishing/vishing.
The FTC held a recent summit conference and has created a challenge to the industry to identify solutions to unwanted robocalls.
Here is another article talking about how automatically generated (robodialing, robocalls) marketing and SPAM calls are on the rise.
Here are a couple of articles about various DDoS services set up and ready for hire. There is also a brief discussion about how a service was used to attack a VoIP service. This isn't TDoS per se, but as I have said before, the botnets that the attackers use could easily generate VoIP based calls (rather than lots of packets) and target any enterprise site, contact center, user, consumer, etc.
So a tiny bit of background here. Attackers create botnets by assembling a collection (hundreds, thousands, tens of thousands) of individual bots on zombied computers. These bots sit dormant, but are ready to go if the attacker wants to generate an attack (or is paid). The bots can do pretty much anything - often it is to generate specific packets or floods of packets for a DDoS attack. The more bots, the more traffic and the harder it is to mitigate the attack. Of course a bot can also generate one or more VoIP/SIP based phone calls, which could, for example, all hit a large contact center. If the bots are smart enough to spoof their caller ID, they would be difficult to differentiate from real traffic. If they play similar audio, that could be detected, but if they did something really nasty, like play a random audio file/song from the zombie computer's iTunes directory, the attack would be very difficult to mitigate.
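Even when every bot spoofs a different caller ID and plays different audio, a botnet-driven TDoS against a contact center still leaves a signature at the SIP edge: the INVITE rate toward one number jumps far above its baseline, the calls arrive from an unusually large number of source addresses, and almost no caller ID repeats. The following is an added example (not code from this blog or any product) that counts inbound INVITEs per destination number per minute and reports those two properties alongside the rate. The log line format, the sample traffic, the baseline rate and the ratios used as thresholds are constructed assumptions for the example.

```python
"""Inbound TDoS indicators from SIP INVITE log lines (added example).

Assumed log format (constructed):
  <ISO time> INVITE from=<caller id> to=<dialled number> src=<source IP>
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) INVITE from=(\S+) to=(\S+) src=(\S+)$")

BASELINE_PER_MINUTE = 5   # assumption: normal inbound rate for one DID
RATE_MULTIPLIER = 5       # alert when a minute exceeds 5x the baseline
DISTRIBUTED_RATIO = 0.8   # distinct sources / invites at or above this
CHURN_RATIO = 0.9         # distinct caller IDs / invites at or above this


def build_sample_log():
    """Constructed traffic: a quiet minute, then a one-minute burst in which
    60 bots on 60 addresses each present a different spoofed caller ID."""
    lines = []
    for i in range(3):
        lines.append(f"2014-10-04T14:00:{10 + i * 15:02d} INVITE "
                     f"from=+1310555010{i} to=+18005550100 src=198.51.100.{i + 1}")
    for i in range(60):
        lines.append(f"2014-10-04T14:01:{i:02d} INVITE "
                     f"from=+1{300 + i:03d}555{i:04d} to=+18005550100 "
                     f"src=203.0.113.{i + 1}")
    return lines


def parse_invite(line):
    """Parse one log line; lines that do not match the format are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, frm, to, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "from": frm, "to": to, "src": src}


def tdos_alerts(lines):
    """Return one alert per (destination, minute) whose INVITE count exceeds
    the baseline, with flags for source spread and caller-ID churn."""
    buckets = defaultdict(list)
    for line in lines:
        inv = parse_invite(line)
        if inv:
            minute = inv["ts"].replace(second=0, microsecond=0)
            buckets[(inv["to"], minute)].append(inv)

    alerts = []
    for (did, minute), invs in sorted(buckets.items()):
        n = len(invs)
        if n <= BASELINE_PER_MINUTE * RATE_MULTIPLIER:
            continue
        sources = {i["src"] for i in invs}
        callers = {i["from"] for i in invs}
        alerts.append({
            "did": did,
            "minute": minute.isoformat(),
            "invites": n,
            # Many distinct sources: a botnet rather than one misbehaving trunk.
            "distributed": len(sources) / n >= DISTRIBUTED_RATIO,
            # Nearly every caller ID unique: consistent with per-call spoofing.
            "caller_id_churn": len(callers) / n >= CHURN_RATIO,
        })
    return alerts


if __name__ == "__main__":
    for alert in tdos_alerts(build_sample_log()):
        print(alert)
```

The flags matter for the response, not just the detection: a burst from one source with a repeating caller ID can be rate-limited or blocked at the session border controller, whereas a distributed burst with unique caller IDs is the case the post describes, where per-source blocking does little and the operator has to fall back on per-destination call admission limits or upstream carrier controls.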