The use of VoIP in the enterprise has risen considerably over the last few years, as better technology has been put in place and faster, more reliable internet connections have become available. But like any technology that becomes popular, it has also drawn the attention of cybercriminals, and for VoIP this has meant a rise in fraud against both consumer and PBX systems. Unlike traditional telephony, VoIP relies on networked computers to carry voice, and it is these systems that have opened up inroads for attackers.

On the consumer side, Skype, the most popular VoIP app on the market, has been the target of hacks and attacks, and some users have found themselves facing large, unexpected bills. Shadow IT creates the same exposure inside a business when employees use apps like Skype without authorisation.

In 2013, VoIP fraud cost businesses $4.73bn globally, with small and medium-sized businesses the most targeted, according to the Communications Fraud Control Association. VoIP fraud affects consumers, enterprises and telecoms providers alike, and it is often the provider that is left covering the bill. The charges run up by fraudsters can be substantial: in 2009 small business owner Michael Smith was left with a bill of $900,000 after his PBX system was hacked. AT&T sued Smith for $1.5m to recover the call costs, arguing that the responsibility lay with him because he should have ensured his systems were secure. The company later dropped the suit, while maintaining that the loss was not its responsibility.

The top five countries from which fraud originates are:
Types of VoIP Fraud

There are many techniques attackers can use to exploit VoIP systems. Some are borrowed from traditional phone fraud, while others rely on hacking and on software and hardware exploits. Common types include:
- Arbitrage – exploits the settlement rate between countries. With VoIP this falls into "a legal grey area", which means telcos often withhold payments to providers if the provider is suspected of artificially increasing traffic to countries where higher rates can be charged.
- Buffer overflow – the attacker sends malformed signalling or media packets that trigger a buffer overflow in the VoIP software, crashing the application or executing attacker-supplied code.
- Bypass/GSM gateway fraud – unauthorised traffic is inserted onto another carrier's network and terminated through a GSM gateway (a SIM box) so that calls from overseas appear to be ordinary domestic mobile calls. In practice the fraudster is usually selling phone cards abroad that are then used on the network.
- Call transfer fraud – the PBX is compromised and its trunks used to make long-distance calls, usually at night or at weekends when the traffic is unlikely to be noticed.
- Premium rate calls – cybercriminals pair up with premium rate number providers, use illegal means to generate traffic to those numbers, and share the revenue.
- PBX hacking – the most common type of fraud: the attacker breaks into the PBX and uses it to generate large volumes of chargeable traffic.
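The after-hours, long-distance traffic pattern described under call transfer fraud and PBX hacking is exactly what a fraud check over the PBX's call detail records (CDRs) should look for. The script below is an added example and not code from the original article. It assumes a simple CSV CDR export with start, src, dst and billsec columns (the sample records are constructed for the example), that international numbers are dialled with a 00 or + prefix, and that business hours are 08:00 to 18:00 on weekdays; all three are assumptions to adapt to your own PBX.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed CDR sample: these are not real records. Column names follow the
# common start/src/dst/billsec convention. 2024-01-13 is a Saturday and
# 2024-01-15 a Monday, so extension 204's calls fall at the weekend at night.
SAMPLE_CDR = """\
start,src,dst,billsec
2024-01-13 02:05:11,204,0023412345678,1840
2024-01-13 02:38:02,204,0025312345678,2210
2024-01-13 03:15:44,204,0037012345678,1990
2024-01-13 03:52:09,204,0023412345699,2405
2024-01-15 10:12:30,110,0044201234567,320
2024-01-15 14:45:00,112,02071234567,95
2024-01-15 22:30:00,112,0033123456789,60
"""

INTERNATIONAL_PREFIXES = ("00", "+")  # assumption: trunk dials abroad with 00 or +
BUSINESS_HOURS = range(8, 18)         # assumption: 08:00-17:59 local time, Mon-Fri


def parse_cdrs(text):
    """Parse the CSV export into rows with a datetime start and integer billsec."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
            "src": r["src"],
            "dst": r["dst"],
            "billsec": int(r["billsec"]),
        })
    return rows


def is_international(dst):
    return dst.startswith(INTERNATIONAL_PREFIXES)


def is_after_hours(when):
    # Weekend, or a weekday outside the business-hours window.
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def suspicious_extensions(text, min_calls=3, min_minutes=60):
    """Aggregate after-hours international calls per extension and return those
    exceeding either the call-count or the billable-minutes threshold."""
    per_ext = defaultdict(lambda: {"calls": 0, "minutes": 0.0, "destinations": set()})
    for row in parse_cdrs(text):
        if not (is_international(row["dst"]) and is_after_hours(row["start"])):
            continue
        stats = per_ext[row["src"]]
        stats["calls"] += 1
        stats["minutes"] += row["billsec"] / 60
        stats["destinations"].add(row["dst"][:5])  # keep only the country/area prefix
    return {ext: s for ext, s in per_ext.items()
            if s["calls"] >= min_calls or s["minutes"] >= min_minutes}


if __name__ == "__main__":
    for ext, s in suspicious_extensions(SAMPLE_CDR).items():
        print(f"extension {ext}: {s['calls']} after-hours international calls, "
              f"{s['minutes']:.1f} min, prefixes {sorted(s['destinations'])}")
```

Run this against a daily CDR export (or feed it a rolling window) and page on any hit; a single extension placing several long international calls at 02:00 on a Saturday is the signature of a compromised PBX being resold. Tune the thresholds to the site's legitimate overseas traffic so that the check is not silenced by a genuine night shift.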
PBX Hacking

Since this is the most common type, let's look at it in a little more detail. Once the attacker has broken into the IP PBX, whether through a vulnerability or a weak credential, the compromised system can be used to carry out any of the other types of fraud above. Entry is often gained by guessing extension PINs, or simply by finding an extension that still uses a default PIN, so always change these to something more complex when setting up a VoIP system. Other common configuration mistakes include:
- Poor user authentication and access control
- Reliance on SBCs for security
- Inadequate LAN separation and control
- Lack of use, or inadequate use, of encryption
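The two cheapest defences against the PIN-guessing described above are to audit the extension secrets before an attacker does and to watch the PBX log for registration brute force. The script below is an added example and not code from the original article or from any PBX vendor. It assumes an Asterisk-style messages log (the lines are constructed in chan_sip's "Registration from ... failed for ..." format, with RFC 5737 and RFC 1918 addresses) and a hypothetical extension-to-secret table such as you would export from the PBX configuration; the weakness rules and the failure threshold are illustrative choices.

```python
import re
from collections import defaultdict

# Constructed sample of Asterisk chan_sip NOTICE lines. The layout mirrors what
# Asterisk writes on a failed SIP REGISTER; timestamps, extensions and addresses
# are invented for this example. One host walks through extensions 100-104 and
# then probes a non-existent 999; a LAN phone mistypes its password once.
SAMPLE_LOG = """\
[2024-01-15 02:13:41] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2024-01-15 02:13:42] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2024-01-15 02:13:43] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2024-01-15 02:13:44] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2024-01-15 02:13:45] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2024-01-15 02:13:49] NOTICE[1234] chan_sip.c: Registration from '"999" <sip:999@10.0.0.5>' failed for '203.0.113.7:5060' - No matching peer found
[2024-01-15 08:01:10] NOTICE[1234] chan_sip.c: Registration from '"105" <sip:105@10.0.0.5>' failed for '192.168.1.42:5060' - Wrong password
"""

REG_FAIL = re.compile(
    r"Registration from '\"(?P<ext>[^\"]*)\"[^']*' failed for "
    r"'(?P<host>[^':]+):\d+' - (?P<reason>.+)$"
)


def failed_registrations(log_text):
    """Return (source_host, extension, reason) for every failed REGISTER in the log."""
    found = []
    for line in log_text.splitlines():
        m = REG_FAIL.search(line)
        if m:
            found.append((m.group("host"), m.group("ext"), m.group("reason")))
    return found


def brute_force_sources(log_text, threshold=5):
    """Group failures by source host and report hosts at or above `threshold`.
    The extension set and the count of probes for unknown peers are kept so the
    analyst can see an enumeration sweep rather than one user's typo."""
    per_host = defaultdict(lambda: {"failures": 0, "extensions": set(), "unknown_peers": 0})
    for host, ext, reason in failed_registrations(log_text):
        stats = per_host[host]
        stats["failures"] += 1
        stats["extensions"].add(ext)
        if reason.startswith("No matching peer"):
            stats["unknown_peers"] += 1
    return {h: s for h, s in per_host.items() if s["failures"] >= threshold}


# Hypothetical extension -> SIP secret/PIN table exported from the PBX config.
EXTENSIONS = {
    "100": "100",           # secret is the extension number
    "101": "1234",          # vendor default
    "102": "0000",          # vendor default
    "103": "48213957",      # random-looking but digits only: a phone-keypad PIN
    "104": "Qx7!vR2#pL9m",  # acceptable
}
DEFAULT_SECRETS = {"1234", "0000", "1111", "12345", "123456", "secret", "password", "admin"}


def weak_secret_reason(ext, secret):
    """Return why a secret is weak, or None if it passes the illustrative rules."""
    if secret == ext:
        return "secret equals extension number"
    if secret.lower() in DEFAULT_SECRETS:
        return "well-known default"
    if secret.isdigit():
        return "numeric-only PIN"
    if len(secret) < 12:
        return "shorter than 12 characters"
    return None


def audit_secrets(extensions):
    """Map each extension with a weak secret to the reason it was flagged."""
    return {ext: r for ext, s in extensions.items() if (r := weak_secret_reason(ext, s))}


if __name__ == "__main__":
    for host, s in brute_force_sources(SAMPLE_LOG).items():
        print(f"{host}: {s['failures']} failures across {sorted(s['extensions'])}, "
              f"{s['unknown_peers']} unknown-peer probes")
    for ext, reason in audit_secrets(EXTENSIONS).items():
        print(f"extension {ext}: {reason}")
```

The brute-force check is the same logic tools like fail2ban apply to the Asterisk log, and the host it flags here is a good candidate for a firewall block. The secret audit catches the "default PIN" and "PIN equals extension" cases the text warns about; in SIP, registration secrets are not typed on a keypad, so there is no reason for them to be numeric or short.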