
Default PBX Passwords = $55 M Phone Bill

16 June 2009

Default Passwords Led to $55 Million in Bogus Phone Charges

The U.S. Justice Department today unsealed indictments against three Filipino residents accused of hacking into thousands of private telephone networks in the United States and abroad, and then selling access to those networks at call centers in Italy that advertised cheap international calls.

The indictments correspond to a series of raids and arrests announced today in Italy, where authorities apprehended five men alleged to have been operating the call centers and using the profits to help finance terrorist groups in Southeast Asia.

The U.S. government alleges that the individuals arrested in the Philippines were responsible for hacking so-called private branch exchange (PBX) systems — computerized telephone switches and voice mail systems — owned by more than 2,500 companies in the United States, Canada, Australia and Europe.

The indictment alleges that between October 2005 and December 2008, Manila residents Mahmoud Nusier, Paul Michael Kwan and Nancy Gomez broke into PBX systems, mainly by exploiting factory-set or default passwords on the voicemail systems. The government charges that their Italian call center operators paid the hackers $100 for each hacked PBX system they found.

The indictments explain the scam like this: People wishing to make cheap international phone calls from Italy would enter one of several local call centers set up by the alleged co-conspirators there. They were charged a cheaper per-minute rate than it would otherwise cost them to make the call from their own phone, yet more than the call center operators were paying, because the operators routed the calls through a hacked PBX that had access to cheaper dialing rates. The call center operators were still charged for the initial long distance call to the hacked PBX, but since that per-minute rate was much lower than dialing directly from their own country, they could pocket the difference between what their customers paid and the cost of routing through the hacked PBX.
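The scheme described above leaves a recognizable footprint in a PBX's call detail records: a call arrives from outside, is answered by the voicemail or auto-attendant port, and is then relayed back out to an international number, often outside office hours and in long bursts. The following script is an added illustration, not code from the original article or from any PBX vendor; it runs two such indicators over a handful of constructed call detail records. The record layout (start time, originating port, dialed digits, seconds), the `VM` marker for the voicemail/auto-attendant port, the business-hours window, and every number in the sample are assumptions made up for this example.

```python
"""Toll-fraud indicator check over constructed call detail records (CDRs).

Added illustration: models the relay pattern the indictment describes
(outside caller -> PBX voicemail/auto-attendant -> outbound international
leg). The CDR format and all sample values are constructed assumptions.
"""
import re
from datetime import datetime, time

# One constructed CDR per line: start time, originating port, dialed digits,
# call length in seconds. "VM" is the assumed voicemail/auto-attendant port;
# "x1201"-style values are user extensions. All numbers are made up.
SAMPLE_CDRS = """\
2008-11-02T09:15:00 x1201 2015550123 120
2008-11-02T23:40:10 VM    011923001234567 1805
2008-11-02T23:41:02 VM    011923001234568 2410
2008-11-03T00:05:44 VM    011639171234567 905
2008-11-03T10:20:00 x1310 011442071234567 300
2008-11-03T10:45:30 x1201 9175550123 60
"""

# NANP international dialing: 011 (or +) followed by at least seven digits.
INTL_PREFIX = re.compile(r"^(011|\+)\d{7,}$")
# Assumed local office hours; calls outside this window get a second look.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_cdrs(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, origin, dialed, secs = line.split()
        records.append({
            "start": datetime.fromisoformat(start),
            "origin": origin,
            "dialed": dialed,
            "minutes": int(secs) / 60,
        })
    return records


def flag_through_dialing(records):
    """Indicator 1: an international call whose originating port is the
    voicemail/auto-attendant ("VM") rather than a user extension.

    A legitimate international call starts at a handset; a relayed call
    enters on a trunk and leaves through the voicemail system's outdial."""
    return [r for r in records
            if r["origin"] == "VM" and INTL_PREFIX.match(r["dialed"])]


def flag_after_hours_intl(records, hours=BUSINESS_HOURS):
    """Indicator 2: international calls placed outside office hours."""
    lo, hi = hours
    return [r for r in records
            if INTL_PREFIX.match(r["dialed"])
            and not (lo <= r["start"].time() < hi)]


def summarize(text):
    """Run both indicators and return counts and relayed minutes."""
    records = parse_cdrs(text)
    through = flag_through_dialing(records)
    after = flag_after_hours_intl(records)
    return {
        "through_dial_calls": len(through),
        "through_dial_minutes": round(sum(r["minutes"] for r in through), 1),
        "after_hours_intl_calls": len(after),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CDRS).items():
        print(f"{key}: {value}")
    for r in flag_through_dialing(parse_cdrs(SAMPLE_CDRS)):
        print("relayed:", r["start"].isoformat(), r["dialed"], f"{r['minutes']:.1f} min")
```

On the sample, the three night-time legs that originate at the `VM` port and dial `011`-prefixed numbers are flagged by both indicators, while the daytime international call from extension `x1310` is not. In practice the first indicator is the sharper one: a voicemail or auto-attendant port should rarely, if ever, originate an outbound international call, so any such record is worth an alert regardless of volume, and disabling voicemail outdial/through-dialing where it is not needed removes the path the indictment describes.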

According to a Google-translated Reuters piece, the trio allegedly then sold access to those systems to 40-year-old Pakistani Mohammed Zamir, the manager of a call center in Brescia, Italy. Italian authorities arrested Zamir and at least four other Pakistani men operating call centers throughout Northern Italy.

The U.S. government’s case was filed in the U.S. District Court of New Jersey, home of long distance provider AT&T, one of the companies whose customers were most affected by the scheme. The charging documents allege the thieves used the hacked PBX systems to relay more than 12 million minutes of unauthorized international phone calls, or $55 million worth of telephone charges.

Erez Liebermann, assistant U.S. attorney for New Jersey, said the hackers broke into most of the systems by using default passwords already set on them.

“The default passwords were left open in most of these PBX systems,” Liebermann said.

The indictments filed by the Justice Department are available here (PDF). The defendants are charged with computer hacking, conspiracy to commit wire fraud, and access device fraud.

By Brian Krebs | June 12, 2009; 2:13 PM ET
Categories: Cyber Justice, Fraud, U.S. Government, Web Fraud 2.0 | Tags: pbx hacking
