This is Phishing with VoIP. We're taking a look at some new attack techniques and a review of some preventive policies to protect your company's assets, if you guys have companies, as well as an overview of detection and evidence gathering for prosecution, or lack thereof. The points of interest that I'm going to cover in this talk are the proofs of concept, the actual systems. I'm going to show you some examples as well. Fear. Also, I'm going to show the anonymity of the attacks, how people can stay anonymous, and how it is very hard to track these people. We're going to talk about some of the losses by the consumers and corporations that are affected by these, and some suggestions for defensive thinking.
The enterprise attack. This type of attack can go down in a lot of different ways. I'm just going to show a couple of examples. The enterprise attack. If a malicious phreaker, not a phreaker, a malicious phisher would get their hands on an email list, they can just send out mass emails to particular corporations, like customers, stating some type of rules where they need to call in to put something wrong with their account, they need to call in, blah, blah, blah. They'll put a number in the email. When the customer calls that number back, there's a system that sounds exactly like an IVR system for the company that they're pretending to be, like Washington Mutual, T-Mobile, etc.
I do have a short example. What you're about to hear, it's actually not sure how it's going to sound, so give me a second to adjust it. I've never seen this phone in my life. Right now I'm listening to one of his ringtones by mistake. Dude, this is a fear. In call, yo. There we go. Did you have a call? Came in here? This is all going on my system. All this audio that you're hearing is coming from my system and all of this data is being logged. So, you know, they put it in. It logs it, but it says that it did it because it's trying to get more information.
I don't know if you can see that. Now it goes for the full, like, 16-digit number. This just actually happens when you call their system if you enter, like, the wrong information. I'm just going to put in some silly stuff. What I just entered, what I just entered, it saved it in there. So I put it in. It did. Now it's going to ask it twice just in case they enter the wrong number. Now it's going to throw them on hold. Now what I could do is, I'm done. I apologize because I've never seen this phone in my life. I don't know. I don't know how well you guys can see it over here, but all that information I just put in, it just logged it on, like, a MySQL database. Now, if I wanted to, I could set up, like, a queue, which I was going to do because I bought several phones around here. I was going to try to register, but I was being blocked to be able to have my devices actually register out and come in, so I wouldn't be able to show that, so I apologize. But you can have it ring any cell phone, anything you want to use. You know, you can have it ring those phones at the same time. And, you know, you just pick up the phone, thanks for calling, whatever. That's what these people are doing. They're doing stuff like this.
Another type of attack that I'd like to talk about would be the man-in-the-middle attack. Now, people who research about phishing, they are aware of the man-in-the-middle attack. This particular man-in-the-middle attack has to do with your phone call being routed, not with your computer. So, it's not just people getting a hold of email lists and stuff. A lot of these attacks are taking place on the services side. I'm not sure how many people are aware, but if you have a toll-free number in your business, the only thing that's required for you to reroute your toll-free number to another DNIS or POTS is just to have the business name and the shipping and the billing address for the company that you have.
That's very bad because how easy is it to get the business name of a phone number and how easy is it to get the business billing address? Very, very easy. So, if a person has information, they can reroute certain percentages of the calls coming into the company's voice systems. So, what the malicious phisher would do is they would call up and either social engineer to have, like, 15% going to their POTS line, which wouldn't be a very difficult thing to do at all. So, 15% of the time for all calls coming in, it would come in and hit the phisher's voice platform, which then in turn, not playing any audio. All of the media is coming from the actual corporation's IVR system. The agents that you would hear on the phone would be the actual real agents that work for the company.
When the call comes in, when a customer tries to place a call and they call the real telephone number for the corporation, it would hit the phisher's system. As soon as it hits that system, the phisher could tell the call, completely control the call. What they would do is send out another call, spoofing charge number. I'm not sure if people are aware of that, but spoofing charge number is just like spoofing caller ID. It's just with SS7. It's one of the fields. Back out to the corporation's number. So, when an agent would reach, would get the call, the real representative for the company would get the call. They would be talking to the real customer. Both parties would be met. However, the agent for the corporation would also see that the person is calling from their telephone number. So, I don't know how they were going to tell that it's any different.
And I have an example of that as well. I apologize about the phone. An example of that would be this. Now, take in mind, the audio that you're hearing from this is coming from the actual Washington Mutual system, not to say Washington Mutual. I think this is the number. I just forgot the number. Okay, it just came in. I just skipped it.
Just to get through it to the rest. I went through a different option by the way as well. So, this actual system is completely mocked to the T, like Spanish, everything. Can you guys see this? Okay, what's going on on the screen? If you look over here, I fear. Okay. What happens is it answered the call and automatically threw the calling party number into a MySQL database, labeled it called phish, and set out, you know, set caller ID as the number that I called from and then placed an outbound call to the toll-free number for, you know, a lot of companies have multiple toll-free numbers that go to, like, the same systems, like MCI as an example, 80444444, 804444, 3233, you know, et cetera. So, all this is doing is just wrapping around the numbers. And everything that is going on between the customer and the agent is being recorded into three different audio files in the middle from the system that it hit. So, they're reaching real agents, they're reaching, that's just a man-in-the-middle attack.
The next one is the individual target attack. The individual target attack is kind of the, it's when you, you know, target an individual. An example of that would be, this is like a level seven. Say there's Wendy, okay? Wendy's the target. Now, what the malicious person would do is they would have, you know, when you send an email to, like, T-Mobile's cell phones, like, number at my, at T-Mobile.net, it shows up, if it's just an email with text, it shows up from, like, 603, and then, you know, your email credentials. Now, when you receive a text message from T-Mobile themselves, it comes up the similar way, the same from 603 or 602, whatever, the same, like, three-digit number. Well, someone can easily spoof an email, you know, from that. When they receive it on their phone, they could put a message on their phone, like, you know, please call T-Mobile risk assessment immediately before your account gets, you know, suspended.
Then they would call another one of these systems. It's exactly the same way set up, same prompts and stuff. But what happens is at the other end is the, of the phisher. And they can use, like, a social engineering attack once they get the call, like, you know, thanks for calling T-Mobile, this is Chet, 729-420. Can I have your mobile number, please? The person would say, you know, they give them the mobile number. After they get the mobile number, they would call as much as a passcode, they'd tell them what the passcode is, and then they would say, all right, well, before I can go any further, I have to verify your account to the fullest extent. Your account has been flagged. And they'd be, okay, and they'd be, like, what's your, you know, nine-digit social security number, what's your billing address on the account. Take in mind, these people were calling back a number, a toll-free number, that's the same exact prompts. You can't really tell, you know, it's the same prompts. Some representative on the other side, asking these questions, trying to verify their account. I mean, you know, every time I call, not all the time, but people verify. But it's not a hassle, but, you know, people verify. It's a normal process of doing business when you call in to make changes in your account.
Now, after he gives them that information, what's he going to do? Just hang up? No, he wants to play it off smooth like so that he doesn't even know anything has even happened. So he would say to them, all right, your account's been locked, it's been flagged. This is what he's saying to Wendy. He says, someone tried to access your account more than ten times without providing the password, and we didn't think it was you. We have an automatic script on our system that, if that happens, your account gets locked.
Once your account gets locked, we try to get ahold of you through the risk assessment team and create, like, a more difficult password if you feel that your password could be breached. So what would you like your password to be, and Wendy would make up a new password. After making up a new password, finish the call, call up, you know, T-Mobile, add a new password to the account because you already have the first password because they just gave it all of the information, you know?
The anonymity of the malicious attackers, the way that they keep hidden. There's access to free open source, you know, VoIP platforms. There's free PBXs all over the place. I'm not going to mention any of them. My favorite is Asterisk. Access to free incoming direct inward dial numbers, DIDs. You know, you only need an email address to set them up. They can be rerouted to, like, a new IP address real-time. So you don't need to have your SIP server be in one location at all times. You can always update that information. You're having a number with no information, you know? The use of an open Wi-Fi connection with the bootable SIP server from a CD. A person could go sit on someone's Wi-Fi, you know, an open access point, spoof their MAC address if they want, you know, and just load their SIP server from their CD and just put their configs on it. And now they're completely on someone else's network, running their own PBX system, receiving all the calls, changing location whenever they want. Spoofing charge number. That's related to the man-in-the-middle attack and also social engineering service providers. You know about spoofing charge number at Google, you'll see. Spoofing MAC address, like I mentioned. There's another way of, you know, keeping yourself hidden.
It affects the consumer by identity theft, diminished credit score, anxiety about personal information. I know I flip out all the time. I don't know what's going on with my info.
And it leads to problems in personal life, you know, like arguments with your wife, with your husband, you know, like why can't we get this house? Why can't we get this car? You know, you have credit problems, you have credit problems. And if it's not your fault, it becomes really frustrating. Very, very time consuming. I don't know who has had identity theft in this room in the past, but you know that it takes so long to fix.
How it affects the corporations, you know, more chargebacks, unnecessary charges, charges that are fraudulent, you know, higher premiums for their insurance, trust issues with customers. Like, customers are not going to really know who to do business with. They're not going to know who they're talking to when they pick up their phone. They're going to hear the same prompts, but who's really at the other end? Bad publicity, you know? Revenue loss. That's what it ends up being.
Some suggestions. On the services side, like AT&T, MCI, LCI International, which is Qwest, Sprint, you know, they handle these toll-free services for these businesses. Those are the points that are going to be attacked as well. I recommend having like a group email alert from the services side. So when someone calls in AT&T and they make a change on your network for what DNIS is being sent over, or if there's any changes to the routing of your telephone numbers that's going into your company, that there needs to be a group notification sent out. And the reason why I say group is you could have someone that has that position and they get fired, or they leave, they quit, and then where does it get picked up at? Raise awareness to customers, to reach your customer service only from the numbers indicated on the website.
Now, if they make sure that they have some type of group email alert when something's changed, and they make sure that the customers only call the numbers that are on the website, that's not going to be completely 100% foolproof, because you know that that's not ever going to happen, but that's going to be pretty good, you know. Make a note that your company is ready to prosecute to the fullest extent and is aware of such attacks. You're not just like an idiot, you know, like not a noob.
Consider some new ways of authenticating customers to representatives and vice versa. There's never really been ever a company that has allowed you to verify who they are. It's always been about who you are. Now, with these types of attacks happening, the consumer really wants to know who are you? Are you really the company that I do business with, you know? There's never really been anything like that. Maybe there could be some type of passcode or something that the representative could read off at their account so they can be like, your passcode is this. Some type of authentication. I'm just throwing that off the top of my head.
Evidence gathering. If such attacks have been made, you want to make sure that you find the time when changes have been made. If someone has rerouted your number, you want to know exactly when these changes have been made. You want to check the SS7 records for when the call came in that made the routing changes. When you check the SS7 records, you want to know what's going on. The JIP, the jurisdiction information parameter. It's in the SS7 records. It indicates what switch that the call came from. Now, with people spoofing the charge number, calling party number, caller ID, all that stuff, it's still going to show up. They're not going to know what's going on, but if they look at the JIP parameter, they're going to see what switch, NPA, NXX that the call came from.
So then they can narrow it down and when they subpoena that telecommunication provider that's going from that switch, then they can grab all the IP information from who registered. They can grab the MAC address. I'm sure the attacker probably came from a Wi-Fi connection, but you always got to check all ends. One thing that when you are investigating, you want to make sure that you check all the activity on the account. Like the first number dialed as an example. I don't know who's ever set up like a voicemail in here for K7. Has anyone ever heard of K7.net? What's the first phone that you ever call from that number that you ever call to your voicemail? Your phone, right? You call from your phone to activate it. Most people do that and they don't think about it. You can track people down to call logs and whatnot. But once you get the MAC address, you want to check it and make sure because it's probably spoofed, but if not, whatever. People make mistakes, you know. You can subpoena the computer manufacturer, hosting provider for the billing information of the MAC address if it is valid, but it's just options.
If you fall victim to these attacks, checking the malicious phishers can be an exhausting task. You just don't want everyone to give up. Everyone makes mistakes. Stay on top of the investigation and always remember to make the malicious criminals fear. So, that's it. Yeah.
There's been some rumor of BGP router hijacked voice response systems. You have any, you know, information regarding those?
What was that?
People hide doing BGP hijacks of IP addresses to route them to a false IVR?
My experience, the easiest way to reroute traffic from one IVR to another IVR would be hitting these services like AT&T, MCI. You call them in the middle of the night. If you own a company and you have a toll-free number going, all you need is your billing address and your name of your company to make changes. Real time.
If you want to change your toll-free number to something, you can have it go to like a POTS line, which would be your DID registered with the SIP server that you have, which if you're on an open Wi-Fi network, you can reroute that traffic to whatever IP on your own side through your DIDs after the toll-free number is already rerouted to the DID. What are you talking about? I don't know. That's just the easiest way I would think to get that solution done.
The man-in-the-middle attack that's being done, say using Asterisk. How is the... When does it pass the audio of the DTMF tones along to the real of what you're talking about in the system?
With the particular SIP server that I use, it doesn't.
So it plays the sound so the user hears?
Because the way that it's set up, when it needs to use DTMF, it generates it itself.
I mean, will you hear it if you push a button?
You're not going to hear it. It's going to be muted. You know how when you hear recorded, it's like you know, it's going to be the way that the server that I'm going to right now, it's muted. But all audio is recorded into three files: in channel, out channel, and mixed.
I mean, if you're doing a man-in-the-middle attack, how does it pass the DTMF tones that the user is pushing to the real voice you're sponsoring it? How does it relay it?
It doesn't. It depends. It doesn't. It only records audio. That particular method. On the server that I'm using...
I don't mean on your end.
On my end? Yeah. It doesn't pass on DTMF tones. Yeah, it doesn't pass on DTMF to record.
So how does it...