http://www.networkingpipeline.com/shared/article/printablePipelineArticle.jh...

June 08, 2006

The Inside Story of A Million-Dollar VoIP Scam

A Miami man allegedly defrauded Internet voice providers to the tune of $1 million, with a sophisticated hacking scheme. Here's the inside story of exactly how he did it.

By Preston Gralla, Networking Pipeline

The $1 million scheme by a Miami man to allegedly defraud VoIP providers, and sell long-distance calls surreptitiously through their networks, was a surprisingly easy technical feat. It should give pause to providers and enterprises alike about how insecure voice services have become in a world where all calls will eventually be routed over IP networks.

Federal prosecutors charge that Edwin Andres Pena of Miami hacked into the networks of Internet telephone providers and fraudulently sold more than 10 million minutes of VoIP calls. Pena allegedly sold $1 million of phone service to his customers at extremely reduced rates. But rather than buy long-distance minutes from existing providers to provide the service, he instead hacked into the networks of VoIP providers and provided the minutes for free. Here's how he did it.

Starting with a "Brute Force" Attack

The basic service that Pena provided is not uncommon. Telecommunications brokers often buy long-distance minutes from carriers -- especially VoIP carriers -- and then re-sell those minutes directly to customers. They make money by marking up the services they buy from carriers.

Pena sold minutes to customers, but rather than buy the minutes, he instead decided to hack into the Internet phone company networks and route calls over those networks surreptitiously, say prosecutors. So he had to pay virtually no costs for providing phone service.

The first step in the scheme required that Pena find the special prefixes that Internet phone companies use to identify calls that are allowed to be routed over their networks. Prosecutors say that Pena did this with a "brute force" attack, by "slamming" Internet phone networks with thousands of test calls, using many different variants of prefixes. When a call was able to get through to one of the Internet phone service networks, Pena knew that he had the proper prefix for that network.

Once he had the proper prefixes, he turned to someone else for help with the scam, say prosecutors. He contacted Robert Moore of Spokane, Washington, they say, who runs the site moorer-software.com. The site includes links to hacker sites and to hacker tools.

Moore, say prosecutors, immediately set to looking for vulnerable ports in "unsuspecting companies and other entities in the United States and around the world." He wasn't looking for Internet phone service ports, but instead for open, vulnerable ports and routers in private companies. When he found vulnerable ports, he would also hack into the network to get administrator names and passwords. The scope of the scanning was massive, say prosecutors, who claim that he performed six million scans of AT&T's worldwide network alone from June to October of 2005.

Moore allegedly sent the IP addresses of the open ports and routers to Pena, and also sent the network administrator names and passwords.

Hacking the Routers

With the IP addresses and network administrator names and passwords in hand, say prosecutors, Pena reprogrammed the routers to allow them to handle VoIP calls, and to disguise the true source of the traffic. Prosecutors say that one of the networks Pena hijacked in this way belonged to a Rye Brook, NY hedge fund company.

In other instances, say prosecutors, Pena and Moore rented servers under false names, including "David Hauster" and "Jake Hamilton," and used those rented servers to handle his customers' voice traffic.

Completing the Scam

The last step of the scam was relatively easy. Pena first routed his customers' calls to the Rye Brook hedge fund company network via the routers he had hacked, say prosecutors. In other instances, he routed them through the rented servers, they added.

Using his access to the routers, he then sent the calls from the hedge fund company, or his rented servers, to Internet phone service providers, according to prosecutors. They say that he routed the calls to 15 separate Internet phone service providers, including one based in Newark, NJ. The provider wasn't named in the charges, but Net2Phone, a large Internet phone service provider, is located in Newark.

Pena allegedly appended the access codes to the calls, so that the Internet phone providers would believe they were legitimate calls. The calls went through with no problems and were completed over the Internet phone provider networks. The Internet phone service providers, though, have been left holding the bag, because they had to pay $300,000 for routing the calls to other carriers.

The scope of the scam was massive. According to prosecutors, in a single three-week period, 500,000 calls were routed through the Newark Internet phone service provider, and were made to look as if they came from the Rye Brook hedge fund.

The Bottom Line

The bottom line in all this? It should be a wake-up call not just to Internet phone service providers, but to network administrators as well. This scam couldn't have been accomplished without there being enterprise network security holes -- and these holes may get bigger as voice is increasingly routed over enterprise IP networks.
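As an added illustration that is not part of the original article: one way a provider could spot, in its own call records, the two traffic patterns prosecutors describe, a source trying many prefixes until one gets through, and a sudden flood of completed calls from a single source such as a hijacked router. The call-record format, IP addresses, prefixes and thresholds are constructed for this example.

```python
# Added example, not from the article: flag prefix probing and call-volume
# spikes in constructed call-detail records (CDRs).
from collections import defaultdict
from datetime import datetime


def make_sample_cdrs():
    """Constructed CDRs: one prober, one normal customer, one hijacked router."""
    lines = []
    # Prober: eight prefix guesses against one number; only the last gets through.
    for i in range(8):
        result = "COMPLETED" if i == 7 else "REJECTED"
        lines.append(f"2005-07-01T10:00:{i:02d} 203.0.113.5 {1001 + i}#15551234567 {result}")
    # Normal customer: three completed calls with the valid prefix.
    for i in range(3):
        lines.append(f"2005-07-01T11:00:{i:02d} 198.51.100.7 1008#15559876543 COMPLETED")
    # Hijacked router: forty completed calls in under a minute.
    for i in range(40):
        lines.append(f"2005-07-01T12:00:{i:02d} 192.0.2.9 1008#1555{i:07d} COMPLETED")
    return lines


def parse_cdr(line):
    """Fields: ISO timestamp, source IP, '<prefix>#<number>', result."""
    ts, src, dialed, result = line.split()
    prefix, _, number = dialed.partition("#")
    return {"ts": datetime.fromisoformat(ts), "src": src, "prefix": prefix,
            "number": number, "ok": result == "COMPLETED"}


def find_prefix_probing(cdrs, min_distinct=5, max_success_rate=0.2):
    """Return {src: distinct prefixes} for sources that try many prefixes
    and are mostly rejected, the signature of prefix brute forcing."""
    by_src = defaultdict(list)
    for c in cdrs:
        by_src[c["src"]].append(c)
    flagged = {}
    for src, calls in by_src.items():
        prefixes = {c["prefix"] for c in calls}
        rate = sum(c["ok"] for c in calls) / len(calls)
        if len(prefixes) >= min_distinct and rate <= max_success_rate:
            flagged[src] = len(prefixes)
    return flagged


def find_volume_spikes(cdrs, baseline, factor=10):
    """Return {src: completed calls} where the count exceeds factor x the
    source's usual volume (baseline), e.g. a router suddenly relaying calls."""
    counts = defaultdict(int)
    for c in cdrs:
        if c["ok"]:
            counts[c["src"]] += 1
    return {s: n for s, n in counts.items() if n > factor * baseline.get(s, 1)}
```

Real deployments would window these checks by time and tune the thresholds to the provider's traffic; the point is that both patterns are visible in ordinary CDRs.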