As if emergency responders weren’t already overloaded: Increasingly, extortionists are launching debilitating attacks designed to overwhelm the telephone networks of emergency communications centers and personnel, according to a confidential alert jointly issued by the Department of Homeland Security and the FBI.
The alert, a copy of which was obtained by KrebsOnSecurity, warns public safety answering points (PSAPs) and emergency communications centers and personnel about a recent spike in so-called “telephony denial-of-service” (TDoS) attacks:
“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities. Dozens of such attacks have targeted the administrative PSAP lines (not the 911 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. This type of attack is referred to as a TDoS or Telephony Denial of Service attack. These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”
According to the alert, these recent TDoS attacks are part of a bizarre extortion scheme that apparently starts with a phone call to an organization from an individual claiming to represent a collections company for payday loans. The caller usually has a strong accent of some sort and asks to speak with a current or former employee concerning an outstanding debt. Failing to get payment from an individual or organization, the perpetrator launches a TDoS attack. The organization will be inundated with a continuous stream of calls for an unspecified, but lengthy period of time.
DHS notes that the attacks can prevent both incoming and/or outgoing calls from being completed, and the alert speculates that government offices/emergency services are being “targeted” because of the necessity of functional phone lines. The alert says that the attacks usually follow a person with a heavy accent demanding payment of $5,000 from the company because of default by an employee who either no longer works at the PSAP or never did. The full alert is reposted here (PDF).
A much shorter version of this alert appeared in January 2013 on the Web site of the Internet Crime Complaint Center (IC3), which warned of another twist in these TDoS attacks: “The other tactic the subjects are now using in order to convince the victim that a warrant for their arrest exists is by spoofing a police department’s telephone number when calling the victim. The subject claims there is a warrant issued for the victim’s arrest for failure to pay off the loan. In order to have the police actually respond to the victim’s residence, the subject places repeated, harassing calls to the local police department while spoofing the victim’s telephone number.”
Neither alert specifies how these call floods are being carried out, but KrebsOnSecurity has featured several stories about commercial services in the underground that can be hired to launch TDoS attacks.
According to a recent report from SecureLogix, a company that sells security services to call centers, free IP-PBX software such as Asterisk, as well as computer-based call generation tools and easy-to-access SIP services, are greatly lowering the barrier-to-entry for voice network attackers.
The company says TDoS attacks can be difficult to detect, because the attacker typically changes the caller ID on every call. From their report: “This makes it very difficult even for service providers to detect the attacks. Unless these attacks can be quickly traced back to an originating carrier that typically does not generate many calls to the contact center, they are very difficult to differentiate from legitimate calls. The attacks also typically move through multiple service providers, making them time consuming to trace back to the source.”
SecureLogix said TDoS attacks can employ simple audio content, including white noise or silence (which could be dismissed as a technical problem), foreign language audio (representing a confused user), or repeated DTMF patterns.
“These are simple techniques, with future attacks likely using other types of mutating audio. In the future, these attacks will be much more severe. By simply generating more calls or using more entry points to the [target] network, many more calls can be generated, resulting in a very expensive attack or one which degrades the performance of a contact center, rendering access unavailable to legitimate callers and potentially impairing brand image.”