April 1, 2013

As if emergency responders weren’t already overloaded: Increasingly, extortionists are launching debilitating attacks designed to overwhelm the telephone networks of emergency communications centers and personnel, according to a confidential alert jointly issued by the Department of Homeland Security and the FBI.

"TDos" warning

“TDos” warning

The alert, a copy of which was obtained by KrebsOnSecurity, warns public safety answering points (PSAPs) and emergency communications centers and personnel about a recent spike in so-called “telephony denial-of-service” (TDoS) attacks:

“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities. Dozens of such attacks have targeted the administrative PSAP lines (not the 911 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. This type of attack is referred to as a TDoS or Telephony Denial of Service attack. These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”

According to the alert, these recent TDoS attacks are part of a bizarre extortion scheme that apparently starts with a phone call to an organization from an individual claiming to represent a collections company for payday loans. The caller usually has a strong accent of some sort and asks to speak with a current or former employee concerning an outstanding debt. Failing to get payment from an individual or organization, the perpetrator launches a TDoS attack. The organization will be inundated with a continuous stream of calls for an unspecified, but lengthy period of time.

DHS notes that the attacks can prevent both incoming and/or outgoing calls from being completed, and the alert speculates that government offices/emergency services are being “targeted” because of the necessity of functional phone lines. The alert says that the attacks usually follow a person with a heavy accent demanding payment of $5,000 from the company because of default by an employee who either no longer works at the PSAP or never did. The full alert is reposted here (PDF).

A much shorter version of this alert appeared in January 2013 on the Web site of the Internet Crime Complaint Center (IC3), which warned of another twist in these TDoS attacks: “The other tactic the subjects are now using in order to convince the victim that a warrant for their arrest exists is by spoofing a police department’s telephone number when calling the victim. The subject claims there is a warrant issued for the victim’s arrest for failure to pay off the loan. In order to have the police actually respond to the victim’s residence, the subject places repeated, harassing calls to the local police department while spoofing the victim’s telephone number.”

Neither alert specifies how these call floods are being carried out, but KrebsOnSecurity has featured several stories about commercial services in the underground that can be hired to launch TDoS attacks.

Image: SecureLogix

Image: SecureLogix

According to a recent report from SecureLogix, a company that sells security services to call centers, free IP-PBX software such as Asterisk, as well as computer-based call generation tools and easy-to-access SIP services, are greatly lowering the barrier-to-entry for voice network attackers.

The company says TDoS attacks can be  difficult to detect, because the attacker typically changes the caller ID on every call.  From their report: “This makes it very difficult even for service providers to detect the attacks. Unless these attacks can be quickly traced back to an originating carrier that typically does not generate many calls to the contact center, they are very difficult to differentiate from legitimate calls. The attacks also typically move through multiple service  providers, making them time consuming to trace back to the source.”

SecureLogix said TDoS attacks can employ simple audio content, including white noise or silence (which could be dismissed as a technical problem), foreign language audio (representing a confused user), or repeated DTMF patterns.

“These are simple techniques, with future attacks likely using other types of mutating audio. In the future, these attacks will be much more severe. By simply generating more calls or using more entry points to the [target] network, many more calls can be generated, resulting in a very expensive attack or one which  degrades the performance of a contact center, rendering access unavailable to legitimate callers and potentially impairing brand image.”


37 thoughts on “DHS Warns of ‘TDos’ Extortion Attacks on Public Emergency Networks

  1. John

    This seems like a twist on the attacks made to consumers indicating that their PC was infected and they had to buy a security product to fix it. I think we all should realize that this is just people who don’t have the means to earn a living honestly so now they have technology that can do these types of extortion attacks. What worries me is that the more we embrace technology in so many aspects of our lives. The more we risk a total breakdown when they are attacked.

    1. Charlie Griffith

      Many years ago when the company I worked for was starting to install a computerized inventory system I tried to have inserted a “program” adapted to to my needs which had overlapping effects.
      Not possible.
      So I had to adapt my procedures to those of a young “programmer”.
      Lesson: “Computers Rule.” …or Programmers rule.
      Now that Banking, Water and Sewage, Emergency Responders, and elevators in skyscrapers are vulnerable to clever criminals, the cat and mouse game has made all of us vulnerable.
      We’ve gained incredible processing speed…..and also evolving newer and increasingly very sophisticated vulnerabilities.
      We must weigh the former against the latter to judge if we’re “hoist on our own petard”.

      1. saucymugwump

        “So I had to adapt my procedures to those of a young ‘programmer’.”

        Why didn’t your company hire older, experienced software engineers? Did your HR department base its hiring decisions solely on price, i.e. did they practice the Walmart school of management?

        1. Infosec Geek

          @saucymugwump, back in the days when some of us started doing this, and applications like Charlie describes were being computerized for the first time, there simply weren’t enough older experienced programmers. Just getting software written and running on a 360/125 was a challenge, getting custom features included was not always practical, even though almost everything was custom coded.

          In those days security wasn’t a concern, the computers lived in glass houses and only talked to card readers, or maybe in cutting edge environments to a few green screen terminals over hard-wired lines using bisync. And that started us down the road to off shoring and today’s set of challenges.

          1. saucymugwump

            My first computer was an IBM 1130 and I don’t mean one in a museum.

            What got me started was his “So I had to adapt my procedures to those of a young ‘programmer’.”

            I have worked for many incompetent managers who would ask for a major change near the end of a development cycle. When we told them the cost they always would go ballistic. They clearly did not understand how software is built.

            An article I wish I had kept compared building software with building a skyscraper. Many of the proposed software changes were equivalent to someone asking the crew to move the locations of the lavatories after the elevators, floors, and structure was erected; sure, it could be done, but at a huge cost. Not to mention Brook’s Mythical Man Month.

  2. Paul Lubic Jr

    Brian,
    Great article! The TDOS attacks might also be a practice or intelligence run to see how our first responders react. I see them being used as a collateral attack to a larger, perhaps non-electronic terrorist event in the future.
    Best,
    Paul

  3. saucymugwump

    “The caller usually has a strong accent of some sort”

    Let me guess … Russian?

    Isn’t our anonymous Internet just grand?

    We need two Internets.

    The first is completely tied-down, with all traffic carrying trusted origin data. Russia, China, North Korea, and a few other countries will be excluded. Of course, this will require new routers, NIC cards, etc, and they will need to be built in the USA, Europe, or other trusted countries, but I consider that a bonus, job-wise.

    The second is the current one where perverts, song/movie thieves, Russian and Chinese criminals, and other losers can communicate.

    We could have both running on the current backbone if all category 1 traffic were encrypted in some manner, perhaps even in a VPN scheme between trusted nodes. Sure, it will slow things down a bit, but haven’t things gone far enough?

    1. SeymourB

      If perverts are going to be excluded from a “Secure Internet” then you’ll have to exclude a large swathe of Japan. Birthplace of tentacle porn.

      1. saucymugwump

        I am not a porn connoisseur, so I am not familiar with tentacle porn. I was mainly referring to child porn. I am not a prude who cares what people view on their computer as long as everyone is 18+. Porn is fine with me, but we need to eliminate sites where malware resides alongside virtual flesh. But I suspect some porn vendors might balk at losing all anonymity.

      2. Nick P

        It’s bigger in Japan, but America is guilty too: two Corman films and Evil Dead have scenes that fit the genre.

    2. bob

      Sounds great! I’m in with the “losers”! Just think, an internet free of sanctimonious wankers!

  4. john senchak

    We already had TDoS attacks for years , they are called legitimate collection agencies that call day after day, non stop and harass

    1. meh

      Good point, the culture banks and law enforcement have created leads to abuse easily – they fought higher taxes, regulations, and laid off most of their workers, now the system is ripe to be overwhelmed and shut down.

  5. zim

    Proxy the calls and filter with audio captcha.

  6. Callmelateforsupper

    The PDF “smells funny”. It contains some unprofessional language and at least one run-on sentence. I didn’t think to check for spelling errors before closing my PDF reader, but I think I will have a look later…. just for grins.

    The document is clearly marked with the classification LEO/FOUO (Law Enforcement Only / For Official Use Only), so, Brian,…… What’s up with posting it on the web?

    1. Neej

      Presumably you aren’t a fan of a free press, Wikileaks or transparency then.

    2. TaskForce717

      He obtained it ! Bet you what a map of how ?

  7. Mark Collier

    Brian thanks for the references in your post. In addition to the attacks against emergency services, we are also seeing attacks against financial contact centers. Also, some attackers doing traffic pumping for revenue generation are getting greedy and sloppy and they end up creating TDoS conditions.

    See my blog for more info http://www.voipecurityblog.com

  8. qka

    How are these extortionists expecting payment? That seems to be the weak link to me. Law enforcement has a long history of tracking money movement.

    1. nonegiven

      Typically, Green Dot cards or Western Union

  9. WhyWeimerii

    I have a more basic question and concern. Why is the Caller ID system so broken? Can’t it be hardened so spoofing isn’t childs’ play? Why isn’t DHS demanding that the telcos address this obvious vulnerability?

    1. Nic

      Imagine a call coming from another country. How can your telephone operator verify the claimed caller ID on the inbound call? It can’t. Thus the problem.

      Traditional telephony is being outmoded for reasons such as this. In 50 years, nobody in industrialized countries will make traditional telephone calls.

      1. saucymugwump

        ” How can your telephone operator verify the claimed caller ID on the inbound call? It can’t.”

        Absolutely correct. However, DHS should mandate that uncertain data, i.e. Caller ID data which was sent into the system from an outside source, be reflected as such. In Brian’s case, the Caller ID display at E911 should have displayed something like:

        UNVERIFIED #
        123-456-7890

        And then law enforcement policy should be that officers do not automatically assume the worst.

      2. meh

        You bring up a good point, already android and other phone OS have ways to block unknown calls or with primitive firewall type filters, soon they will support better filtering meaning this kind of crap will have a harder time making it through the defense.

  10. Mark Collier

    TDoS is a tough issue. You absolutely can’t trust calling number/caller ID and you will never get all the service providers to change that. SIP trunks, Asterisk, call generators – it is easy to generate attacks. They are tough to mitigate. Play CAPTCHAs to someone calling in an emergency – not likely. Drop the wrong call – thats unacceptable. Plus most 911 centers are still old-school TDM. Some are IP, but not as many as you might think.

  11. saucymugwump

    Everyone interested in the Caller ID spoofing issue should read today’s Reuters blog “The ‘next generation’ of American talk” by Rick Boucher, the former U.S. Representative for Virginia’s 9th congressional district. He waxes on about converting our telephone system in a 100% Internet-based one. Nowhere in the entire article does he mention the problem of spoofing. People here should send him polite emails and comment on the article explaining the problem.

    http://blogs.reuters.com/great-debate/2013/04/01/the-next-generation-of-american-talk/

    1. PBXeng

      If you look at Boucher’s bio on the right of his page, you’ll see he’s a spokesperson for an industry trade group and an attorney at a firm that represents Big Telecoms. In other words a shill.

      Attempting to persuade him politely will fail. What he needs is a visit from a couple of cybersecurity experts at FBI, to sit him down and tell him exactly what kind of nightmares will occur if his chirpy exhortations to destroy the PSTN succeed.

      The telephone is not a toy or an entertainment device. Above and beyond all else, it’s something you count on to save lives in emergencies. Boucher and his ilk need to understand that in no uncertain terms.

      As for what the rest of us can do: go to war against Boucher et. al. on the battlefield of public opinion. Don’t waste time trying to persuade him. Instead, deluge our elected officials with email on these subjects, write LTEs to local media, cover the subject matter on our own blogs and with our own clients, and enlist our clients in the opinion war.

      Also: Vote with our dollars. Don’t use services that erode the security of the PSTN. Insist on TDM, circuit-switched landlines: for yourself, and for your local public safety agencies.

      The telephone network, as with the internet, should be bifurcated: One network for idiots who put entertainment first, and one for anyone who wants service that’s robust, resilient, and reliable. At that point if idiots choose to play Darwin Roulette, they won’t be dragging the rest of us along for the ride.

  12. Jacek Materna

    Good discussion. The problem with regulation it its true intent is overshadowed by its typically tactical implementation. For example, a specific use case or medium is deemed as “bad” and regulation is put into place to “stop it”. More often than not, it compounds the issue further since entities are forced to meet X and Y when they are actually getting hit with Z. Case and point Caller ID. Does DHS even know enough about the Caller ID use-case to mandate a complete Caller ID regulation? No. They barely have a grasp on the “modern communications” market in general. What we all can agree on is that TDoS presents a real problem to enterprises today and will continue to be a problem as communications modalities increase (SIP, WebRTC, etc.). I don’t doubt that DHS intent is to fight TDoS but they need to leverage private enterprise/SP’s and work bi-directionally to raise awareness and protection nationally and even internationally. Will they do it? Is it too little too late? We will have to see how TDoS plays out in the next couple of quarters. Regulation (as is typically implemented) alone won’t solve this issue.

  13. Rehnquest

    It would be nice to include in your article the recommendations that were made in the alert/pdf, about how organizations/people should react and what kind of data they should collect if they wish to report the incident, and how to report it.

    Even The Register included that information.

  14. Rowan

    Hard to see how this will impact on the key emergency responders who already possess access to the Wireless Priority Service???

  15. atm skimmers

    Have you ever considered creating an e-book or guest authoring on other websites?
    I have a blog based on the same subjects you discuss and would really like to have you share some stories/information.
    I know my viewers would appreciate your work.
    If you are even remotely interested, feel free
    to send me an e-mail.

  16. msbpodcast

    The worst perpetrator of TDoS that I have encountered is Verizon.

    I cut the cord when it was useless and I’d given up trying to get any service from them.

Comments are closed.