December 20, 2011

A new service on the cyber criminal underground can be hired to tie up the phone lines of any targeted mobile or land line around the world. The service is marketed as a diversionary tactic to assist e-thieves in robbing commercial customers of banks that routinely call customers to verify large financial transfers.

For just $5 an hour, or $40 per day, you can keep anyone’s phone so tied up with incoming junk calls that the number is unable to receive legitimate calls.

The seller offers discounts for frequent buyers of his service, and promises that each call to the targeted number will appear to come from a unique phone number, thereby foiling any efforts to block the bogus calls by caller ID. The vendor also is offering this service under escrow payment, which many fraud forums use to ensure both parties to a transaction are happy before payment is rendered.

The FBI first warned about these attacks in June 2010, advising that that receiving rapid-fire “dead air” calls could be a sign that your bank account is being emptied. From that advisory:

“Denial-of-service attacks, by themselves, are nothing new—computer hackers use them to take down websites by flooding them with large amounts of traffic.”

“In a recent twist, criminals have transferred this activity to telephones, using automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens.”

“Why are they doing it? Turns out the calls are simply a diversionary tactic: while the lines are tied up, the criminals—masquerading as the victims themselves—are raiding the victims’ bank accounts and online trading or other money management accounts.”

The easy availability of this criminal offering highlights once again how nearly every aspect of the cyber underground has been converted into a service for hire. Take cyber heists, for instance: Everything about them can now be outsourced to third party services.

You can rent a botnet to send your Trojan-laced emails and steal online banking credentials from thousands who click the booby-trapped attachments. You can purchase Web injects that allow you to change the behavior of targeted bank Web sites as they are displayed in the victim’s browser. If you want help hauling the loot, you can rent access to money mules that are hired by mule recruitment gangs. And if you need a diversion to distract or otherwise occupy your victims while you rob them, you can rent this service.

20 thoughts on “Busy Signal Service Targets Cyberheist Victims

  1. John

    The banks policy should be if we can’t verify the transaction with the customer we don’t send the transaction. This policy would void this type of attempt at fraud.

    I feel all transaction that originate via internet banking should have someone verify them before they are processed. It would stop most of the online banking fraud. I’m afraid this will never happen. Customers want fast quick and easy, and only want safe when their money is stolen. The other problem are banks are not willing to slow down the transaction for review for fear of upsetting the customer for the transaction tacking to long.

    1. george

      And yet one more problem is that banks, when signing in customers for Internet Banking hand them leaflets in which security risks are grossly downplayed and totally outdated by the risks of 2007+ banking trojans. Even when I check now the webpage of my bank “How to do safe Internet Banking” they would only mention very simple threats, such as mail and telephone phishing and nothing about the threats common today that can easily defeat key fobs and one-time passwords.

  2. DavidM

    Just when you thought that you had seen everything…. If these guys put this much effort into legit ideas , maybe they wouldn’t have to steal for a living!

    1. Jayp

      On the contrary, it’s not that easy to make a living, even with hard work and dedication. Illegitimacy is exponentially more profitable with the same amount of creativity and effort into a project…actually it’s probably more work to make a bare minimum living than not.

  3. Rick

    John has an excellent idea. At least make that an option that consumers can “choose”. Surely it would have an impact.

  4. EP

    Sounds like they’re using some sort of application that exploits weak voip service providers. Probably something freely available like Google Voice. I notice google voice provides numbers easily and to any gmail account. Text alerts can easily be spammed using SMTP/POP3 addresses provided by for instance GMAIL. I’m sure both are tied together in some way and can easily be exploited by either a remote or local solution. It’s also possibly it’s sorted further through botnet/rootkit applications to launch the systematic attacks to guarantee the randomly generated phone numbers to prevent “blocks”

    The FCC should regulate how far VOIP providers access is allowed before accepting these type of solutions.

    Magic Jack is frequently used and easily acquired as well.

    1. Neej

      Could just as easily be virtual mobile numbers … kinda hard to say without any information regarding it tbh.

      I’ve seen jobs on minuteworkers that pay for providing these virtual numbers to the creator of the job. Some services offer them for free however AFAIK each one has to be confirmed using SMS to a legitimate mobile number tied to a real SIM. Although God knows this could probably be got around heh.

      1. John

        While you may be right I have a different theory. We all know that smartphones are quickly out selling desktops, and laptops. We all should also know that the bad guys have made malware for your phone. This maleware can block call or even make calls. My guess is someone has set up a bot net using mobile devices. I have no proof just think out loud.

  5. No_One

    Frickin’ russians, they’re always in these kind of frauds, I’m tired of them.

  6. Michael jackson

    This blog in the best step by step guide for cyber crooks even …love in it brian ( with a small b )

    i all so wondering why is he allways exposes Russian gangs sure there is lots more in this World then just poor RUSSIAN students trying to steal 100-200 $ from stupid american usesers who dont even know what AV or FW is … But no , he allways goes for RUSSIAN forums , board , chats and so on ..

    ppl in FSB wont tolerate this for to long brian ..

    And im sure u know whats happening with a ppl like you brian , im sure u do ..ANNA PILITKOVSKAJY and Sergei Magnitsky is a good examples ..

    p.s its just a matter of time

    1. DavidM

      More of Brian’s fan’s are stopping by to say hello. Good to see you here! Hmmm, so you think Brian is picking on your friends huh, well if you have some other cyber crime associates you aren’t really that chummy with you could always send Brian the info on them and who knows, they could be in a story here too!

      So feel free to rat-er- share some info about your criminal friends with Brian and then all you will need to do is stop by and see if they or you make any further headlines.

      Oh by the way don’t forget to order your ” Brian Krebs exposed me and All I got was a cell and this T shirt” I am sure it will look good on ya!

  7. Paul Jones

    This is terrible news. It seems likev these hackers never give up and always trying to cause mayhem. They need to get a life of their own.

  8. FuzzyH

    For 5 bucks for an hour…that would be one cheap practical joke to play on someone.

    1. nkwell

      This was originally why I wrote something like this in 06, to annoy people, and someone was prank calling my sister @ 3AM, so I let it run on her prank caller for an hour. Afterwards I told her she owed me $0.75, since that was all it cost me to run it for that long.

      @ 40.00/day, these guys are making a killing. The provider I was using to perform this was only charging .02/min.

      In my case, it was purely prank/revenge, I had written some answering machine detection routines for another project, so I folded those in, and if it hit your voicemail, it would play yakety-sax until VM disconnected the call. So, in addition to the incessant phonecalls from all over the country, your voicemail would be filled with yakety-sax.

  9. JS

    Unfortunately the scenario I see goes.

    Why are the phones all tied up?
    Hey the bank sent an SMS/Email. They messaged us to inform that $$$$ has been sent to Moosylvania…

    Accountant/CFO now has hand clutching heart…. quick call 911 … hey the phones are still tied up ….

    Would it just easier to enforce public safety laws?

    Methodically tying up the phone system is a life safety issue in that it messes with a callout for emergency or reverse 911.

    IF & When prosecuted that ought to add some weight to the sentence.
    Its an additive charge for inducing public disorder; like pulling the fire alarm to cause a panicked diversion in a robbery/escape.

    1. gravicapa

      russian justice the best thing ever, a lot of money = freedom

  10. Phantox

    This isn’t that new I did something similar at the request of one of my employers. We managed some large blocks of DID’s for prescription fax services for several dozen small doctor offices. A spam fax operation for a timeshare? locked onto our DID block and was continuously spamming our clients. We called them up and requested they remove us from their list, they told us it would take up to two weeks to be removed from their dialing software. Having access to multiple PRI’s and several accounts at multiple ITSP’s I configured one of our phone servers to stack up 100 concurrent calls, play a recorded message (stop spamming us or we’ll shut you down) in a loop for 20 seconds then drop, with a new call starting every .5 seconds. We started the scripts waited a few seconds and tried to call back from a cell and of course couldn’t get through. We let this run for an hour, shut everything down, then called back was instantly transferred to one of the directors and we explained that they could either take us off their list now or we’d shut them down for a week. Less than 5 minutes later all our numbers were removed from the list. Funny how something that would take two weeks was done in 5 minutes and that was him writing down the info, and making a call to their IT group.

    Most people don’t realize that a single PRI is only 23 channels and even 100 person call centers typically don’t have more than 5 circuits, its trivial to shut down an entire business. We all know DDoS attacks were used to blackmail online casino’s years ago, how long until we see criminal organizations use similar tactics to blackmail a company by wiping out their phone infrastructure. Enough hacked sip accounts and a few dedicated boxes and you can shut down the largest call centers in the US without much work.

Comments are closed.