Thousands lost in rising VoIP attacks

Attacks against Voice over IP (VoIP) systems to steal a victim's communications capabilities are on the increase and still inflicting thousands of dollars in damage.

Australian network companies have told of clients receiving phone bills including $100,000 worth of unauthorised calls placed over compromised VoIP servers. Smaller attacks have netted criminals tens of thousands of dollars' worth of calls.

A Perth business was hit with a $120,000 bill after hackers exploited its VoIP server to place some 11,000 calls over 46 hours last year.

VoIP networks are a cash cow for criminals, who can earn money from unscrupulous telecommunications carriers that profit from calls placed over victims' networks, or by ramping up calls to premium numbers.

The genesis of the practice dates back some two decades, when phreakers busted into phone companies to make free calls. VoIP attacks are now an established practice but victims are still easy pickings for criminals.

Local network providers and the SANS Institute have reported recent spikes in Session Initiation Protocol (SIP) scanning — a process to identify poorly configured VoIP systems — and brute-force attacks against publicly accessible SIP systems, notably on UDP port 5060.

Neural Networks noticed two VoIP attacks that left customers with thousand-dollar phone bills over a Sunday night after weak client passwords were exploited. Calls had originated and terminated in three different countries.

[Figure: SIP scans. Port 5050 traffic, likely brute-force attempts on SIP connections (Credit: SANS Institute)]

The company's managing director Richard Stephens said that Neural Networks has hardened security measures and enforced stricter password controls on clients following recent attacks.

"There are several security measures that can be done to mitigate attacks, essentially good security practice, but the softest and most common target is weak or non-existent passwords," Stephens said.

Passwords and prefixes should be enforced so they cannot be easily guessed, Stephens said. Other methods to prevent or reduce damage from VoIP attacks include placing caps on the number of calls customers can make over a period, preventing calls being made to countries not usually contacted, and implementing systems to detect anomalous behaviour.

Applications including Fail2ban can help prevent rapid, repeated bogus VoIP registration attempts, and some attacks can be avoided by changing the SIP ports used by clients.
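The call caps and unusual-destination checks described above can be run over a VoIP server's call detail records. The sketch below is an added example, not code from the article or from any company quoted in it; the record layout, policy values, extension names and phone numbers are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy values; tune them to each customer's normal calling pattern.
ALLOWED_PREFIXES = ("+61", "+64")   # country codes this customer usually calls
MAX_CALLS = 5                       # cap on calls per account per window
WINDOW = timedelta(minutes=10)


def review_calls(cdrs, allowed=ALLOWED_PREFIXES, max_calls=MAX_CALLS, window=WINDOW):
    """Return (timestamp, account, number, reason) alerts, in time order."""
    recent = defaultdict(deque)     # account -> call timestamps inside the window
    alerts = []
    for ts, account, number in sorted(cdrs):
        # Check 1: destination outside the countries normally contacted.
        if not number.startswith(tuple(allowed)):
            alerts.append((ts, account, number, "unusual-destination"))
        # Check 2: sliding-window cap on the number of calls per account.
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_calls:
            alerts.append((ts, account, number, "call-cap-exceeded"))
    return alerts


def accounts_to_block(alerts):
    """Accounts that breached the cap and should be suspended pending review."""
    return sorted({acct for _, acct, _, reason in alerts if reason == "call-cap-exceeded"})


# Constructed sample records (not real data): one normal extension, and one
# extension placing a tight burst of calls to an unfamiliar country code.
_t0 = datetime(2024, 1, 7, 23, 0, 0)
SAMPLE_CDRS = [
    (_t0, "ext100", "+61892220000"),
    (_t0 + timedelta(hours=1), "ext100", "+6493330000"),
] + [
    (_t0 + timedelta(seconds=30 * i), "ext200", "+99955500%02d" % i)
    for i in range(8)
]

if __name__ == "__main__":
    for alert in review_calls(SAMPLE_CDRS):
        print(*alert)
    print("suspend:", accounts_to_block(review_calls(SAMPLE_CDRS)))
```

Running the checks as calls are placed, rather than at billing time, is what limits the damage from an overnight or weekend burst.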

"It is very convenient to run VoIP and pay hundreds rather than tens of thousands of dollars for an 'old school' PABX, but it comes with responsibility to ensure the system is not open," Sophos head of technology Paul Ducklin said.

Federal law enforcement can do little to prosecute perpetrators of an offshore VoIP attack, and is bound by the same jurisdictional problems as in other instances of cybercrime.