Episode 1 - The Phreaky World of PBX Hacking

🎧 Episode Information

• Podcast: Darknet Diaries
• Host: Jack Rhysider
• Release Date: September 1, 2017
• Duration: 14 minutes
• Link: episode 1, Transcript
• Embedded Player:

📝 The Gist:

• Definition of PBX Hacking:

  • Hackers exploit business phone systems to make unauthorized long-distance calls, often to adult services or international destinations.
  • Victims receive inflated phone bills due to these fraudulent activities.

• Case Study – Adam Finch:

  • Adam’s company was charged an additional $24,000 for calls to pay-per-minute numbers.
  • Despite disputing the charges, the company had to pay, as phone providers typically hold businesses accountable for such frauds.

• Methods of Exploitation:

  • Hackers often use default voicemail passwords or insecure PBX configurations to gain unauthorized access.
  • Once inside, they reroute calls to premium-rate numbers they control, generating revenue from unsuspecting victims.

• FBI’s Pursuit – Farhan Arshad & Noor Aziz Uddin:

  • The duo was responsible for defrauding companies across multiple countries, leading to their placement on the FBI’s Cyber’s Most Wanted list.
  • They were arrested in Kuala Lumpur, Malaysia, but were released due to technicalities in the extradition process.
  • Subsequently, they fled to Pakistan.
  • In February 2015, Pakistani authorities, acting on a tip, arrested both individuals.

• Financial Impact:

  • The FBI estimated their activities resulted in over $50 million in damages.
  • Victims included municipalities and businesses in New Jersey, with one township incurring a $395,000 bill.

• Preventative Measures:

  • Experts like Paul Byrne emphasize securing PBX systems by changing default passwords, monitoring call patterns, and restricting international call capabilities.
  • Businesses are encouraged to regularly audit their phone systems to detect and prevent unauthorized access.

🧠 Technical Terms Explained

1. 📞 Private Branch Exchange (PBX) Systems: is a private telephone network used within an organization. It enables internal communication among employees and connects to external telephone networks for outbound calls. The PBX systems offer features like call forwarding, voicemail, and automated attendants, enhancing communication efficiency within organizations. PBX systems can be categorized into: [Forbes]

   • Traditional PBX: Utilizes analog lines and hardware installed on-premises.[Informa TechTarget]
   • IP-PBX: Operates over the internet, supporting Voice over IP (VoIP) calls.[Lifewire]
   • Hosted PBX: Cloud-based solutions managed by third-party providers.
2. 🛡️ PBX Hacking and Dial-Through Fraud: involves unauthorized access to a PBX system, allowing attackers to make fraudulent calls at the organization’s expense. This is often achieved by exploiting weak security measures, such as default passwords or unpatched vulnerabilities. The attackers typically route calls to premium-rate numbers they control, generating significant charges for the victim. [abhandshake.com]
3. 🧌 Troll Fraud: refers to a type of fraud where attackers manipulate PBX systems to make unauthorized calls, often to premium-rate numbers. These calls are typically brief but frequent, leading to substantial charges accumulating over time.
4. 🔐 How PBX Hacking Works: PBX hacking generally follows these steps:
   1. Scanning for Vulnerabilities and Gaining Access: Attackers scan for PBX systems with weak security, such as default passwords, could use brute-force attacks to gain unauthorized access, exploit unpatched/outdated softwares with security flaws, or impersonate legitimate personnel to gain access.
   2. Making Fraudulent Calls: With access to the PBX, attackers route calls to premium-rate numbers, incurring charges that are billed to the compromised organization.
   3. Covering Tracks: To avoid detection, attackers may erase logs or use techniques to mask the origin of the calls.
5. 🛡️ Protecting Your PBX System: To safeguard against PBX hacking:
   • Change Default Passwords: Immediately change default passwords to strong, unique ones.
   • Regularly Update Software: Keep the PBX software up to date with the latest security patches.
   • Implement Call Restrictions: Limit outbound calls to necessary numbers and set up alerts for unusual call patterns.
   • Monitor System Logs: Regularly review PBX logs for any unauthorized access attempts.
   • Educate Staff: Train employees on security best practices and the risks of social engineering attacks.

🛠️ Possible Projects

• Develop a monitoring tool to detect unusual call patterns in PBX systems.

• Create educational materials to raise awareness about PBX vulnerabilities.

📚 Further Resources

• Understanding PBX Systems
• The Inside Story Of How Pakistan Took Down The FBI’s Most-Wanted Cybercriminal
• FBI Cyber’s most wanted list