[VOIPSEC] NY Times, ABC News reporting on fraud scheme using hacked VoIP service providers

dan_york at Mitel.com dan_york at Mitel.com
Thu Jun 8 10:02:27 CDT 2006 

VOIPSEC readers,

Dave Endler wrote about this on the VOIPSA blog last night ( 
http://voipsa.org/blog/2006/06/07/hacker-cracks-net-phone-providers-for-gain/ 
) but list member Craig Bowser also dropped me a note today pointing out 
that this item was being discussed by ABC News (Thanks, Craig!).  If you 
haven't followed the story, this summary is from the US Dept of Justice 
press release yesterday:

NEWARK, N.J. ? A Miami man who purported to be a legitimate wholesaler of 
Internet-based phone services was arrested today for allegedly running a 
sophisticated fraud, by secretly hacking into the computer networks of 
unsuspecting Voice Over Internet Protocol (VOIP) telephone service 
providers, including one Newark-based company, to route his customers' 
calls, U.S. Attorney Christopher J. Christie announced.
Through his scheme, defendant Edwin Andres Pena, is alleged to have sold 
more than 10 million minutes of Internet phone service to telecom 
businesses at deeply discounted rates. The victimized Newark-based 
company, which transmits VOIP services for other telecom businesses, was 
billed for more than 500,000 unauthorized telephone calls routed through 
its calling network that were "sold" to the defendant's unwitting 
customers at those deeply discounted rates

More links here:

  DOJ press release: 
http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pena0607_r.htm
  NY Times: 
http://news.com.com/Hacker+cracked+Net+phone+networks+for+gain,+feds+say/2100-7348_3-6081014.html
  ABC News: http://abcnews.go.com/Technology/wireStory?id=2051976&page=1

Interestingly, it seems the defendant paid a hacker $20,000 to break into 
the VoIP service providers and set this up.

The NY Times article quoted a Verisign rep who pointed out that a large 
part of the issue is that many consumer VoIP vendors primarily send their 
traffic over the Internet un-encrypted.  Of course, one would expect 
Verisign to say this, given their business... but I do agree with them on 
this point. While encryption is not a cure-all, it certainly would have 
make a fraud like this very difficult to do.

Regards,
Dan

-- 
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp.     http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for 
secure communication

More information about the Voipsec mailing list