talking telephone numbers - a history of telephone fraud - modem dialler fraud 2003-7


Upload: clive-aldred

Post on 28-Nov-2014


Category:

Technology



DESCRIPTION

In the early days of the internet, access to websites was conducted by "dial-up" modems. Billions of people worldwide found themselves silently disconnected from a local telephone number to an expensive Premium Rate number, and the call was also bounced around the world. The victims were members of the public who were supposed to be protected by Regulation, but instead were forced to pay huge phone bills. Of course, the law was always late to catch on and most of these early "white collar crimes" were never prosecuted (at least not in the UK). This presentation was originally put forward at the European Telephone Network Operators Fraud Working Group by its President Luis, who was the only guy with the knowledge and contacts to trace all the way back to the source Lee Jones. No one questions how you made your money so long as you have enough to splash around and today Lee is still in business with his own private investment company (http://www.creditas.com) and telco (see http://www.neutrinonetworks.co.uk), having sold his original businesses Wire9 and Cloud9 back in 2008.

TRANSCRIPT

Page 1: Talking Telephone Numbers - A History of Telephone Fraud - Modem Dialler Fraud 2003-7

Internet Dumping & IRS Fraud

Luis Sousa Cardoso
FIINA President
QSDG/ITU Chairman

WEB DIALLERS

Page 2

Page 3

General Information

Page 4

Definitions

‘Internet dumping’ or ‘modem hijacking’ is what occurs when the telephone line that connects your computer to the Internet is disconnected and then reconnected to a new telephone number without your full knowledge or consent. The new number, generally an international one, has a high call charge rate.

Source: Australian Communications Authority

Page 5

Page 6

1 - CONTACT WITH WEBSITE IN DALLAS

CALL IS CUT-OFF

WEB SITE: www.sexygirls.com

Page 7

2 - A PHONE CALL IS ESTABLISHED TO MOLDOVA

PHONE NUMBER +373 xxxxxxxx

Page 8

2 - THEN THE CALL IS FORWARDED TO CANADA

MOLDOVA, SCARBOROUGH

PHONE NUMBER +373 XXXXXXX
PHONE NUMBER + 1 519 XXXXXXX

Page 9

2 - AND RETURNED TO DALLAS

MOLDOVA, SCARBOROUGH, DALLAS

PHONE NUMBER +373 XXXXXXX
PHONE NUMBER + 1 519 XXXXXXX
PHONE NUMBER + 1 214 XXXXXXX

Page 10

5 - AND DOWNLOAD STARTS

MOLDOVA, SCARBOROUGH, DALLAS

DOWNLOAD STARTS VIA TELEPHONE NETWORK INSTEAD OF VIA INTERNET

Page 11

USER'S BILL

Page 12

JESUS CHRIST!!!

HOW TO PAY THIS BILL???

The first victim of dialers

Page 13

How does it work?

• Internet dumping can occur when you access certain Internet websites. A very small program known as a dialer is downloaded onto your computer from these websites and installed, often using ActiveX technology.

• Dialers are frequently linked with pornographic websites, but are sometimes found on gambling, games and music sites.

• In everyday terms, the dialer can sometimes be seen as a Trojan horse.

Source: Australian Communications Authority

Page 14

Definitions

ActiveX is a Microsoft technology that allows Internet applications that are more powerful than simple scripts.

Source: Australian Communications Authority

Page 15

How are dialers installed and run?

• When you click on an icon or button on a web page you may download a dialer.

• Unscrupulous sites provide little warning that you will have to pay a higher call charge if you agree to download the Internet dialer to access the website.

• Some dialers can re-dial and connect your computer at a high call charge rate automatically, and some even mute the dialing noises your modem makes through your computer speakers to hide the fact that the modem is dialing.

Source: Australian Communications Authority

Page 16

Is it legal?

The provision of pay-per-view content via a website utilizing dialer software is legal as long as the site gives adequate warning that charges may be incurred upon entering the website, and as long as the software is configured to ensure that the premium rate services are disconnected at the end of the Internet user’s session.

Source: Australian Communications Authority

Page 17

Internet dialers aren’t all bad

Internet dialers also allow you to pay for certain services over the Internet using your telephone account rather than a credit card, for example, downloading ring tones or call-back services for travelers. This payment service can be useful provided it is done with your knowledge and consent. Some dialers can be used as a SECURITY ADD-ON for dial-up access.

Source: Australian Communications Authority

Page 18

‘Good’ and ‘Bad’ dialers

• We consider as ‘good’ dialers those which warn you that you will dial an international telephone number with a high charge.

• By contrast, ‘bad’ dialers are those that give no warning that you will make an international telephone call, and that establish this dial-up connection automatically.

Page 19

‘Good’ dialers

Page 20

‘Good’ dialers

Page 21

‘Good’ dialers

You must be eighteen (18) years of age or older to use this service. You are acknowledging that you are eighteen (18) years of age or older if you continue to use this software. BY USING THIS SOFTWARE, YOU WILL DIAL AN INTERNATIONAL TELEPHONE NUMBER FOR WHICH INTERNATIONAL LONG DISTANCE CHARGES APPLY (SEE DETAILS BELOW).

By choosing this Dialer as a payment method for this content, you will download our proprietary software to your computer's hard drive.

Once connected, you will establish a connection with a remote server outside of your country. Your modem will disconnect from your Internet Service Provider and dial an INTERNATIONAL TELEPHONE NUMBER to Cook Island. An INTERNATIONAL LONG DISTANCE call to Cook Island will appear on your phone bill. Rates are subject to change, check with your local carrier for exact rates. Your phone bill will reflect charges on a per minute basis (rounded up to the next whole minute) for the cost of the call. You can terminate our service by one of the following procedures:

1. You can terminate the connection by selecting the modem symbol located on the lower right side of Windows 95/98 tool bar, then by clicking on the "Disconnect" button, or Clicking on the Pay Dial application icon at the lower portion of Windows 95/98 tool bar. When the message box shows up, click "Yes" to disconnect the service.

2. You can connect to this service for the maximum of thirty (30) minutes. Pay Dial software will automatically terminate this service after thirty (30) minutes;

You may use this service only if you are the line subscriber or are authorized by the line subscriber to incur charges on the phone bill.

Page 22

SOME Risky Destinations

Destination  Code
Central African Rep.  +236
São Tomé and Principe  +239
Diego Garcia  +246
Comoros  +269
Austria  +43
Norfolk Island  +672
Nauru  +674
Papua/N. Guinea  +675
Solomon Islands  +677
Vanuatu  +678
Wallis and Futuna  +681
Cook Islands  +682
Kiribati  +686
Tuvalu  +688
French Polynesia  +689
Tokelau  +690

ALL DESTINATIONS WITH HIGH TERMINATION RATE (e.g. EMSAT and ANTARCTICA NETWORK or IRS on GSM networks)

Page 23

Technical analysis of diallers

Page 24

How does a dialer work?

[Diagram: User, INTERNET, Web Server, File Server Containing Dialer, Video Server]

Page 25

The connection with the ISP has been established

Page 26

The connection with the ISP has been established at 52000 bps. The ISP telephone number is 8962555555.

Page 27

The ‘IPCONFIG’ command shows us the IP that we got from the ISP, which is 212.205.210.20

Page 28

The ‘TRACEROUTE’ command shows us the route from our machine to the ISP server

Page 29

We visit a site to download a password

Page 30

Clicking ‘YES’ is the fatal action

Page 31

The dialer is being downloaded

Page 32

The telephone number that we are connected to has changed from 8962555555 to 002395009

Page 33

With the ‘IPCONFIG’ command we see that the IP has changed to 192.168.0.182, which is an IP of an internal network

Page 34

With the ‘TRACEROUTE’ command we see that the route has changed. It is longer and we have been connected with a company called VIATEL

Page 35

A shortcut appears on Network Connections

Page 36

Using www.ip2location.com we detect the location of the company that offers dialer services

Page 37

002395543 or 0023955XX

• Not an existing series on the STP numbering plan

• Not an outsourced series

• Not routed via PTC

MISUSE
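
Added example (not part of the original presentation): one way a fraud team could search call detail records for the pattern shown on the preceding slides, a dial-up call to the ISP access number that ends and is followed moments later by an international call to a listed risky destination on the same line. The Cdr record layout, the "00" international prefix, the two-minute window and the sample records are assumptions constructed for illustration; the ISP number, the redialled number and the country codes are the ones shown in the presentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Country codes from the "SOME Risky Destinations" slide.
RISKY_CODES = {
    "236": "Central African Rep.", "239": "São Tomé and Principe",
    "246": "Diego Garcia", "269": "Comoros", "43": "Austria",
    "672": "Norfolk Island", "674": "Nauru", "675": "Papua/N. Guinea",
    "677": "Solomon Islands", "678": "Vanuatu", "681": "Wallis and Futuna",
    "682": "Cook Islands", "686": "Kiribati", "688": "Tuvalu",
    "689": "French Polynesia", "690": "Tokelau",
}

@dataclass
class Cdr:              # hypothetical, simplified call detail record
    line: str           # subscriber line
    dialled: str        # digits as dialled
    start: datetime     # call start time
    seconds: int        # call duration

def risky_destination(dialled, intl_prefix="00"):
    """Name of the listed destination, or None for any other number."""
    if dialled.startswith("+"):
        digits = dialled[1:]
    elif dialled.startswith(intl_prefix):   # assumed international prefix
        digits = dialled[len(intl_prefix):]
    else:
        return None                         # local or national call
    for n in (3, 2):                        # listed codes have 3 or 2 digits
        if digits[:n] in RISKY_CODES:
            return RISKY_CODES[digits[:n]]
    return None

def find_dumping(cdrs, isp_numbers, window=timedelta(minutes=2)):
    """Flag calls to a listed destination that start within `window` of the
    end of a dial-up call to a known ISP access number on the same line."""
    alerts, isp_end = [], {}
    for c in sorted(cdrs, key=lambda c: c.start):
        if c.dialled in isp_numbers:
            isp_end[c.line] = c.start + timedelta(seconds=c.seconds)
            continue
        dest = risky_destination(c.dialled)
        prev = isp_end.get(c.line)
        if dest and prev and timedelta(0) <= c.start - prev <= window:
            alerts.append((c.line, c.dialled, dest, c.seconds))
    return alerts

# Constructed sample records; only the ISP access number and the redialled
# number on LINE-A are taken from the slides.
T0 = datetime(2005, 5, 1, 21, 0, 0)
SAMPLE = [
    Cdr("LINE-A", "8962555555", T0, 600),                           # ISP session
    Cdr("LINE-A", "002395009", T0 + timedelta(seconds=620), 1800),  # silent redial
    Cdr("LINE-B", "8962555555", T0, 900),
    Cdr("LINE-B", "2101234567", T0 + timedelta(seconds=930), 120),  # national call
    Cdr("LINE-C", "0043123456", T0, 300),                           # no ISP call before
]

if __name__ == "__main__":
    for alert in find_dumping(SAMPLE, {"8962555555"}):
        print(alert)
```

The call to Austria on LINE-C is not flagged, because a listed country code on its own says nothing about whether a dialler placed the call; only the ISP-call-then-redial sequence on the same line is reported.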

Page 38

Internet Explorer has encountered a problem caused by the downloading of the dialer

Page 39

A shortcut appears automatically on the desktop

Page 40

We are connected to the internal network (192.168.0.182) of a company in Poland

Page 41

Using the sniffer IRIS v4.07.1 we decode the packets from and to our machine

Page 42

Technical data useful to our research

Page 43

Using the ‘DECODE’ command, packets which are in the buffer start to be decoded

Page 44

A decoded packet from the web site www.erotic.pl

Page 45

We receive useful information from the decoded packets

Page 46

We receive useful information from the decoded packets

Page 47

Our PC tries to GET the dialer from pinkbox.pl

Page 48

Using www.samspade.org we detect the location of pinkbox.pl

Page 49

The results of our investigation

Page 50

Using BinText 3.0 as well as IDA, we reverse engineer the dialer and decrypt it, discovering all its secrets.

Page 51

……more secrets

Page 52

ANOTHER CASE to GSM

PTC noted several calls to KPN mobile numbers made with WEB diallers:

+31 620675560
+31 620985172
+31 612203785
+31 622834749

After some discussion with Portuguese customers dialling those numbers, a situation of Internet dumping was found, and the numbers were blocked.

Due to the fast action, the number of minutes involved was about 250.

These numbers matched information reported by Maltacom.

Page 53

Maltacom also reported the Internet dumping situation to those numbers and to the following ones:

+31 623 079882
+31 613 269348
+31 613 179137
+31 613 262607

Maltacom also decided to block such numbers. In this case the number of minutes involved was about 197.47 hours.

Page 54

Maltacom and PTC started an investigation based on the practices presented during previous meetings.

So the diallers were installed on a test PC.

And the results were:

Page 55

192.168.0.1  255.255.255.0

194.54.173.109  255.255.255.255  194.54.173.109

Page 56

Information related to '194.54.172.0 - 194.54.175.255'

organisation: ORG-WA24-RIPE
org-name: Wire9
org-type: NON-REGISTRY
remarks: Wire9.com
address: Hunter House, Hutton Road Shenfield
address: CM15 8NL
address: UK
phone: +44 (0) 8707 469 796
e-mail: [email protected]
person: Lee Jones
address: Wire9 Telecom PLC
address: Hunter House, Hutton Road
address: Shenfield, CM15 8NL, UK
phone: +44 (0) 8707 469 796
fax-no: +44 (0) 8707 469 797

Page 57

Page 58

The starting WEB site

Page 59

WHOIS information for valuedcontents.com:

Registrant: Marco Casali (VALUEDCONTENTS-COM-DOM) via De Gasperi Roma, nn 66023 italy 0670623431 [email protected]

Domain Name: VALUEDCONTENTS.COM

Administrative Contact: Marco Casali [email protected] via De Gasperi Roma, nn 66023 italy 0670623431

Technical Contact, Zone Contact: Marco Casali [email protected] via De Gasperi Roma, nn 66023 italy 0670623431

Page 60

RELATED WEB

Page 61

http://www.solo-adulti.com/en/index.html

Page 62

Page 63

http://www.solo-adulti.com/en/chatcam/delay.htm

Page 64

Page 65

Page 66

http://www.solo-adulti.com/en/index.html

Page 67

Page 68

Page 69

Who can become a victim?

Virtually any household can become a victim to these malicious dialers.

Page 70

ITU/QSDG Xi’an Meeting, May 2005

1. Document titled ‘Information concerning the use of 882 13 numbers’ (COM2-D173-E), a Swisscom contribution, was presented.

2. It is recommended that operators should prepare their fraud staff for new situations such as web dialers. This needs to be done involving CRM staff as well.

3. It was concluded that operators should not do a global block of a destination when trying to fight web dialler fraud. If it happens, then it should be considered a commercial decision and not related to the fraud aspect. It is clear that this type of traffic could increase outgoing traffic and some operators may wish to reduce their out-payments. However, such decisions are not related to fraud. Concerning the fraud aspect, only rogue diallers should be blocked.

Page 71

ETNO

It is recommended that, concerning the fraud aspect, only rogue diallers, mainly those producing Internet dumping and/or modem hijacking, should be blocked. This requires a proper investigation to gather proof of the rogue dialler (e.g. the dialer programme).

It is also recommended that operators should prepare their fraud staff for new situations such as web diallers and possible rogue dialers. This needs to be done involving CRM staff as well.

It is also recommended that a clear position be taken within each organization (operator) in order to allow a common understanding by all areas of the organization on how to deal with internet dumping fraud and associated activities.

Page 72

Thank you