talking telephone numbers - a history of telephone fraud - modem dialler fraud 2003-7
DESCRIPTION
In the early days of the internet, access to websites was conducted by "dial-up" modems. Billions of people worldwide found themselves silently disconnected from a local telephone number to an expensive Premium Rate number, and the call was also bounced around the world. The victims were members of the public who were supposed to be protected by Regulation, but instead were forced to pay huge phone bills. Of course, the law was always late to catch on and most of these early "white collar crimes2 were never prosecuted (at least not in the UK). This presentation was originally put forward at the European Telephone Network Operators Fraud Working Group by its President Luis, who was the only guy with the knowledge and contacts to trace all the way back to the source Lee Jones. No one questions how you made your money so long as you have enough to splash around and today Lee is still in business with his own private investment company(http://www.creditas.com) and telco (see http://www.neutrinonetworks.co.uk), having sold his original businesses Wire9 and Cloud9 back in 2008.TRANSCRIPT
1
[email protected]@ieee.org
Internet Dumping &
IRS FraudLuis Sousa Cardoso
FIINA PresidentQSDG/ITU Chairman
WEB DIALLERS
1
2
3
General Information
4
Definitions
‘Internet dumping’ or ‘modem hijacking’ is what occurs when the telephone line that connects your computer to the Internet is disconnected and then reconnected to a new telephone number without your full knowledge or consent. The new number, generally an international one, has a high call charge rate.
Source: Australian Communications Authority
5
6
DALLAS1 - CONTACTWITH WEBSITE IN DALLAS
CALL IS CUT-OFF
WEB SITE: www.sexygirls.com
7
MOLDOVA2 - A PHONE CALL IS ESTABLISH TOMOLDOVA
PHONE NUMBER +373 xxxxxxxx
8
MOLDOVA2 -THEN THE CALL ISFORWARDED
TO CANADA
SCARBOROUGH
PHONE NUMBER +373 XXXXXXXPHONE NUMBER + 1 519 XXXXXXX
9
MOLDOVA2 - AND RETURNEDTO DALLAS
SCARBOROUGH
DALLAS
PHONE NUMBER +373 XXXXXXXPHONE NUMBER + 1 519 XXXXXXXPHONE NUMBER + 1 214 XXXXXXX
10
MOLDOVA5 - AND DOWNLOADSTRAT
SCARBOROUGH
DALLAS
DOWNLOAD STARTS VIA TELEPHONE NETWORKINSTEAD VIA INTERNET
11
USER´S BILL
USER´S BILL
12
JESUS CHRIST!!!
HOW TO PAY THIS BILL???
The first victim of dialers
13
How does it work?
• Internet dumping can occur when you access certain Internet websites. A very small program known as a dialer is downloaded onto your computer from these websites and installed often using the ActiveX technology.
• Dialers are frequently linked with pornographic websites, but are sometimes found on gambling, games and music sites.
• Sometimes in common words the dialer can be seen like a trojan horse.
Source: Australian Communications Authority
14
Definitions
ActiveX is a Microsoft technology that allows Internet applications that are more powerful than simple scripts.
Source: Australian Communications Authority
15
How are dialers installed and run?
• When you click on an icon or button on a web page you may download a dialer.
• Unscrupulous sites provide little warning that you will have to pay a higher call charge if you agree to download the Internet dialer to access the website.
• Some dialers can re-dial and connect your computer at a high call charge rate automatically, and some even mute the dialing noises your modem makes through your computer speakers to hide the fact that the modem is dialing.
Source: Australian Communications Authority
16
Is it legal?
The provision of pay-per-view content via a website utilizing dialer software is legal as long as the site gives adequate warning that charges may be incurred upon entering the website, and as long as the software is configured to ensure that the premium rate services are disconnected at the end of the Internet user’s session.
Source: Australian Communications Authority
17
Internet dialers aren’t all bad
Internet dialers also allow you to pay for certain services over the Internet using your telephone account rather than a credit card, for example, downloading ring tones or call-back services for travelers. This payment service can be useful provided it is done with your knowledge and consent. Some dialers can be used as a SECURITY ADD ON on dialing-up access.
Source: Australian Communications Authority
18
‘Good’ and ‘Bad’ dialers
• We consider as ‘good’ dialers those which warns you that you will dial an international telephone number with high charge.
• On the contrary ‘bad’ are the dialers that don’t provide any warning you will dial an international telephone call and this dial-up connection is established automatically.
19
‘Good’ dialers
20
‘Good’ dialers
21
‘Good’ dialersYou must be eighteen (18) years of age or older to use this service. You are acknowledging
that you are eighteen (18) years of age or older if you continue to use this software. BY USING THIS SOFTWARE, YOU WILL DIAL AN INTERNATIONAL TELEPHONE NUMBER FOR WHICH INTERNATIONAL LONG DISTANCE CHARGES APPLY (SEE DETAILSBELOW).
By choosing this Dialer as a payment method for this content, you will download our proprietary software to your computer's hard drive.
Once connected, you will establish an connection with a remote server outside of your country. Your modem will disconnect from your Internet Service Provider and dial an INTERNATIONAL TELEPHONE NUMBER to Cook Island. An INTERNATIONAL LONG DISTANCE call to Cook Island will appear on your phone bill. Rates are subject to change, check with your local carrier for exact rates. Your phone bill will reflect charges on a per minute basis (rounded up to the next whole minute) for the cost of the call. You can terminate our service by one of the following procedures:1. You can terminate the connection by selecting the modem symbol located on the lower
right side of Windows 95/98 tool bar, then by clicking on the "Disconnect" button, or Clicking on the Pay Dial application icon at the lower portion of Windows 95/98 tool bar. When the message box shows up, click "Yes" to disconnect the service.2. You can connect to this service for the maximum of thirty (30) minutes. Pay Dial software
will automatically terminate this service after thirty (30) minutes;You may use this service only if you are the line subscriber or are authorized by the line subscriber to incur charges on the phone bill.
22
SOME Risky DestinationsDestination Code
Central African Rep. +236São Tomé and Principe +239Diego Garcia +246Comoros +269Austria +43Norfolk Island +672Nauru +674Papua/N. Guinea +675Solomon Islands +677Vanuatu +678Wallis and Fortuna +681Cook Island +682Kiribati +686Tuvalu +688French Polynesia +689Tokelau +690
ALL DESTINATIONS WITH HIGH
TERMINATION RATE
(e.g. EMSAT and ANTARCTICA
NETWORK or IRS on GSM networks)
23
Technical analysisof diallers
24
How does a dialer work?
INTERNET
User
WebServer
File ServerContaining Dialer
Video Server
25
The connection with the ISP has been established
26
The connection with the ISP has been established at 52000bps. ISP tel No is 8962555555
27
The ‘IPCONFIG’command shows us the IP that we got from the ISP
which is 212.205.210.20
28
The ‘TRACEROUTE’command shows us the route from our machine to the ISP
server
29
We visit a site to download a
password
30
Clicking ‘YES’ is the fatal action
31
The dialer is being downloaded
32
The tel N# that we are connected with, has changed from 8962555555 to 002395009
33
With the ‘IPCONFIG’ command we see that the IP has changed to
192.168.0.182 that is an IP of an internal network
34
With the ‘TRACEROUTE’ command we see that the route has changed.
It is longer and we have been connected with a company called
VIATEL
35
A shortcut appears on Network Connections
36
Using the www. ip2location . com we detect the location of the
company that offers dialers services
37
002395543 or0023955XX
No existing serieOn STP numberingPlan
No outsourcedserie
No routed via PTC
MISUSE
38
Internet Explorer has encountered a problem caused by the downloading of the dialer
39
A shortcut appears automatically on the
desktop
40
We are connected to the internal
network (192.168.0.182) of a company
in Poland
41
Using the sniffer IRIS v4.07.1 we decode the packets from
and to our machine
42Technical data useful to our research
43
Using the ‘DECODE’ command, packets which are in the buffer
start to be decoded
44
A decoded packet from the web site www . erotic . pl
45
We receive useful
information from the decoded packets
46
We receive useful
information from the decoded packets
47
Our PC tries to GET the dialer from pinkbox.pl
48
Using the www.samspade.org we detect the location of
pinkbox.pl
49
The results of our investigation
50
Using BinText 3.0 as well as IDA we do
reverse engineering to the dialer and we
decrypt it discovering all its secrets.
51
……more secrets
52
ANOTHER CASE to GSMPTC noted several calls to KPN mobile numbers done
with WEB diallers+31 620675560+31 620985172+31 612203785+31 622834749
After some discussion with portuguese customersdialling that numbers, a situation of Internet dumping
was found, and numbers were blocked.Due to the fast action the numbers of minutes involved
was about 250This numbers matched with a information reported by
Maltacom
53
Maltacom also reported the Internet dumping situation to that numbers and to the following
ones:+31 623 079882+31 613 269348+31 613 179137+31 613 262607
Maltacom also decided to block such numbers. Inthese case the numbers of minutes involved were
about 197.47 hours
54
Maltacom and PTC started an investigation basedon the practices presented during previous meetingsc
So the diallers were installed in a test PC
And the results were :
55
192.168.0.1255.255.255.0
194.54.173.109255.255.255.255194.54.173.109
56
Information related to '194.54.172.0 - 194.54.175.255'
organisation: ORG-WA24-RIPEorg-name: Wire9org-type: NON-REGISTRYremarks: Wire9.comaddress: Hunter House, Hutton Road Shenfieldaddress: CM15 8NLaddress: UKphone: +44 (0) 8707 469 796e-mail: [email protected]: Lee Jonesaddress: Wire9 Telecom PLCaddress: Hunter House, Hutton Roadaddress: Shenfield, CM15 8NL, UKphone: +44 (0) 8707 469 796fax-no: +44 (0) 8707 469 797
57
58
The startingWEB site
59
WHOIS information for valuedcontents.com:
Registrant:Marco Casali (VALUEDCONTENTS-COM-DOM) via De Gasperi Roma, nn 66023 italy 0670623431 [email protected]
Domain Name: VALUEDCONTENTS.COMAdministrative Contact: Marco Casali [email protected] via De Gasperi Roma, nn 66023 italy 0670623431
Technical Contact, Zone Contact:Marco Casali [email protected] via De Gasperi Roma, nn 66023 italy 0670623431
60
RELATED WEB
61
http://www.solo-adulti.com/en/index.html
62
63
http://www.solo-adulti.com/en/chatcam/delay.htm
64
65
66
http://www.solo-adulti.com/en/index.html
67
68
69
Who can become a victim?
Virtually any household can become a victim to these malicious dialers.
70
ITU/QSDGXi’an Meeting, May 2005
1. Document titled ‘Information concerning the use of 882 13 numbers’(COM2-D173-E) a Swisscom contribution was presented.
2. It is recommended that operators should prepare their fraud staff to the new situations as web dialers. This needs to be done involving CRM staff as well.3. It was concluded that operators should not do a global block of a destination when trying to fight web diallers fraud. It if happens then it should be considered as a commercial decision and not related with fraud aspect. It is clear that this type of traffic could increase outgoing traffic and some operators may wish to reduce their out-payments. However such decisions are not related with fraud. Concerning fraud aspect only rogue diallers should be blocked.
71
ETNOIt is recommended that concerning fraud aspect only rogue diallers, mainly those producing Internet dumping and/or modem hijacking, should be blocked. This requires a proper investigation to gather proof of the rogue dialler (e.g. the dialer programme).
It is also recommended that operators should prepare their fraud staff to the new situations as web diallers and possible rogue dialers. This needs to be done involving CRM staff as well.
It is also recommended that clear position be taken within each organization (operator) in order to allow a common understanding by all areas of the organization on how to deal with internet dumping fraud and associated activities.
72
Thank you