The Internet security company, McAfee, estimates that the likely annual cost to the global economy from cybercrime is more than $400 billion. The Internet has become the perfect environment for fraud. Not only does it provide the targets, but also the knowledge, the tools and the means for fraudsters and hackers to thrive. As a borderless crime with various authorities ruled by different countries and laws, the prosecution of internet fraud becomes an especially difficult task to accomplish.
Back in 2011, an attacker (or group of attackers) performed an Internet-wide scanning event that was orchestrated by the Sality botnet. Botnets consist of many compromised computers, sometimes in the millions, and are the most widely-used cyber weapon for executing criminal activities, such as fraud, sensitive data leakage, distributed denial-of-service attacks, and spam. In the 2011 attack, the packet sent was a SIP REGISTER request that tried to register a dummy user, expecting a 404 Not Found client failure response in return. In less than 12 days they were able to query 4,000,000,000 IP addresses, which equated to practically every IPv4 computer on the internet.
The attack had one purpose: to identify and classify every SIP server on the internet. But to what end? That has never been clear; however, given the magnitude of the attack, one can easily imagine the value of this information. Based on the responses provided by each server, additional information could have been gathered and easily correlated to identify the most exposed systems. The most likely scenario is that the results were grouped into systems with default credentials or no authentication on one side and less exposed systems on the other. Obviously the first group stands out and serves as a primary source for many of the fraud types we see today; common examples are toll fraud, TDoS (telephony denial of service), phishing and traffic/call pumping.
Now we move forward to today, and the concept has evolved and matured. Hackers and fraudsters have all the information they need at their fingertips; organized, tagged, indexed and ranked by popularity. All sorts of tools for finding exploited and compromised systems, regardless of the intent, are now freely available on the internet via specialized ‘hacking’ search engines, where you can run queries like “Routers with default info” or “snom voip phones with no authentication”. The granularity of the results can be further narrowed to target specific cities, countries, latitude/longitude, hostnames, operating systems and IP addresses. The search results can even be run through an API, which can automate tasks and provide notifications in real time, making things even easier for the attackers. And while many hackers and fraudsters take advantage of this information, it can also be used for good - by security administrators who are testing their own systems for weaknesses.
With all of these targets exposed, many of these attacks are on the rise, and while it may seem that a large, savvy infrastructure would be required to pull off some of these high value scams, that is not always the case. A home computer with a limited internet connection is often good enough to create a denial of service attack against most businesses. High bandwidth is only required once a call is answered and a Real-time Transport Protocol (RTP) media stream is opened. If a call is dropped before, or immediately after, answering, no RTP packets are involved and bandwidth requirements remain low. This means the number of calls an attacker can set up is limited only by how many SIP INVITE messages they can send, not by bandwidth. Considering a typical scenario of a company using T1 or E1 links, a flow of 23 and 30 simultaneous calls, respectively, is enough to knock down all channels and leave a typical company without phone service. This is especially bad news for operations that depend on call centers or toll free lines.
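The two behaviours described above, a REGISTER sweep for non-existent users that harvests 404 responses and an INVITE flood that exhausts trunk channels without ever carrying media, both leave a footprint in SIP server logs. The following is an added example, not code from the original article, that parses a constructed, hypothetical log format (`<epoch> <source-ip> <METHOD> <request-uri> <final-status>`; real PBX logs differ) and flags both patterns. The IP addresses, user names and timestamps are constructed sample data, and the 23-channel limit is the T1 figure from the text.

```python
"""Detect a SIP REGISTER scan and a channel-exhausting INVITE burst in server logs.

Added example with a hypothetical log line format:
    <epoch-seconds> <source-ip> <METHOD> <request-uri> <final-status-code>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)

# Constructed sample data (not real traffic):
#  - 203.0.113.5 probes eight consecutive extensions with REGISTER and gets 404 each time
#  - 198.51.100.20 is a legitimate phone registering and making one normal call
#  - 203.0.113.9 fires 25 INVITEs in four seconds, each torn down before answer (487),
#    so no RTP ever flows but every trunk channel is briefly seized
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 203.0.113.5 REGISTER sip:{100 + i}@pbx.example.net 404" for i in range(8)]
    + [
        "1700000003 198.51.100.20 REGISTER sip:alice@pbx.example.net 200",
        "1700000004 198.51.100.20 INVITE sip:bob@pbx.example.net 200",
    ]
    + [f"{1700000100 + i // 5} 203.0.113.9 INVITE sip:+18005550{i:03d}@pbx.example.net 487" for i in range(25)]
)


@dataclass(frozen=True)
class SipEvent:
    ts: int
    src: str
    method: str
    uri: str
    status: int


def parse_log(text):
    """Parse log text into SipEvent records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(SipEvent(int(m["ts"]), m["src"], m["method"], m["uri"], int(m["status"])))
    return events


def register_scan_sources(events, min_failures=5, window_s=60):
    """Return source IPs with at least min_failures REGISTER->404 responses inside window_s seconds.

    A legitimate phone re-registers one known user and gets 200/401; a scanner walks
    through user names that do not exist and collects 404s, which is the signal here.
    """
    failures = defaultdict(list)
    for e in events:
        if e.method == "REGISTER" and e.status == 404:
            failures[e.src].append(e.ts)
    flagged = set()
    for src, stamps in failures.items():
        window = deque()
        for ts in sorted(stamps):
            window.append(ts)
            while ts - window[0] > window_s:
                window.popleft()
            if len(window) >= min_failures:
                flagged.add(src)
                break
    return flagged


def invite_burst(events, channel_limit=23, window_s=10):
    """Return (peak INVITEs in any window_s-second window, whether that exceeds channel_limit).

    Bandwidth is not the signal: calls dropped before answer carry no RTP. The call
    attempt rate against the trunk's channel count (23 for a T1, 30 for an E1) is.
    """
    window = deque()
    peak = 0
    for ts in sorted(e.ts for e in events if e.method == "INVITE"):
        window.append(ts)
        while ts - window[0] > window_s:
            window.popleft()
        peak = max(peak, len(window))
    return peak, peak > channel_limit


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("REGISTER scan sources:", register_scan_sources(evs))
    print("INVITE peak / T1 exhausted:", invite_burst(evs, channel_limit=23))
```

Both detectors work on timestamps only, so they can run over any SIP log once the regex is adapted to the server's real format; tuning `min_failures`, `window_s` and `channel_limit` to the trunk in use is what keeps the false-positive rate acceptable on a busy PBX.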
Another opportunity fraudsters have identified is SIP toll fraud. SIP stands for Session Initiation Protocol, a standard protocol used today in all VoIP communications. From anywhere in the world, behind several layers of anonymity, anyone can place huge volumes of international calls at very little or no cost.
Many of the threats we have today are easily performed by anyone from anywhere in the world, with very few resources. Being able to identify and assess the risks that expose your systems to fraudulent actions is essential to reduce the advantage that fraudsters use to perpetrate their crimes. There is much we can do to disrupt and combat the constantly evolving methods of enterprise fraud, including automated systems designed not just to detect the known fraud challenges of yesterday and today, but also to detect the outliers and trends that point to suspicious activities or actions before they become the fraud challenges of tomorrow.