Telephone Hackers

This is a technical article, but I’ll attempt to write as simply as I can to explain how easy it is for a telephone spammer to make calls.

Modern telephone systems operate over the Internet.

I can take any computer that you have sitting around your house and install software on it that will turn it into a PBX (Private Branch Exchange). Several years ago PBXs were prohibitively expensive and mostly based on time-tested hardware.

There are currently large numbers of these software based systems connected to the Internet around the world.

Most system administrators know how to configure these systems to prevent them from being hacked, but for every competent administrator there are 100s who have no understanding of what they have set up. The system works for them: it makes telephone calls and provides service to their business more cheaply than many commercial solutions. But they lack a full understanding of security and of how to lock down their systems properly. These systems are set up in a default manner or configured with the default settings outlined in beginner 101 documentation that is freely available online.

If you operate a system on the Internet that hasn’t been properly secured, it is just a matter of time before it is hacked and compromised by a telephone spammer.

These systems run a telephone protocol called Session Initiation Protocol, or SIP. By default the SIP service runs on computer port 5060. Spammers and scammers, knowing this, are constantly scanning every single Internet Protocol (IP) address on the Internet, testing to see if port 5060 is open. IP addresses are unique numbers that identify a server on the Internet, and they range from 1.1.1.1 through 255.255.255.255. If you do the math, that is a very large number of potentially vulnerable servers: 255x255x255x255 = 4.2 billion.

The telephone spammer will write a computer script that starts at a specific IP address and knocks on port 5060 (essentially saying “Hey 5060, are you open?” If it’s open, this lets the scammer know there is a telephone server running at that IP address). Then it increments the IP address by 1 and performs the knock again. The telephone spammer’s script will continue to do this for millions of addresses automatically while it builds a list of IP addresses that are actually running services on SIP port 5060.

Once the telephone spammer has a list of IP addresses that are running services on SIP port 5060, they will run a second script that attempts to log in to each server using every known default username and password combination that would be set up on any system that uses port 5060.

Example: Hey port 5060 I’m user 1000 and my password is 1234 can I log in?

Server Responds: Password incorrect for user 1000.

OR

Server Responds: User 1000 not found.

If the server responds that the password is incorrect, this lets the telephone spammer know that there is actually an account set up on the server with the username 1000. The spammer will continue to test 1001, 1002, 1003, 1004 … 9999. Each time, the script records the response it receives and notes whether the password is incorrect or the user is not found.

Once it has a list of every user that returned an incorrect-password response, it will then attempt to “brute force” its way into those known users’ accounts on the server.

Example: Port 5060 I’m user 1000 and my password is 1234
Server: Password incorrect for user 1000.
Example: Port 5060 I’m user 1000 and my password is password
Server: User 1000 authenticated!
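
From the defender's side, both steps above leave a recognizable trail in the server's login records. The following Python example is added here and is not part of the original article; the log line format, the thresholds and the function name are assumptions made for illustration, not any real PBX's. It flags one address trying many usernames, repeated failures against one user, and a success that follows those failures.

```python
import re
from collections import defaultdict

# Constructed sample log in a made-up format (not any real PBX's log format).
SAMPLE_LOG = """\
10:00:01 REGISTER from 203.0.113.7 user=1000 result=BAD_PASSWORD
10:00:01 REGISTER from 203.0.113.7 user=1001 result=NOT_FOUND
10:00:02 REGISTER from 203.0.113.7 user=1002 result=NOT_FOUND
10:00:02 REGISTER from 198.51.100.20 user=2001 result=BAD_PASSWORD
10:00:09 REGISTER from 198.51.100.20 user=2001 result=OK
10:00:10 REGISTER from 203.0.113.7 user=1003 result=BAD_PASSWORD
10:00:11 REGISTER from 203.0.113.7 user=1000 result=BAD_PASSWORD
10:00:11 REGISTER from 203.0.113.7 user=1000 result=BAD_PASSWORD
10:00:12 REGISTER from 203.0.113.7 user=1000 result=OK
"""
LINE = re.compile(r"REGISTER from (\S+) user=(\S+) result=(\w+)")


def analyze(log, max_users=3, max_failures=3):
    """Return (finding, ip, user) tuples in the order they are detected."""
    users = defaultdict(set)   # ip -> distinct usernames it has tried
    fails = defaultdict(int)   # (ip, user) -> failures since last success
    enumerators = set()        # IPs already reported for enumeration
    findings = []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue           # ignore lines that are not login attempts
        ip, user, result = m.groups()
        users[ip].add(user)
        # One address walking through many usernames: user enumeration.
        if len(users[ip]) > max_users and ip not in enumerators:
            enumerators.add(ip)
            findings.append(("enumeration", ip, None))
        if result == "OK":
            # A success right after repeated failures: likely guessed password.
            if fails[(ip, user)] >= max_failures:
                findings.append(("compromised", ip, user))
            fails[(ip, user)] = 0
        else:
            fails[(ip, user)] += 1
            if fails[(ip, user)] == max_failures:
                findings.append(("brute_force", ip, user))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The user who mistypes a password once and then logs in (198.51.100.20 in the sample) is not flagged. A server that returns one identical failure response for both an unknown user and a wrong password removes the signal the enumeration step depends on.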

Once a server responds that the telephone spammer has successfully authenticated, the spammer will attempt to place outbound telephone calls to known telephone numbers. Once one of those known numbers receives a call from the now compromised/hacked server, the telephone spammer can start sending thousands of spam calls to anyone they want.

The spammer can make as many calls as the hacked server will allow, which usually means they can make calls until the server owner’s SIP provider locks the account because of huge unpaid bills/charges. This could be thousands if not millions of calls before the hacked server’s administrators discover that their SIP termination provider has locked their account, preventing their authorized, legitimate calls from going out.

By this time, spam calls have been going out to anyone the telephone spammer wants to target, using someone else’s compromised/hacked server.

This is not an isolated event. If you set up a computer with a public IP address on the Internet, it will be less than 48 hours before a “hacker” is scanning your public IP address, testing to see if your port 5060 is open to place telephone calls.

The Internet is a war zone.
