The Inside Story of A Million-Dollar VoIP Scam

to allegedly defraud VoIP providers

Federal prosecutors charge that Edwin Andres Pena of Miami hacked into the networks of Internet telephone providers and fraudulently sold more than 10 million minutes of VoIP calls.

Pena allegedly sold $1 million of phone service to his customers at extremely reduced rates. But rather than buy long-distance minutes from existing providers to provide the service, he instead hacked into the networks of VoIP providers, and provided the minutes for free.

Here's how he did it.

Starting with a "Brute Force" Attack

The basic service that Pena provided is not uncommon. Telecommunications brokers often buy long-distance minutes from carriers -- especially VoIP carriers -- and then re-sell those minutes directly to customers. They make money by marking up the services they buy from carriers.

Pena sold minutes to customers, but rather than buy the minutes, he instead decided to hack into the Internet phone company networks, and route calls over those networks surreptitiously, say prosecutors. So he had to pay virtually no costs for providing phone service.

The first step in the scheme required that Pena find the special prefixes that Internet phone companies use to identify calls that are allowed to be routed over their networks. Prosecutors say that Pena did this with a "brute force" attack, by "slamming" Internet phone networks with thousands of test calls, using many different variants of prefixes. When a call was able to get through to one of the Internet phone service networks, Pena knew that he had the proper prefix for that network.

Once he had the proper prefixes, he turned to someone else for help with the scam, say prosecutors. He contacted Robert Moore of Spokane, Washington, they say, who runs the site moorer-software.com. The site includes links to hacker sites and to hacker tools.

Moore, say prosecutors, immediately set to looking for vulnerable ports in "unsuspecting companies and other entities in the United States and around the world." He wasn't looking for Internet phone service ports, but instead for open, vulnerable ports and routers in private companies. When he found vulnerable ports, he would also hack into the network to get administrator names and passwords.

The scope of the scanning was massive, say prosecutors, who claim that he performed six million scans of AT&T's worldwide network alone from June to October of 2005.

Moore allegedly sent the IP addresses of the open ports and routers to Pena, and also sent the network administrator names and passwords.

Hacking the Routers

With the IP addresses and network administrator names and passwords in hand, say prosecutors, Pena reprogrammed the routers to handle VoIP calls and to disguise the true source of the traffic.

Prosecutors say that one of the networks Pena hijacked in this way was a Rye Brook, NY hedge fund company.

In other instances, say prosecutors, Pena and Moore rented servers under false names, including "David Hauster" and "Jake Hamilton," and used those rented servers to handle his customers' voice traffic.

Completing the Scam

The last step of the scam was relatively easy. Pena first routed his customers' calls to the Rye Brook hedge fund company network via the routers he had hacked, say prosecutors. In other instances, he routed them through the rented servers, they added.

Using his access to the routers, he then sent the calls from the hedge fund company, or his rented servers, to Internet phone service providers, according to prosecutors. They say that he routed the calls to 15 separate Internet phone service providers, including one based in Newark, NJ. The provider wasn't named in the charges, but Net2Phone, a large Internet phone service provider, is located in Newark.

Pena allegedly appended the access codes to the calls, so that the Internet phone providers would believe they were legitimate calls. The calls went through with no problems, and were completed over the Internet phone provider networks.

The Internet phone service providers, though, have been left holding the bag, because they had to pay $300,000 for routing the calls to other carriers.

The scope of the scam was massive. According to prosecutors, in a single three-week period, 500,000 calls were routed through the Newark Internet phone service provider, and were made to look as if they came from the Rye Brook hedge fund.

The Bottom Line

The bottom line in all this? It should be a wake-up call not just to Internet phone service providers, but to network administrators as well. This scam couldn't have been accomplished without there being enterprise network security holes -- and these holes may get bigger as voice is increasingly routed over enterprise IP networks.
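
On the provider side, both the prefix brute-forcing and the relayed calls described above leave traces in call-attempt records. The following Python sketch is an added example, not part of the original article or the charges; the record layout, the 4-digit prefix length, the thresholds, and all addresses and numbers are constructed assumptions.

```python
from collections import defaultdict

PREFIX_LEN = 4  # assumption: routing prefix is the first 4 digits dialed

# Constructed records: (source IP, dialed string, accepted by provider?).
ATTEMPTS = (
    [("203.0.113.5", f"{p}13055550100", p == 7731) for p in range(7725, 7732)]
    + [("198.51.100.10", "773112125550111", True)] * 3
    + [("192.0.2.77", "773113055550122", True)] * 2
)
# Constructed map of which source addresses each prefix was issued to.
PREFIX_OWNERS = {"7731": {"198.51.100.10"}}


def find_prefix_sweeps(attempts, min_prefixes=5, max_accept_ratio=0.2):
    """Flag sources that try many distinct prefixes and are mostly rejected.

    Returns {source: sorted prefixes that were accepted}, i.e. the prefixes
    the sweep may have exposed and that should be rotated.
    """
    tried = defaultdict(set)
    accepted = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # source -> [attempts, accepted]
    for src, dialed, ok in attempts:
        prefix = dialed[:PREFIX_LEN]
        tried[src].add(prefix)
        totals[src][0] += 1
        if ok:
            totals[src][1] += 1
            accepted[src].add(prefix)
    return {
        src: sorted(accepted[src])
        for src, (n, n_ok) in totals.items()
        if len(tried[src]) >= min_prefixes and n_ok / n <= max_accept_ratio
    }


def find_unregistered_sources(attempts, owners):
    """Return (source, prefix) pairs where a valid prefix arrived from an
    address the prefix was never issued to, e.g. a third-party relay."""
    return {
        (src, dialed[:PREFIX_LEN])
        for src, dialed, ok in attempts
        if ok and src not in owners.get(dialed[:PREFIX_LEN], set())
    }


if __name__ == "__main__":
    print("sweeps:", find_prefix_sweeps(ATTEMPTS))
    print("unregistered:", sorted(find_unregistered_sources(ATTEMPTS, PREFIX_OWNERS)))
```

The first check catches the enumeration phase; the second catches calls that carry a valid prefix but arrive from an address it was never issued to, which is what a prefix-only trust model misses.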