AT LEAST one of Australia’s top national law firms is among the growing list of organisations falling victim to a form of telecom hacking, which has cost some companies up to $1.7 million in a single attack. The threat, however, is neither new nor particularly difficult to prevent.
‘Phreaking’, as the crime is known, involves gaining access to an organisation’s telephone system and using it to make calls, charge phone cards or commit other forms of larceny.
Media reports of companies falling victim to this crime in Australia date back to 1992 and beyond, but it is the wholesale absence of such reports that has allowed the crime to go largely unnoticed and unchecked, so much so that there could be as many as 50 such attacks every week in Australia.
According to the US-based Communications Fraud Control Association, annual worldwide telecom fraud losses are believed to be in the range of US$35 to US$40 ($48 to $55) billion.
As with most cyber crimes, there is a huge reticence in corporate Australia to report such incidents, as the reputation risk attached to admitting inadequate security is considered more important. Therefore, because so few organisations admit they have fallen victim to the crime, as far as the rest of corporate Australia is concerned it is not a problem.
This was exactly the tack the prominent national law firm took when it was stung for around $50,000 over the course of one weekend. According to its IT manager, who spoke with Lawyers Weekly on the condition of anonymity, the law firm’s executive decided not only to pay the phone bill, but to keep the security breach from the broader partnership.
In this incident, the law firm’s facility management team was informed on a Monday morning by Telstra that there had been a huge spike in their phone line usage — mainly ISD calls to Hong Kong. Its Private Automatic Branch eXchange (PABX) system had been hacked via phone. “A classic phreak,” the IT manager said. The phreakers then opened up an open circuit of about 50 lines and proceeded to run up a bill of around $50,000 over the weekend.
Lawyers Weekly has learned that in another incident, a small regional law firm left the modem that its PABX maintainer used to access the system switched on and without password protection, and the system was completely reconfigured by a hacker to forward other calls.
For the few companies that have gone on the record, the losses are frightening. Perpetual Trustees was left with a $600,000 phone bill racked up between 31 October and 15 November 2000. On one day alone, the company was stung to the tune of $80,000 — the result of 5,000 illegal calls.
Among the most recently reported incidents was one involving a private hospital in Canberra, which had its PABX system hijacked on 22 March 2005. In the following 24 hours, John James Hospital had between $4,000 and $5,000 worth of international calls charged against its account.
In another incident, Australian importing business Plastic Plumbing Supplies was stung for an undisclosed amount exceeding $500,000 over a three-month period, with all of the illegal calls being made when the office was empty overnight. Commercial manager for the business Peter Krohn told Lawyers Weekly that while he had reached a settlement with his telecommunications provider, which forbade him from outlining the specifics of the settlement, the experience had left him bitter and his business had suffered a very substantial loss. “It was akin to having a very large bad debt,” he said.
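The incidents above share one signature: bursts of international calls placed outside business hours, often from a single line, that only came to light when the carrier's bill arrived. The following is an added illustration (not code from the article or from any firm or carrier it mentions) of the kind of simple call detail record (CDR) check a PABX owner could run nightly to catch such a burst before it runs for a whole weekend. The CDR format, the extension numbers, the "0011 852" Hong Kong numbers, the business-hours window of 07:00 to 19:00 and the per-hour threshold are all constructed assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta


def build_sample_cdr():
    """Constructed call detail records: 'timestamp,extension,dialled,seconds' per line.

    All numbers are made up. 0011 is the Australian IDD prefix and 852 the Hong Kong
    country code, mirroring the destination named in the article's law-firm case.
    """
    lines = []
    # Three ordinary daytime international calls on Friday 2005-03-18 (business hours).
    for i in range(3):
        lines.append(f"2005-03-18 10:{i:02d}:00,2104,0011852{20000000 + i},120")
    # A burst: 25 long calls to Hong Kong within one hour late on Saturday night,
    # all routed through the same extension, as a phreaked PABX would show.
    start = datetime(2005, 3, 19, 23, 5)
    for i in range(25):
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S},2104,0011852{30000000 + i},1800")
    return "\n".join(lines)


def parse_cdr(text):
    """Parse the constructed CDR text into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, dialled, secs = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext,
            "dialled": dialled,
            "seconds": int(secs),
        })
    return records


def is_international(dialled):
    """Assumption: international calls are dialled with the 0011 IDD prefix or a leading '+'."""
    return dialled.startswith("0011") or dialled.startswith("+")


def is_out_of_hours(t):
    """Assumption: business hours are 07:00 to 19:00 on weekdays; everything else is off-hours."""
    return t.weekday() >= 5 or t.hour < 7 or t.hour >= 19


def find_call_spikes(records, threshold=10):
    """Return (hour, extension) buckets with at least `threshold` off-hours international calls.

    Each result is ((hour_label, extension), call_count), sorted for stable output.
    """
    buckets = Counter()
    for r in records:
        if is_international(r["dialled"]) and is_out_of_hours(r["time"]):
            key = (r["time"].strftime("%Y-%m-%d %H:00"), r["ext"])
            buckets[key] += 1
    return sorted((key, n) for key, n in buckets.items() if n >= threshold)


if __name__ == "__main__":
    for (hour, ext), count in find_call_spikes(parse_cdr(build_sample_cdr())):
        print(f"ALERT {hour} ext {ext}: {count} off-hours international calls")
```

Run against the constructed records, the three Friday daytime calls are ignored and the Saturday-night burst from extension 2104 is reported as a single alert; on a real system the same check would be fed by the PABX's own CDR export and the threshold tuned to the firm's normal after-hours traffic.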
Telstra has admitted that up to 20 hacks are perpetrated against its clients every month. Add to that the legion of companies no longer with the soon-to-be fully privatised national carrier and the number could easily double.
Yet a spokesperson for ACT Policing told Lawyers Weekly he was unaware of any more cases being reported to that police force since. In 2004 there were only two reported cases in the ACT. With more than 200 such attacks every year reported to Telstra alone, it is clear that companies are electing to take the hit.
Australian High Tech Crime Centre director, Federal Agent Kevin Zuccato, says it is hard to put a figure on the impact of hacking, but there is no doubt criminals are becoming more astute.
One man who is carving a living out of phreaking is David Stevens. Not by committing crime, but by helping companies avoid being the next victim. His consultancy, Telecom Security, specialises in hacking into companies’ PABX and voicemail systems, then putting in place the necessary security systems to ensure the company is phreaking safe.
Calling his company’s services an audit, Stevens says that his success rate in hijacking a company’s phone system is in the very high nineties per cent. Worse news still is that, having secured a company’s system, he is often able to get back into that company’s phone system within 12 months, against his own security measures.