Hackers expand their illegal skills to voice mail
Computerized voice-mailbox systems are one of the newest technological conveniences in Corporate America. But when ``gangs'' of computer hackers take over a corporate phone system by capturing its voice mailboxes, the results can be very costly. In Columbus, Ohio, a 15-year-old named Chad Webster was convicted of five felony counts including denying access to a computer, vandalism, unauthorized use of property, and extortion.
Police tape recordings revealed a deep, sinister voice (Chad's) threatening one business - a dial-up electronic-mail message service - saying he would destroy the business if he was not given free access to the voice-mail system and five mailboxes. The extortion, police charged, included threats to cause the company's computer systems to fail and to erase legitimate messages. In one instance, obscene messages were left in 75 customers' voice mailboxes resulting in a $15,000 loss.
Columbus police say Chad, as well as two Indianapolis boys and another Columbus youth, attacked five businesses in three Midwestern states. The victimized companies, in Indianapolis, Columbus, Ohio, and Oklahoma City, sustained damages of $50,000.
Robert Snyder, a detective with the Columbus Police Department's organized crime squad, says voice-mailbox fraud and hacker gang attacks on phone systems ``seem to be the new wave.'' Chad and his friends were part of a much larger nationwide ``gang'' of 20 or more hackers, Mr. Snyder and others say.
``The voice-mail mess is national in scope,'' says Gail Thackeray, assistant attorney general for the state of Arizona. ``We have several identifiable gangs. Hundreds and hundreds of people are involved.''
Hackers traditionally have been interested primarily in invading or toying with other computer systems, usually by phone. Another renegade group of computer users, calling themselves Phone Phreaks, mainly use computer expertise to gain free long-distance service.
Now the two groups seem to be overlapping, in part because voice-mail systems are computer systems with voices recorded digitally and stored in a computer.
Here is how a voice-mail hacker may work: late at night, he will sit at his desk with a personal computer. He hooks the computer, via a phone modem, to his phone line. He then programs the computer to randomly call toll-free 800 numbers.
Occasionally, a computerized voice-mail system will answer and ask for instructions. The hacker then presses the buttons on his touch tone phone in response to the system, which asks, among other things, whether he wants access to a personal voice mailbox. Before entry permission is given, a pass code of as few as two or as many as seven digits is required from the caller.
The hacker will program his computer to randomly input series of numbers until he discovers a voice-mailbox password. Once access is gained, he then proceeds to request a new password be given to the mailbox of his own choosing, thereby taking control of one voice mailbox.
Often voice mail is linked to PBX, or private branch exchange systems used by corporations. A PBX code allows the caller, such as a salesman in a remote location, to dial anywhere in the country or anywhere in the world using the company switchboard. There are an estimated 4,500 PBX systems in the United States.
But such systems are only secure as long as no one knows what is usually a five or seven-digit PBX code. With just two to five digits, voice-mail codes are usually even easier to break. The voice-mail systems often attached to PBX systems offers an anonymous mode of communication to computer and telephone hackers.
The result is an ``enormous problem,'' which Ms. Thackeray says has been intense since this spring but growing for the past two years as voice-mail systems have grown. The first complaint to reach Thackeray was in December last year. By January, she was receiving one or two calls about voice-mail fraud each month. Now, she says, she gets one or two new complaints a week.
Telecommunications fraud is estimated to cost phone companies and corporations $500 million a year, says Rami Abuhamdeh, executive director of the Communications Fraud Control Association in McLean, Virginia. The bulk of the fraud involves illicit use of stolen long distance access codes belonging to MCI, US Sprint, AT&T, and other long distance companies in the US.
So far, only a fraction of it involves voice mail. However, as long distance companies make it harder to steal their access codes through improved security - such as 14-digit codes - regional and local long distance companies, with less secure codes, and corporations with their own PBX codes and voice-mail systems are being hit harder.
``They are going after the smaller carriers that have the 5 or 6 or 7 digit codes,'' says Loren Proctor, a security specialist with US Sprint in Rosemonth, Ill. He also says that companies with PBX systems are being hit because of increased security among big long distance carriers.
``Each company has to make a tough decision, because as you add security, you make it harder for the general public to use your toll-free 800 number phone systems,'' says Paul Flanagan, director of Information Innovators, a small Virginia Beach, Va., company that made one of the first voice-mail security products. Mr. Flanagan says his product offers a technological barrier that might cause an intruder to seek out other, easier prey.
Right now, however, voice-mail systems are selling very rapidly. There are nine major companies, and a recent edition of PC Magazine showed eight software products that turn an ordinary personal computer into a voice-mail system.
With such growth, security is weak across the board, no matter what the size of the company. Thackeray, for example, has had calls from at least 50 corporations this year. They range from Fortune 500 multinationals to mom-and-pop companies. The people hitting their voice-mail systems are frequently not solitary hackers, she says.
These gangs ``are like schools of fish, and it's difficult to investigate because they move from company to company'' as each discovers its problem, Thackeray says.
Detective Snyder, Thackeray, and other law enforcement officials say hackers like Chad, who might have communicated through underground computer bulletin boards before, have begun invading corporate voice-mail systems as well, in order to multiply the ways they can communicate and trade stolen or illegal goods. An advantage to corporate voice mail is that messages can be left anonymously.
The gangs ``have certain identifiers that identify them as part of a gang,'' says Wayne Cerow, an Arizona police officer with 20 years' experience researching computer crime. ``They find a company that's vulnerable, then pass the word that here's an easy target.''
Certified Grocers of California, a grocery wholesaler in Los Angeles, has a computerized voice-mail system that allows customers to call in and leave messages on the company's toll-free 800 lines. After it was installed, the company's toll-free phone bills began to soar.
In the end, some 200 of Certified's 300 voice mailboxes had been commandeered by hackers. Access was then transferred to drug pushers, and even a prostitution ring. New York cocaine prices were among the messages being updated constantly.
Most of the hackers, Snyder says, ``have got a lot of time on their hands. It's a game with them. A lot of these people are addicted to this just like narcotics.'' Mr. Cerow, in Arizona, believes basic ethics is a problem, too. ``They don't feel that defrauding a telephone company or a company is a crime.''
Until companies pay closer attention to telephone security, the problem is expected to grow, aided by the fact that it is not widely understood yet. Even the US Secret Service, which is charged with investigating wire fraud, is only now learning about voice-mail fraud.
``It's not the kind of thing we have a lot of systems in place to handle just yet,'' says Steve Purdy, a secret service agent. ``It's so new we're still developing means of responding to the crime itself.''