Ransom scheme targets emergency communications

According to a confidential alert obtained by KrebsOnSecurity, TDoS attacks are being carried out by would-be extortionists against emergency communications centers

According to a confidential alert jointly issued by the US Department of Homeland Security and the FBI and obtained by KrebsOnSecurity, these telephony denial-of-service (TDoS) attacks are being carried out by would-be extortionists. A perpetrator claiming to be from a collections agency for payday loans first calls up to ask about a supposedly outstanding debt and demand a $5,000 payment. If the individual or organization refuses to pay, the TDoS attack begins, and is sustained.

In other words, it’s a ransomware scheme of sorts. With emergency phone lines occupying a “critical infrastructure” role, it is likely that the criminals are banking on these centers’ willingness to submit to the scam in order to get things back up and running.

The alert reads:

“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities. Dozens of such attacks have targeted the administrative PSAP lines (not the 911 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. This type of attack is referred to as a TDoS or Telephony Denial of Service attack. These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”

Krebs pointed out that these types of attacks were flagged by the Internet Crime Complaint Center (IC3) earlier in the year. The IC3 alert described another prong to the social engineering aspect of the scam: “The other tactic the subjects are now using in order to convince the victim that a warrant for their arrest exists is by spoofing a police department's telephone number when calling the victim. The subject claims there is a warrant issued for the victim's arrest for failure to pay off the loan. In order to have the police actually respond to the victim's residence, the subject places repeated, harassing calls to the local police department while spoofing the victim's telephone number.”

While the exact mechanism for carrying out a TDoS attack was not laid out by the FBI, DHS or IC3, Krebs refers to a SecureLogix report, which said that simple audio mutation technology could be used.

“These are simple techniques, with future attacks likely using other types of mutating audio,” the report reads. “In the future, these attacks will be much more severe. By simply generating more calls or using more entry points to the [target] network, many more calls can be generated, resulting in a very expensive attack or one which degrades the performance of a contact center, rendering access unavailable to legitimate callers and potentially impairing brand image.”
