PBX hacking moves into the professional domain as arrests stack up

An Italian magistrate has taken the unusual step of issuing an international arrest warrant for an Filipino hacker alleged to have cost telephone companies and its customers millions of dollars in lost revenue.

Newswire reports also say that five Pakistani nationals have been arrested in northern Italy in connection with the scams.

Infosecurity understands that the hackers were using highly sophisticated methods to crack the remote access codes on company PBXs. These involved using communication utilities such as Warvox - an application capable of analysing more than 1000 phone lines an hour - to stage brute force attacks on company phone lines.

According to AT&T, one of the telephone companies whose customers were affected by the systematic PBX hacking, firms in the USA, Australia and across Europe were affected by the hackers' exploits.

Where previous PBX hacking incidents have been localised and small-scale, the Italian cracking group are reported to have operated internationally, marketing PBX access codes for $100 a time to third parties.

These third parties are then thought to have arranged to sell the codes and/or international call time to further third parties, usually individuals and small companies.

What makes matters worse, says Italian police, is that the profits from the scams were being sent to finance the activities of Islamist extremists in Pakistan and Afghanistan.

According to police, a 40-year-old manager of a telephone centre in Brescia was the main buyer of the PBX access codes, although newswire reports suggest that the manager sold the codes on to other intermediaries elsewhere in Italy and Spain.

The scale of the PBX hacking is thought to be very large. The US Justice Department has been involved in the investigation and has issued an indictment charging two people living in the Philippines with unauthorised computer access and wire fraud.

As well as arresting the five Pakistani nationals across Italy, police are reported to have raided 10 phone centres in northern and central Italy, as well as raiding a further 16 homes and offices, also in Italy,

The investigation reportedly started in May, 2007, when reports of widescale fraud against company PBXs started coming in to the FBI, which quickly involved enforcement agencies in Italy, Spain and Switzerland, as well as other areas of the world.

Unconfirmed reports suggest PBX hacking scam was the largest in telecommunications history, with AT&T being hit for $56 million and more than 2500 firms worldwide having their PBX's hacked.

What’s Hot on Infosecurity Magazine?