A Miami man this week admitted hacking into the networks of several VoIP providers between 2004 and 2006 and then reselling millions of stolen minutes.
Edwin Pena, 27, of Miami, yesterday pleaded guilty in a Newark, N.J. federal court to one count of conspiracy to commit computer hacking and wire fraud, and one count of wire fraud.
Pena, who was returned to the U.S. last fall after being a fugitive for three years, is scheduled to be sentenced by U.S. District Judge Susan D. Wigenton on May 14.
Pena, who faces up to 25 years in federal prison, continues to be held without bond.
“Anytime we bring a fugitive to justice, it’s great,” said Assistant U.S. Attorney Erez Liebermann, who prosecuted the case. “This was a sophisticated and very profitable operation.
This case sends a clear message to perpetrators that they can be caught and prosecuted, and to companies that there are steps they should be taking to secure their networks.”
Between November 2004 to May 2006 Pena and a cohort — Robert Moore, 24, of Spokane, Wash. — hacked into the computer networks of multiple VoIP service providers and routed calls made by customers of Pena’s VoIP service through them.
At his plea hearing this week, Pena, who had posed as a legitimate wholesaler of VoIP services as part of the scheme, admitted that he was able to offer cut-rate prices because he was routing them through hacked VoIP networks.
According to court records, Pena sold more than 10 million minutes of VoIP service that had been stolen from 15 telecommunications providers. Prosecutors valued the lost minutes at $1.4 million.
Prosecutors contend that Pena was the mastermind behind the scheme and that Moore hacked the systems.
In the fall of 2007, Moore pleaded guilty to conspiracy to commit computer fraud and began serving a two-year prison sentence.
“We need to expose these new crimes and make companies aware of them,” said Liebermann. “A number of companies reached out to me because they’d read about the case. They said it was a great lesson and they’ve since implemented security measures so he couldn’t do the same thing to them.”
Pena was first arrested in Florida on June 7, 2006. On June 29, 2006, he made a court appearance and was released on bail. While out on bail, he fled the country and was the focus of a three-year manhunt before being was arrested in Mexico on Feb. 6, 2009. Pena was returned to the U.S. last October.
Voice-over-IP systems route telephone calls over the Internet or other IP-based networks.
While Pena and his cohort stole services from VoIP providers, other cybercrooks have targeted the VoIP phone systems of small and medium-sized businesses and used them as launching pads for their scams.
Early last year, for instance, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.
The victims had typically banked with smaller regional institutions, with fewer resources to detect scams.
Scammers hacked into phone systems and then called victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity.
If the worried customer entered their account number and ATM password, the bad guys used that information to make fake debit cards and empty their victim’s bank accounts.
Hackers made headlines for breaking into phone company systems more than 20 years ago — a practice that was known as phreaking — but as the traditional telephone system has become integrated with the Internet, it’s creating new opportunities for fraud that are only just beginning to be understood.
VoIP (voice over Internet Protocol) hacking is “a new frontier in the crossover world of telecom and cyber [crime],” said Erez Liebermann, assistant U.S. attorney for the district of New Jersey. “It is an ongoing threat and a serious threat that companies need to be worried about.”
Attacks on one of the most popular VoIP systems, called Asterisk, are now “endemic,” said John Todd, who works for the product’s creator, Digium, as open-source community director. “It’s like stealing a baseball bat to break into a car. The first step is to break into Asterisk.”
Asterisk hacking began evolving from a fairly “low-level problem” into a much more serious issue around September of 2008, when easy-to-use tools were first published, Todd said. “There are now people doing videos on it and there are blogs and podcasts,” he said. “The information is out there.”
With these tools, it can be pretty easy to hack a VoIP system by hitting the server designed to connect traffic from the office’s local area network to a network provider such as AT&T, which connects the calls to the rest of the world.
The hacker tries to guess the VoIP system’s passwords, making thousands of guesses. While an Internet program such as Gmail will block visitors after a handful of failed password guesses, VoIP systems are often not configured this way and will often let any computer connect to them.
So hackers pound away at them, trying to guess working phone extensions. Once they find an extension, they run their dictionary attack software. If the password is easy to guess, they’re in the network and can phone out for free.
That’s what happened to Innovative Technologies, based in Wheeling, West Virginia. It was hacked in early October, apparently by Romanian cyber criminals who used its VoIP system to make telephone-based phishing calls to customers of Liberty Bank, a small regional bank with offices in California.
“They had scanned a whole bunch of IP addresses on the Internet in order to find [VoIP] servers,” said Terry Lewis, CEO of Innovative Technologies.
Once the VoIP system is hacked, the criminals use it to perform phone-based phishing attacks, sometimes called vishing. Vishing attacks have been around for a few years now, but they’ve largely flown under the radar, because they often target smaller regional banks rather than high-profile national institutions. The scammers move from bank to bank each week after completing their campaigns.
According to Liberty Bank, other regional institutions had also been hit with vishing attacks from hacked VoIP systems in recent weeks.
Liberty Bank First Vice President Jill Hitchman believes that the scammers who targeted her bank probably hit between 30 and 35 businesses and were making between 20,000 and 30,000 phone calls per day.
“I don’t think these companies realize they’re probably going to be getting charges,” Hitchman said. “The bigger issue is, how are these phone systems being accessed and why can’t we stop it?”
Only a few Liberty customers fell for the scam, Hitchman said, but the attackers knew what they were doing. First they would sign up for AOL accounts, to test that the card numbers worked. Because AOL offers free trial memberships, these charges do not show up for months. By that time, the scammers have put the information on fake ATM cards and emptied the bank accounts.
Businesses could prevent a lot of these attacks by changing the port they use for Session Initiation Protocol (SIP) connections on their VoIP systems, by blocking connections after a certain number of failures, and by simply using better passwords on their voice systems, security experts say.
Once the VoIP system is hacked, the criminals use it to perform phone-based phishing attacks, sometimes called vishing.
Vishing attacks have been around for a few years now, but they’ve largely flown under the radar, because they often target smaller regional banks rather than high-profile national institutions. The scammers move from bank to bank each week after completing their campaigns.