June 08, 2006
The Inside Story of A Million-Dollar VoIP Scam
A Miami man allegedly defrauded Internet voice providers to the tune
of $1 million, with a sophisticated hacking scheme. Here's the inside
story of exactly how he did it.
By Preston Gralla Networking Pipeline
The $1 million scheme by a Miami man to allegedly defraud VoIP
providers, and sell long-distance calls surreptitiously through their
networks, was a surprisingly easy technical feat, and should give
pause to providers and enterprises alike about how insecure voice
services have become in a world where all calls will eventually be
routed over IP networks.
Federal prosecutors charge that Edwin Andres Pena of Miami hacked into
the networks of Internet telephone providers and fraudulently sold
more than 10 million minutes of VoIP calls.
Pena allegedly sold $1 million of phone service to his customers at
extremely reduced rates. But rather than buy long-distance minutes
from existing providers to provide the service, he instead hacked into
the networks of VoIP providers, and provided the minutes for free.
Here's how he did it.
Starting with a "Brute Force" Attack
The basic service that Pena provided is not uncommon.
Telecommunications brokers often buy long-distance minutes from
carriers -- especially VoIP carriers -- and then re-sell those minutes
directly to customers. They make money by marking up the services they
buy from carriers.
Pena sold minutes to customers, but rather than buy the minutes, he
instead decided to hack into the Internet phone company networks, and
route calls over those networks surreptitiously, say prosecutors. So
he had to pay virtually no costs for providing phone service.
The first step in the scheme required that Pena find the special
prefixes that Internet phone companies use to identify calls that are
allowed to be routed over their networks. Prosecutors say that Pena
did this with a "brute force" attack, by "slamming" Internet phone
networks with thousands of test calls, using many different variants
of prefixes. When a call was able to get through to one of the
Internet phone service networks, Pena knew that he had the proper
prefix for that network.
Once he had the proper prefixes, he turned to someone else for help
with the scam, say prosecutors. He contacted Robert Moore of Spokane,
Washington, they say, who runs the site moorer-software.com. The site
includes links to hacker sites and to hacker tools.
Moore, say prosecutors, immediately set to looking for vulnerable
ports in "unsuspecting companies and other entities in the United
States and around the world." He wasn't looking for Internet phone
service ports, but instead for open, vulnerable ports and routers in
private companies. When he found vulnerable ports, he would also hack
into the network to get administrator names and passwords.
The scope of the scanning was massive, say prosecutors, who claim that
he performed six million scans of AT&T's worldwide network alone from
June to October of 2005.
Pena allegedly sent the IP addresses of the open ports and routers to
Pena, and also sent the network administrator names and passwords.
Hacking the Routers
With the IP addresses and network administrator names and passwords in
hand, say prosecutors, Pena reprogrammed the routers to allow the
routers to handle VoIP calls, and to disguise the true source of the
Prosecutors say that one of the networks Pena hijacked in this way was
a Rye Brook, NY hedge fund company.
In other instances, say prosecutors, Pena and Moore rented servers
under false names, including "David Hauster" and "Jake Hamilton" and
used those rented servers to handle his customers' voice traffic.
Completing the Scam
The last step of the scam was relatively easy. Pena first routed his
customer's calls to the Rye Book hedge fund company network via the
routers he had hacked, say prosecutors. In other instances, he routed
them through the rented servers, they added
Using his access to the routers, he then sent the calls from the hedge
fund company, or his rented servers, to Internet phone service
providers, according to prosecutors. They say that he routed the calls
to 15 separate Internet phone service providers, including one based
in Newark, NJ. The provider wasn't named in the charges, but
Net2Phone, a large Internet phone service provider, is located in
Pena allegedly appended the access codes to the calls, so that the
Internet phone providers would believe they were legitimate calls. The
calls went through with no problems, and were completed over the
Internet phone provider networks.
The Internet phone service providers, though, have been left holding
the bag, because they had to pay $300,000 for routing the calls to
The scope of the scam was massive. According to prosecutors, in a
single three-week period, 500,000 calls were routed through the Newark
Internet phone service provider, and were made to look as if they came
from the Rye Brook Hedge fund.
The Bottom Line
The bottom line in all this? It should be a wake-up call not just to
Internet phone service providers, but to network administrators as
well. This scam couldn't have been accomplished without there being
enterprise network security holes -- and these holes may get bigger as
voice is increasingly routed over enterprise IP networks.