VOIP becoming common tool for hackers and pranksters

Since VOIP use has been on the rise many useful things have come from it for the legitimate user but more so for the illicit or mischievous user. In the last 2-3 years since skype and other VOIP tools have became popular hackers and pranksters have taken advantage of the benefits and anonymity it offers.

On the prankster side of things you have things like “swatting” which has been publicized in the news a few times lately where the prankster calls the target victim’s local police department with reports sounding drastic enough to have them assemble a swat team and raid the victim’s home. This is more so popular in the AIM kiddy scene then any other. Since “swatting” has became a way to get revenge or harass people from the internet a few arrests have been made but still remains prevalent.

On the serious hacker side of things VOIP is the perfect tool for social engineering and used in conjunction with a spoof card it is very effective. With social engineering very little actual hacking or technical skills are needed to pull off some major hacks so anyone with good social skills can get in anywhere they want. Most of the social engineering hacks and access some of the hackers I have spoke to rival and in some cases trump anything Keven Mitnick the famous hacker did.

I was able to do an interview with a seasoned hacker and was surprised as how deep they was into big companies and isps like comcast, tmobile, fed-ex, etc; Some have even taken over entire datacenters as such that rent dedicated servers like Server Beach and The Planet. Even domain registrars such as network solutions have been compromised.  Asked why they do this, whether they do it for financial gain or fun, the reply was simply boredom and info harvesting. Sometimes these things are done to obtain information about internet enemies or simple data-mining. All most of them need is a person’s ip address or cell phone number and then the fun begins.

The list goes on of all the big companies and isps that are easily accessed with a phone call. How do these phone calls work and obtain such information and access? It is simple, the average call is the hacker pretending to be some sort of management from a satellite or home office needing a small piece of information needed to perform a maintenance task that needs to be done. Most of the time the hacker knows what internal software is being used and they are able to gain the employee’s trust and confidence quickly. Tthe employee, trying to be as helpful as they can because they think they will be in trouble if they dont.

The average employee is an $8 or $9 an hour kid usually hired from a temp agency, turnover is usually very high for these positions so they are thrown in quickly in order to keep staffed. More so then not the employee is given very little training and even less training about security procedures, they would not imagine a person calling in asking for this information, knowing what software they are using and other internal aspects of the company who was not really management.

In some situations where companies use internal private networks to access admin functions the employee is socialed into down loading and executing malware which the hacker can connect to to and use the employee’s computer as a proxy to access functions on the private network. Some companies have web admin panels to access to private network from a remote location for telecommuting, usualy the login is the same as the employee’s admin login which can be accessed by anyone on the internet.

I investigated everything in this article in the last 3 months and was able to see first hand of the access these hackers have. From seeing screenshots and even listening in on some of the calls I was surprised at how easy it is to be done. You would think most of these companies would be prepared for this and train their employees. And you would also suppose that datacenters and isps would be extra aware as they deal with hackers on a daily basis in one form or another.

VOIP and exclusively skype is the number one tool for these exploits, now more so then ever with VOIP social engineering has reached new frontiers. VOIP communications is not be to totally blamed though, companies will have to prepare for new threats and bolder tactics. As proven time and time again human error will compromise even the most advanced of technologies.