Mahmoud Nusier, 40; Paul Kwan, 27 and Nancy Gomez, 24, each were charged with conspiracy to commit wire fraud, possession of unauthorized access devices and two counts each of unauthorized access to computer systems, the U.S. Department of Justice said Friday in a news release. The unsealing of the indictments coincided with Italian police conducting raids that resulted in the arrests of at least five Pakistani financiers who used the hacked networks to offer cheap rates at their call centers to anyone who wanted to use them.
Using the hacked networks of the U.S. companies alone, between October 2005 and December 2008, individuals were able to place more than $55 million in calls lasting 12 million minutes, authorities said. The victims included the companies whose systems were hijacked and long-distance carriers, such as AT&T, who routed the calls.
The hackers were able to break into the telephone networks, known as private branch exchange (PBX) systems, by using brute force attacks that allowed them to guess the default passwords, authorities said. The three Filipino defendants were paid $100 for each system they successfully exploited.
"This was an extensive and well-organized criminal network that worked across continents," Acting U.S. Attorney Ralph Marra Jr. said. "The hackers we've charged enabled their conspirators in Italy and elsewhere to steal large amounts of telecommunications capacity, which could then be used to further or finance just about any sort of nefarious activity here or overseas."
Peter Thermos, CTO of Palindrome Technologies, a technology risk management company, said he expects to see more incidents of telecom fraud in the next few years.
Thermos told SCMagazineUS.com on Monday that many organizations that have implemented PBX systems, which largely are VoIP based, are not properly configured or secured. He said management often is unable to recognize the threats posed to its networks.
"Basically, [this case] confirms earlier sentiments on VoIP security where companies fall victim to fraudsters due to poor security controls," he said.
PBX hacking appears to be a global problem.
In May, the Commission of Communications Regulation (ComReg) in Ireland issued an alert to businesses, warning them to the dangers of PBX hacking. The notice said that often times, businesses are unaware when they have been victimized and can lose thousands of euros as a result.
"These hacking incidents tend to occur predominantly during out-of-office hours where the perpetrators gain remote access to private exchange belonging to the business by hacking through unsecured points within the telephone system," ComReg Chairman John Doherty said in the notice.
If convicted, the defendants in this case face up to 25 years in prison and fines of up to $250,000.