Manila AT&T hackers tied to terrorist attack in Mumbai

The FBI and Philippines police last week arrested four men who allegedly hacked into AT&T’s customers’ PBX systems and then funneled $2 million in profits to a Saudi-based terrorist group blamed for the attacks on Mumbai three years ago.

The Philippines National Police’s Criminal Investigation and Detection Group (CIDG), working with the US Federal Bureau of Investigation (FBI), on Thursday issued a statement about the arrests, saying that they have confiscated computer and telecom equipment believed to have been used to break into customer accounts of multiple US-based telecommunications companies, including AT&T.

CIDG Police Director Samuel D. Pagdilao Jr. said in the statement that the operation was triggered by a complaint from AT&T and the FBI.

The statement identified the arrested suspects as Macnell Gracilla; Francisco Manalac and his live-in partner, Regina Balura; and Paul Michael Kwan, all of whom were arrested in Metro Manila locations.

This wasn’t Mr. Kwan’s first tie to terrorism, according to Philippines Police Senior Superintendent Gilbert Sosa. Mr. Sosa said in the statement that the suspect had previously been arrested in 2007 when the FBI cracked down on suspected terrorist cells involved in financing terrorist activities.

Mr. Sosa also said in the statement that FBI agents who have been investigating “incessant hacking” of telecommunication companies in the US since 1999 have uncovered paper trails of various bank transactions that link the Manila hackers to a Saudi-based cell whose activities include financing terrorist activities.

As it turns out, the same group who financed the Manila telecom hackers funded the 2008 terrorist attack in Mumbai, India.

The FBI in 2007 arrested Pakistani Muhammad Zamir, the suspect who they later came to believe was tied to funding both the telecom hacking and the Mumbai attack.

Zamir is a member of Jemaah Islamiyah, a militant Islamic organization in Southeast Asia that’s dedicated to the establishment of a regional Islamic caliphate incorporating Indonesia, Malaysia, the southern Philippines, Singapore and Brunei. The United Nations in 2005 added Jemaah Islamiyah to its list of terrorist organizations linked to al-Qaeda or the Taliban.

Mr. Sosa said that Zamir’s terrorist group was paying the Manila hackers to break into the PBX accounts.

How do you make money off a PBX? FBI spokeswoman Jenny Shearer told InformationWeek’s Mathew J. Schwartz that rather than break into telecoms’ trunk lines, the hackers actually targeted PBXes used by AT&T customers.

“I’m not sure if other telephone companies’ customers were targeted,” she said in a phone conversation with Mr. Schwartz, noting that the FBI’s investigation is ongoing.

The Guardian quoted a source who they said was familiar with the situation as saying that after the hackers broke into the AT&T customers’ phone systems, they then placed calls to international premium-rate services whose payments they could then divert.

Such scams “are relatively common,” the Guardian noted, “often involving bogus premium-service phone lines set up across Eastern Europe, Africa and Asia.”

After criminals place calls to numbers stolen from hacked business phone systems or mobile phones, they then collect their cash and move on before they can be detected, leaving telecommunications carriers to foot the bill.

Whatever profits the hackers squeezed out of the trunk lines were diverted to the terrorists’ account, while the hackers were paid on a commission basis via local banks.

According to Philippines police, the FBI in March 2011 asked them for help after they found out that the group had targeted AT&T in the US using the group of hackers in Manila.

In reporting on this story, The Register’s John Leyden called out this time lag: it took eight months between the FBI’s call for help and the arrests last week.

As Leyden pointed out, this scam “was almost certainly neither technically complicated nor lucrative.” $2 million worth of calls is a drop in the bucket when it comes to cybercrime.

“There must be some doubt whether the alleged hackers knew they were working for a terrorist funding mastermind or were doing low-paid work [for] whoever bankrolled them on a no-questions-asked basis,” writes Leyden.

We write about cybercriminals all the time, from Nigerian email scams to Facebook worms (and here, in fact, is the Facebook malware du jour, featuring a Trojan posing as a photo of two blonde women).

It’s aggravating to think of being taken in by swindlers.

But it’s horrible to think of the pawns who, perhaps unknowingly, perhaps just trying to earn enough to survive in a Third World country, take part in scams that result in the slaughter of innocents.

At least 166 victims and nine attackers were believed to have been killed in the Mumbai attacks.

Let us remember them.

Let us hope that someday, black-hat hackers everywhere will find an honorable way to earn their daily bread.