TDoS (telephony denial of service) attacks are targeting essential public services such as hospitals, swamping their switchboards so legitimate calls can’t get through.
In the spring of 2013, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a warning about such attacks, which were then zeroing in on emergency call centers.
The emergency call center assaults, which tied up systems and prevented legitimate calls from getting through, were sent by extortionists initially claiming to represent a payday loan collections company.
When the target failed to cough up the demanded money, the attackers launched a TDoS.
More recently, according to an article published on Monday from the New York Times, scammers are posing as debt collectors seeking repayment on loans purportedly taken out by individuals or employees at places such as hospitals.
When they meet resistance, the scammers are again threatening to bring down phone lines, and then they flood the lines with repeated calls sent automatically over the internet, knocking businesses’ and government agencies’ phones offline for legitimate callers.
Besides one hospital, other essential public services such as a sheriff’s office in the US state of Texas and a Coast Guard cutter have been attacked, the NYT reports.
The DHS said in October that there have been over 200 such attacks identified against public sector groups.
The NYT describes a TDoS that happened two years ago to a Texas hospital’s intensive care unit. The CIO for the hospital chain, who requested anonymity so as to protect the hospitals, told the newspaper that the unit’s phone lines were knocked out of commission for about 6 hours because of the TDoS onslaught of robocalls.
Another TDoS was unleashed on the phone lines of several emergency dispatch centers in Tarrant County, Texas, last year.
That attack and others launched against emergency dispatch call centers skipped over 911 lines, but emergency hotlines aren’t always spared in TDoS attacks.
Case in point: UK police in April 2012 arrested two teenage boys following a series of prank calls and TDoS attacks launched against the Anti-Terrorist Hotline.
As the NYT notes, like most internet-enabled fraud, these schemes are tough to track and investigate. The calls, relying on automatic dialing software and internet phone services, enable huge volumes of calls to be placed at very low cost, hidden in layers of anonymity, from anywhere in the world.
Some victims pay the demanded money.
Ralph A. Gagliardi, agent in charge with the Colorado Bureau of Investigation’s identity theft and mortgage fraud units, told the NYT that he traced payments from the victim in one such attack in Colorado to Nigeria via an intermediary in Florida.
Succumbing to extortion is not what law enforcement advise, of course.
At the time of the emergency call centre attacks, the DHS and FBI have offered these recommendations for targeted organisations:
- Don’t pay the blackmail.
- Report all attacks to the FBI by logging onto the website www.ic3.gov. Use the keyword “TDoS” in your report title. If applicable, identify your organisation as a public safety answering point (PSAP) or Public Safety organization.
- List as many details as possible, including:
- Calls logs from the “collection” call and TDoS
- Time, date, originating phone number and traffic characteristics
- Call-back number to the “collections” company or requesting organization
- Method of payment and account number where the “collection” company requests the debt to be paid
- Any information that you can obtain about the caller, or his/her organization
- Contact your telephone service provider; they may be able to assist by blocking portions of the attack.
There are also telephone security technologies out there. That is, in fact, what the hospital chain CIO turned to. He told the NYT that the solution he plugged in has been effective.
If you have more tips about protecting your business, or yourself, against telephony scams, vishing (i.e., phishing for people’s private information over the phone) or your own stories of dealing with robocalls, please share them in the comments section below.Follow @NakedSecurity