TDoS (telephony denial of service) attacks are targeting essential public services such as hospitals, swamping their switchboards so legitimate calls can’t get through.
In the spring of 2013, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a warning about such attacks, which were then zeroing in on emergency call centers.
The emergency call center assaults, which tied up systems and prevented legitimate calls from getting through, were launched by extortionists initially claiming to represent a payday loan collections company.
When the target failed to cough up the demanded money, the attackers launched a TDoS.
More recently, according to an article published on Monday by the New York Times, scammers are posing as debt collectors seeking repayment on loans purportedly taken out by individuals or employees at places such as hospitals.
When they meet resistance, the scammers are again threatening to bring down phone lines, and then they flood the lines with repeated calls sent automatically over the internet, knocking businesses’ and government agencies’ phones offline for legitimate callers.
Besides one hospital, other essential public services such as a sheriff’s office in the US state of Texas and a Coast Guard cutter have been attacked, the NYT reports.
The DHS said in October that there have been over 200 such attacks identified against public sector groups.
The NYT describes a TDoS that happened two years ago to a Texas hospital’s intensive care unit. The CIO for the hospital chain, who requested anonymity so as to protect the hospitals, told the newspaper that the unit’s phone lines were knocked out of commission for about 6 hours because of the TDoS onslaught of robocalls.
Another TDoS was unleashed on the phone lines of several emergency dispatch centers in Tarrant County, Texas, last year.
That attack and others launched against emergency dispatch call centers skipped over 911 lines, but emergency hotlines aren’t always spared in TDoS attacks.
Case in point: UK police in April 2012 arrested two teenage boys following a series of prank calls and TDoS attacks launched against the Anti-Terrorist Hotline.
As the NYT notes, like most internet-enabled fraud, these schemes are tough to track and investigate. Automatic dialing software and internet phone services enable huge volumes of calls to be placed at very low cost, hidden in layers of anonymity, from anywhere in the world.
Some victims pay the demanded money.
Ralph A. Gagliardi, agent in charge with the Colorado Bureau of Investigation’s identity theft and mortgage fraud units, told the NYT that he traced payments from the victim in one such attack in Colorado to Nigeria via an intermediary in Florida.
Succumbing to extortion is not what law enforcement advise, of course.
At the time of the emergency call centre attacks, the DHS and FBI offered these recommendations for targeted organisations:
- Don’t pay the blackmail.
- Report all attacks to the FBI by logging onto the website www.ic3.gov. Use the keyword “TDoS” in your report title. If applicable, identify your organisation as a public safety answering point (PSAP) or Public Safety organization.
- List as many details as possible, including:
  - Call logs from the “collection” call and TDoS
  - Time, date, originating phone number and traffic characteristics
  - Call-back number to the “collections” company or requesting organization
  - Method of payment and account number where the “collection” company requests the debt to be paid
  - Any information that you can obtain about the caller, or his/her organization
- Contact your telephone service provider; they may be able to assist by blocking portions of the attack.
There are also telephone security technologies out there. That is, in fact, what the hospital chain CIO turned to. He told the NYT that the solution he plugged in has been effective.
If you have more tips about protecting your business, or yourself, against telephony scams, vishing (i.e., phishing for people’s private information over the phone) or your own stories of dealing with robocalls, please share them in the comments section below.
The WEB sure has made committing crimes easy, you used to have to scope out a place, break a window and climb in to steal something, now just smoke and mirrors (IP addresses)
This is not a web thing. It rather is some installation and setup shortcoming. Make your vendors protect your voice servers the same way as commercial servers are hopefully protected. Without the installation of such tools, no large E-commerce server would be able to take any orders.
… telephony guys just need to learn how the net works and what tools are used in the rest of the net 😉
So all of the article’s ‘victims’ are in the USA… New York and Texas from what I read, with the most recent case referenced as Spring 2013 (almost a year ago…) You then mention a case from April 2012 where those originating the scam (kids) were immediately arrested. What’s the point of this Article other than scaremongery?
The 2nd line of recommended advice is “report to the FBI” – what!? This is clearly a cut & paste job from a US written article.
The UK Telecoms industry would never let this happen and would be certainly quick to shut it down, like how Premium Rate scams are handled.
If you’re going to write on Sophos make it relevant, current & accurate.
It sounds like (and I could be wrong) you’re assuming that Sophos writes exclusively for a UK audience. That’s a rather silly assumption. I used to live in Tarrant County, Texas, and several of my current clients are there currently. This article was both informative and helpful. The time period mentioned is recent enough to still be of concern.
Thank you for the article, Lisa! I always appreciate reading what you post.
Would it be glaringly stating-of-the-obvious to tell you that I, as do most writers, I’m sure, live for feedback like what you just gave me? It brings to mind a recent favorite from The Oatmeal about content creators: http://theoatmeal.com/comics/making_things.
In short, 10 positive comments + 1 negative comment=me wanting to jump off the roof.
I’m so glad you found the article informative and helpful, and thank you for letting me know that. I shall live to post another day. 🙂
Regarding timeliness, the DHS put out a warning a few months ago, in October 2013. The FBI advice was mentioned in my previous article about TDoSes against emergency service centers.
I can only assume that Sophos has readers outside of the UK (unbelievable right?!) and they want to warn those readers of any security threat.
Even though the stated events happened a year or more ago, it would be nice to know what security technologies can be used to mitigate the threats.
I’m so sorry I didn’t spell out which technologies you can use, but if you look at the NYT article, the CIO mentions one such that you might want to evaluate. I shy away from mentioning products, since I wouldn’t want to seem to be endorsing any particular vendor. (Except LastPass! Whooooo hooo!)
If any readers have had good experiences with a particular vendor’s telephone security product, I’d be interested to hear about it.
O, and yes, you got it: Sophos does have many readers outside the UK! Quite a few in the US, I do believe—including yours truly!
There is no such thing as ‘TDoS’ attacks. It is a marketing term dreamed up by vendors and LEAs to acquire funding and attract attention.
This is just a layer-7 DDoS attack which happens to target telephony services. We don’t call DDoS attacks against Web sites ‘WDoS’ attacks, do we? In fact, DDoS attacks originated on the old POTS phone network prior to the invention of the ARPANET, much less the modern Internet.
Agree. There is a small segment of hype around this but we have tested some of these solutions in our lab and they cannot stop callers with random numbers or media no matter what they claim. Try it for yourself.
I’d like to know more about how these calls are blocked. It would seem you’d have to have whoever’s providing your telephone service block junk calls while letting good ones through, but there are so many different layers of telephone companies and long distance providers that it seems more complicated than preventing a regular DDOS. Is it the case where every situation is different? (If every junk call is coming from Skype, for example, you just block Skype temporarily, though you’ll also lose legitimate callers from Skype.)
I treat all phone calls unless I know the caller as a scam. Hopefully they will share details around of phone numbers which are a waste of time, just as they share good ones.
Most unsolicited and scams are quickly evident because of the form of my name that they use. All I need is voice recognition on my landline and whenever they use that form of my name, it could say “scam alert”. Extend this to a blacklist of phrases such as “consumer survey”, “Microsoft support” – the verbal equivalent of “suspected spam”.
Interesting article, Ms. Vaas. It seems that maybe we have made it too easy to use these tools made convenient by the internet against us. What happens when Telecom does away with analog switches totally? My provider is hounding me now to go with their digital (VOIP) service. Am I any safer? I’ve been a Tech for over 30 years. I’m fast becoming a Luddite.
Keep up the good work. I enjoy your insights.