Channel 4 News has learned that international fraudsters targeting UK businesses with a complex phone-hacking scam stole £30,000 from one local authority in just two days.
The hackers use widely available “war-dialling” software, which scans an organisation’s phone exchange extension by extension. Having found an out-of-use extension, the thieves crack its voicemail passcode (unused mailboxes are often still protected by a default or easily guessed PIN), giving them access to that extension’s voicemail.
Many phone systems allow users to dial into their voicemail and then place outbound calls through the exchange, a feature often called through-dialling or DISA (Direct Inward System Access). It is meant to let employees make work calls when they are out of the office, but it also lets the hackers make the exchange place calls on their behalf.
Having hacked into the voicemail, the thieves use the exchange to dial an international premium rate number (IPRN). That number is operated by the thieves, who usually rent it from one of dozens of websites offering IPRNs for hire.
Every time the thieves’ premium rate number is dialled, they make money; with calls costing up to £10 each, it is a lucrative business.
The fraudsters target organisations that operate a large number of phone lines, so public bodies such as councils are a common target. One typical victim was Hambleton District Council in North Yorkshire.
After a number of undetected preliminary attempts during mid-December last year, which the council suspects were efforts to find a vulnerable exchange, the hackers launched a full-scale attack on Christmas Day.
The target was a centre for start-up businesses operated by the council. Over Christmas Day and Boxing Day, while the council was operating a skeleton staff, the centre’s phone exchange was forced to make hundreds of unauthorised calls to IPRNs.
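The pattern described above (probing, then a burst of international calls placed through the voicemail facility while nobody is watching the phones) is exactly what a bill-shock check on the exchange’s call detail records should catch. The script below is an added example, not code from the article or from the council; the CDR format, the sample records and the dialling-prefix table are all constructed for illustration, and the facility label “DISA” and the office hours are assumptions.

```python
"""Detection logic for dial-through (voicemail/DISA) toll fraud in call detail records.

Added example, not part of the article: the CDR format, the sample records and
the prefix table are constructed for illustration. It flags calls placed through
the exchange's through-dialling facility (labelled DISA here, an assumption) to
international destinations, both when they fall outside office hours and when
they arrive in bursts from a single extension.
"""
from collections import defaultdict
from datetime import datetime

# Constructed CDR lines (assumed format):
# timestamp, originating facility, extension, dialled number, duration in seconds, cost in GBP
SAMPLE_CDR = """\
2010-12-25 02:14:07,DISA,2417,00251911234567,180,9.60
2010-12-25 02:17:52,DISA,2417,0038761123456,240,8.10
2010-12-25 02:21:30,DISA,2417,00923001234567,120,7.20
2010-12-25 02:25:03,DISA,2417,00251911234568,200,9.60
2010-12-25 02:28:45,DISA,2417,00251911234569,190,9.60
2010-12-24 10:05:11,STATION,2101,01609779977,60,0.05
2010-12-24 11:40:00,STATION,2105,00331234567890,300,0.40
"""

# Illustrative prefix table (UK international access code 00 followed by the country code);
# a real deployment would use a complete numbering-plan table.
PREFIXES = {"251": "Ethiopia", "387": "Bosnia", "92": "Pakistan", "33": "France"}

WORK_START, WORK_END = 8, 18  # assumed office hours, 08:00-18:00
BURST_THRESHOLD = 3           # DISA international calls per extension per hour before alerting


def parse_cdr(text):
    """Parse constructed CDR lines into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, facility, ext, number, duration, cost = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "facility": facility,
            "ext": ext,
            "number": number,
            "duration": int(duration),
            "cost": float(cost),
        })
    return rows


def destination(number):
    """Classify a dialled number as domestic or by country; the longest matching prefix wins."""
    if not number.startswith("00"):
        return "domestic"
    digits = number[2:]
    for prefix in sorted(PREFIXES, key=len, reverse=True):
        if digits.startswith(prefix):
            return PREFIXES[prefix]
    return "international (unknown)"


def is_out_of_hours(ts):
    """True when the call falls outside the assumed office hours."""
    return not (WORK_START <= ts.hour < WORK_END)


def flag_fraud(rows):
    """Return alert dicts: one per out-of-hours DISA international call, one per hourly burst."""
    alerts = []
    per_hour = defaultdict(list)
    for r in rows:
        dest = destination(r["number"])
        if r["facility"] != "DISA" or dest == "domestic":
            continue  # station-originated or domestic calls are not dial-through fraud
        if is_out_of_hours(r["ts"]):
            alerts.append({"kind": "out_of_hours", "ext": r["ext"], "dest": dest,
                           "number": r["number"], "ts": r["ts"]})
        hour = r["ts"].replace(minute=0, second=0)
        per_hour[(r["ext"], hour)].append(r)
    for (ext, hour), calls in per_hour.items():
        if len(calls) >= BURST_THRESHOLD:
            alerts.append({"kind": "burst", "ext": ext, "hour": hour, "calls": len(calls),
                           "cost": round(sum(c["cost"] for c in calls), 2),
                           "destinations": sorted({destination(c["number"]) for c in calls})})
    return alerts


if __name__ == "__main__":
    for alert in flag_fraud(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

Run against the sample, the two daytime calls made from ordinary handsets (one domestic, one to France) are ignored, while the five early-morning calls routed through the voicemail facility each raise an out-of-hours alert and together trip the burst rule. In practice the check belongs on a feed the exchange exports at least hourly, because by the time the monthly bill arrives the money has already gone.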
Councillor Brian Phillips of Hambleton District Council said: “It came completely out of the blue. They were calls to places like Ethiopia, Bosnia and Pakistan. We were hit for £30,000.
“That is public money and has to be paid by the taxpayer. It certainly comes out of the council tax they pay, and might have an effect on other services.”
The council says it is contractually obliged to pay the bill. It has since secured its systems and is warning other councils to do the same.
Local police are investigating, but due to the international nature of the fraud, many such investigations prove fruitless.
Richard Cox, a forensic phone expert, said: “This is conventional cyber crime – it just uses the telephone network instead of the internet. Once they’ve run the fraud, if they suspect that law enforcement are onto it, they can make their entire tracks disappear very quickly indeed.
“Because of the middle-men phone companies it’s not going to be at all easy to get the information that law enforcement need without getting court orders in multiple countries. Something for which the resources are just not there.”
But it’s not just organisations at risk of premium rate fraud. The hackers are now developing techniques to worm their way into mobile phones.
Malicious apps - how to avoid getting stung
• Look at the publisher of the app (that's the name usually listed alongside the name of the app itself). Make sure it really is the company that makes the app. If you're not sure, search online before downloading.
• Look carefully at the permissions you're granting the app before you download it - look out for permission to use "services which cost you money".
• If the app seems not to install properly, or not to work, uninstall it immediately, and then keep checking your mobile phone statement online (or over the phone with your network operator) for any unauthorised charges.
• If there's anything amiss, speak as soon as possible to your mobile network operator. If that doesn't work, talk to PhonePayPlus, the premium rate regulator.
Last year thousands of phone owners were caught out by a highly-organised, pan-European scam targeting mobile apps – the small programs such as games which users can download at the click of a button.
Hackers created malicious code and then packaged it to look like legitimate, popular apps before making them available for download. Once on the phone, the app sent three text messages costing £5 each. So clever was the computer code that it stopped the phone owner from seeing that any messages had been sent, covering its tracks.
In just a few days the fake apps were downloaded 14,000 times across 18 countries. In the UK alone, the app netted £28,000.
PhonePayPlus, the premium rate regulator, has today fined the company which supplied the premium rate text numbers which enabled the scam – and all UK victims have had their money returned.
But the actual designer of the malicious app – believed to be based in Russia – has never been caught. Just like the phone exchange fraudsters, he or she uses the international nature of the modern phone system to escape prosecution.
And with millions of pounds on offer, it’s unlikely the scammers will hang up any time soon.
Geoff White is technology producer for Channel 4 News.