DoS for phones: "busy signal service" clobbers the phone-lines of companies while their servers are being plundered

Brian Krebs reports on a new cybercrime service that will max-out a company's switchboard with fake phone calls as a diversionary tactic while their servers are being plundered:

For just $5 an hour, or $40 per day, you can keep anyone’s phone so tied up with incoming junk calls that the number is unable to receive legitimate calls.
The seller offers discounts for frequent buyers of his service, and promises that each call to the targeted number will appear to come from a unique phone number, thereby foiling any efforts to block the bogus calls by caller ID. The vendor also is offering this service under escrow payment, which many fraud forums use to ensure both parties to a transaction are happy before payment is rendered.

Busy Signal Service Targets Cyberheist Victims

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Business • crime • security • web theory

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

http://profiles.google.com/alphaminus Adam Kruckenberg

Can we hire him to DOS congress over SOPA? (THIS IS SATIRE. I AM IN NO WAY ADVOCATING THE USE OF ANY SUCH SERVICE TO DISRUPT THE LEGISLATIVE PROCESS)
- awjt
  
  You must be a Republican. They would NEVER try to stand in the way of government doing its job.
http://grathio.com Steve Hoefer

I know, from watching movies, that server admins sit up late watching log files scroll in to detect unlawful intrusion, so I can see how distracting them with phone calls might distract them from sensing unauthorized access.

It also appears that server admins at most companies also man the phone banks in addition to their other duties.
- That_Anonymous_Coward
  
  Or they are outsourced and need to call in to get physical access to stop the machine. Or they see the intrusion and try to call out and can not get an outside line.
wolfwitch

So- they will tie up my company’s switchboard as a distraction to break into my servers? Seems silly to me, especially since it is two completely different systems and departments. Sure- I’ll get a call about it, but I would just offload it to the phone company to track down and block. I believe disrupting a communications system in this manner is also illegal in most places, possibly even in this joker’s country.
- dragonfrog
  
  I think you’re missing the point. This service comes in when the attacker already has as much control as he figures he’s going to get over your company’s banking, and decides it’s time to pull the trigger. If breaking into your servers was involved in getting that control, it happened last week or six months ago.
  
  Now it’s D-Day. The attacker pays a few bucks to tie up the phone lines for a few days. He pays a few bucks to someone else to knock the email system offline for the same period. He pays a few grand to a money mule service to help him launder your company’s money out of the country.
  
  Then he starts draining the company’s bank accounts. The bank starts sending email confirmations of the transactions, but they don’t get through. At some point, a threshold of unusual transactions is reached and the bank starts phoning the company’s finance department, but they don’t get through.
  
  Two days later, the storm ends as suddenly as it began, the IT team collapses into an exhausted sleep, and that’s when the finance departmen starts to piece together what happened.
  
  And I very much doubt that anyone offering services to enable massive financial fraud is terribly concerned the legalities.
voiceinthedistance

“Cybercrime” and “service”. Two unlikely bedfellows. I hope one of them remembered the condom, or we are in for a lot more of the same.
http://www.nathanhornby.com/ Nathan Hornby

I don’t see this as a hugely useful tool to aid traditional hacking, but it sure is a nasty way to attack a competitor… on any budget.
davidasposted

His primary contact is ICQ …?
- jerwin
  
  ICQ is owned by a Russian company. Whether or not you believe that the purchase obstructs US law enforcement, ICQ is still popular among certain cultures and subcultures.
  - davidasposted
    
    I had no idea the service was still in use. Remember the street cred gained by having a low user ID number? And it sure was useful those first couple of years playing Ultima Online…
  - digi_owl
    
    Ah, i see now. AOL sold it on in 2010. I wonder if my old code still works…
pete_thedevguy

Huh… I wonder what mr. russian icq’s software looks like. Probably something like this:
http://www.voicent.com/devnet/docs/pyapi.htm
slapphappe

I suspect the real scam here is their escrow service provider, not the DoS service. The offer to pay only after you’re a happy customer is too seductive to be real — even from “fellow” criminals. You’re shafted even before you’ve tried their service and then SOL trying to report the loss — by your own criminal intent.
SoItBegins

I’m not entirely sure this would work too well. For starters, there’s ways to get around it, including but not limited to:

• Calling the IT department directly, if everything’s not too overloaded
• Calling the IT persons’ cell phones
• Texting/IMing the IT dept
• Sneakernet message system / public address system (sadly, this only works if everyone’s in the same building)
- dragonfrog
  
  This isn’t about the IT department. They don’t care what the IT department does or knows. It’s all about knocking the accountants offline for a day or so.
digi_owl

DOSing the company switchboard you say?
https://www.youtube.com/watch?v=x3XzPhdBx9g