Read: You will be billed $90,000 for this call: Mikko Hypponen (F-Secure) on Dialers, telephone fraud, mobile malware
Read: You will be billed $90,000 for this call 2: F-Secure detects trojan malware in mobile game
These fraud phone numbers are built so that they actually fund money back to the person who’s operating the number. And this means that these numbers will work from anywhere in the world and they will work for cell phones. So if you compare these numbers to the 1-900 numbers here in USA, well, you can call this from USA, you can call from cell phones and they would generate money to the person operating it. They do all the things that you cannot do with 1-900 numbers, and they will work from any country in the world, any phone, anywhere in the world will be able to call these numbers and they will fund money back to the operator.
And these calls, illegal call terminations, are also known as Short Stopping or Long Lining. And the basic idea is actually very simple. Let’s for example, assume that we wanna make a phone call from here in Nevada to Somalia, Eastern Africa. And I would object that minute price from AT&T or Sprint it was 2 dollars 55 cents a minute when you make a call like that, which is pretty expensive. But you can understand because Somalia is far away, it’s a developing country, all that, you know.
Now, the trick is, when you call one of the fraud numbers, for example the number going to Somalia, it actually won’t go to Somalia. The call gets disconnected, for example in Florida or Canada or Australia or the Netherlands. And they keep the rest of the money. And calling Florida from Nevada costs you a couple of cents, which means they get to keep over 2 dollars a minute of extra.
And this is what’s known as Short Stopping or Long Lining, illegal call terminations: they are terminating the call before it actually reaches the place. So, when your phone was infected by 3D Anti-Terrorist Trojan, when your phone was calling the South Pole, it actually didn’t call the South Pole. But you paid for the call to the South Pole, and someone else, the virus writer, got the money instead.
So, how do you actually create a number like this? How do you create a number that uses these call terminations or shortstopping? Well, you just go online and you search for this, and you’ll find several operators that are selling numbers exactly like these: international premium rate numbers in Zaire, in Madagascar, in Cameroon, in Niger and elsewhere.
This is World Premium Telecom, they are selling numbers in Latvia, Belarus, Sierra Leone, Lithuania, Kosovo, Myanmar, Georgia, and that’s Georgia the country, not the state. Another one of these operators is selling numbers in, yes, Afghanistan, Albania, again Antarctica.
And these are all based on the same idea that the calls are terminated before they reach their actual destination and the money is funded back. And these provide daily payments or weekly payments. You don’t have to wait for 30 days. Fraud checking that’s being done by these guys, well I don’t really know, but I am guessing it’s not nearly as stringent as that would be by a real phone operator. And there is no legislation, there is no FTC governance. It’s really hard to actually figure out where these guys operate themselves.
And if you just think about this, here is the list of one of these operators, they are selling, look at this, they are selling numbers in North, God damn, Korea, right there. You can buy a North Korean number, +358 goes to North Korea, which of course never goes to Korea, but can be used for exactly this. And now, I’m sure there is some logical perfectly fine explanation why somebody would like to buy a number like this, which would make sense, which wouldn’t be illegal phishing in any way. I am sure there is some explanation, but I can’t figure it out. I can’t imagine a non-shady reason why somebody would like to have a phone number in North Korea and get extra money out whenever somebody calls that number.
If you can figure it out you tell me. And these operators, like I said, these are fairly easy to find, again, I am sure there are logical reasons why they keep doing this and why this is not really being regulated.
Some of them seem to be very touchy about this subject. I’ve made a short blog post about this when I was researching background for this talk, mentioning a couple of these operators and I immediately started getting threats from one of these operators. So, they seem to be a bit touchy about the fact that somebody starts looking at their operations. What I got were just nasty emails, nobody was trying to beat me up.
And there are a lot of problems if you have an international phone number like these, like, for example, numbers used by 3D Anti-Terrorist Trojan, I wasn’t able to figure out who operated those numbers, like which of these companies was running those numbers. There is no way to do that. No way that I am aware of. Which means, there is no way you can actually complain. How do you get such a number shut down if you can’t figure out who is the operator behind?
These are pretty nasty problems. Those numbers, those 8 numbers used by 3D Anti-Terrorist Trojan are now shut down, they don’t work anymore. I don’t know how and who did it, because we sure didn’t do it. We tried, tried to get them down but couldn’t find any party to report them to.
And of course, eventually, virus writers will realize that it is easier to make money by infecting phones than it is by infecting computers. Because you have this built-in billing mechanism on phones that you do not have in computers. And also, let’s remember that there are more phones on this planet than computers. But of course, this hasn’t happened yet. And my numbers on the difference between the amount of malware on the Windows side and the amount of malware on the phone side are nicely illustrated by these figures, showing the difference between the size of the Sun and the size of the Earth.
So, there really is a world of difference right now. Really, not very likely today to get infected by mobile phone attack, not even the kind of stuff that the 3D Anti-Terrorist Trojan has done. Yes, there were global infections but even then the numbers were polling hundreds more than, or not, maybe in thousands, but not more than that. So, the problem really isn’t there. It could be but it isn’t.