F-Secure’s Chief Research Officer Mikko Hypponen speaks on telephone fraud schemes leading to money theft.
Hi everybody, my name is Mikko Hypponen, and we’ll be spending the next 30 minutes in this turbo talk talking about ‘You will be billed 90,000 dollars for this call’.
So, let me just outline real quick the company I represent. F-Secure has 850 people in 22 countries. We’ve been around for 22 years, researching viruses. For the last 10 of those, one of our focus areas has been mobile malware, mobile attacks of various kinds. So we’ve analyzed viruses on Symbian, on iPhone, on BlackBerry, on Android and so on. So that’s one of the things we do, although most of our revenues come from working with ISPs (Internet service providers) to protect traditional Windows computers.
But I really want to start by asking you a question: how many of you had one of these? (See image) Yes, they were great devices, U.S. Robotics. Funny thing, when I tried to find its image, I found it on the U.S. Robotics website. U.S. Robotics is still around. They’re still around today. They have 120 employees, which was a bit of a surprise to me, sort of disappeared but…
So, that’s the modem, that’s how we used to get online. In fact, we all used their modems. In fact, some of our computers still do. Fact is my ThinkPad, which is like 3 years old, still has a modem slot for a telephone line. Of course it’s never connected to a telephone line anymore, but there is a modem.
And back then, when everybody used to have a modem and it used to be connected to a telephone line, we had a problem. Particularly a problem that used to be known as Dialers, or more specifically Porn Dialers [1]. So, Windows Trojans that would infect your computer and then start making phone calls with your modem. And then charge money back to you.
Quite a few of these were obvious to the user, tailored to the user with the EULA [2] that said, you know, we will show you porn images or porn movies and as we show them to you, we’ll at the same time be making phone calls to a 1-900 number.
And people, of course, ignored that completely because they never read EULAs, especially if they’ve just downloaded an application to look at porn, they’re just gonna ignore that. So, this was a problem, and this actually was something that many antiviruses put quite a lot of effort into detecting. But this problem went away. We haven’t seen new Dialers using built-in modems to do this in quite a while. Because nobody has modems anymore, we all, today, go online with our Wi-Fi, with our DSL modems, which can’t be used to issue calls to 1-900 numbers and so on.
So, in a nutshell, the point of the talk is here (Code snippet 1). That’s a code snippet to make a ping, to send one ping packet. Basically this code snippet right here, which is some Linux source code somewhere, creates a connection between two devices, that’s what it does. Right? Very simple. Let me show you another code snippet (Code snippet 2). This code snippet makes a telephone call. This is actually code from a smartphone system, actually it’s from the Symbian system. It makes a telephone call, which is a connection between two devices. Right, you follow me?
So, basically, these two things do the same thing: they create a connection between two devices.
However, there’s one crucial difference. When the code from snippet 1 of sending ping packet is executed, no money is being moved. When the code from snippet 2 is executed, this is actually a money transaction. It actually moves money around, because when you make a phone call, you pay for the call.
Now, imagine if traditional virus writers who write Windows viruses today would have such an easy mechanism to extract money from infected computers. That would be like their red dream. Of course, they don’t have that. So they have to go through these, frankly, very complex mechanisms of extracting money from infected computers. Like dropping a spambot on the infected computer, then sending spam through the infected machine, trying to advertise Viagra, then selling Viagra. You know, it’s pretty complicated. Or dropping a keylogger on an infected Windows box. Then waiting for the user to go online to make online purchases, getting his credit card number, then using his credit card number to make purchases, getting yourself laptops, reselling them. Again, very complicated. Yet, this is what they are doing. Although this is complicated, they still do this. If they would have a direct mechanism of just extracting money straight off from infected computers, it would be their dream. But they don’t have that. They used to have it 10 years ago when we had modems, they don’t anymore.
So, there’s another problem with these premium rate numbers. Well, there is quite a bit of difference, worldwide, when we look at these premium rate numbers that we can dial, and which actually cost you extra money. Here in the USA, these are the 1-900 numbers. You go to other countries, you pretty much have this in every single country around the world. In Finland, where I am based, these are the 0-700 numbers and they can charge you anything from 10 cents a minute to 9 dollars a minute or something like that.
Now, 1-900 numbers have several problems from the point of view of the attackers. First of all, you have to have an initial investment to get started, you have to actually pay money to subscribe to one of these services that outsource 1-900 phone lines. Typically around 900, maybe 1000 dollars to get started, which is a barrier.
The second problem is that the FTC [3], which regulates this in the USA, has a measure that there has to be an audio warning or preamble at the beginning of the call, telling you where you’re calling and who runs it, who owns it, and how much you’re gonna pay.
Even more importantly, if you run fraud, for example if you would have a Dialer today that would automatically issue calls to a 1-900 number, and would do it completely illegally, without the user knowing, users would realize, they would see this, they would complain and this would be shut down before any money is moved to the criminal. This has been designed just to prevent fraud like this. You don’t get the money immediately. There’s a 30 day delay before the number owner gets the money out of the calls, which is pretty neat in preventing fraud like this.
One thing which was a bit of a surprise to me, and I realize this, is that here in the USA you can’t call premium rate numbers from a cell phone. You can’t. They only work from land lines. Of course land lines are going away. Everywhere else, as far as I know, they do work, like local premium rate numbers anywhere in Europe, anywhere in Asia, do work from cell phones. Of course they do. I don’t actually know why you can’t call a 1-900 number here in the USA, but you can’t. Which means, if somebody wants to write a smartphone trojan to call premium rate numbers, they can’t use a 1-900 number.
And the last barrier is that these numbers are not international. From the USA you can’t call a 0-700 premium rate number in Finland; it will not work. From Finland if I try to call a 1-900 number it won’t work. I’ll actually play you an audio clip of what happens when I try to use my phone in Finland to dial one of your numbers: “The call you are attempting to place is not allowed from this line, please dial 611”. It basically says that you just can’t reach this number. The call is not allowed from your area code, basically you can’t do this internationally.
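As an added example (not code from the talk or from F-Secure), the following Python scan flags premium-rate calls in a device’s outgoing-call log using the 1-900 and 0-700 prefixes the talk names, and classifies each hit by the rules the talk describes: domestic premium numbers bill, foreign ones do not connect, and 1-900 numbers are not allowed from US cell phones. The per-minute rates, the per-started-minute billing and the sample call records are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Premium-rate prefixes the talk names: 1-900 in the USA, 0-700 in Finland.
PREMIUM_PREFIXES = {"US": ("1900", "900"), "FI": ("0700",)}
# Constructed per-minute rates used only for the estimate (not real tariffs).
RATE_PER_MINUTE = {"US": 2.99, "FI": 9.00}

@dataclass
class CallRecord:
    number: str   # as dialled, any formatting
    seconds: int  # call duration

def normalise(number: str) -> str:
    """Keep digits only, so '+1 (900) 555-0199' and '19005550199' compare alike."""
    return re.sub(r"\D", "", number)

def premium_country(number: str):
    """Return the country whose premium-rate prefix the number carries, or None."""
    digits = normalise(number)
    for country, prefixes in PREMIUM_PREFIXES.items():
        if digits.startswith(prefixes):
            return country
    return None

def scan_call_log(records, home_country, mobile):
    """Flag premium-rate calls; status follows the talk, cost is per started minute (assumption)."""
    flagged = []
    for rec in records:
        country = premium_country(rec.number)
        if country is None:
            continue
        cost = 0.0
        if country != home_country:
            status = "not reachable (premium numbers are not international)"
        elif country == "US" and mobile:
            status = "not allowed from a US cell phone"
        else:
            status = "billable"
            minutes = -(-rec.seconds // 60)  # ceiling division: started minutes
            cost = round(minutes * RATE_PER_MINUTE[country], 2)
        flagged.append({"number": rec.number, "country": country,
                        "status": status, "estimated_cost": cost})
    return flagged

# Constructed sample log: one ordinary call, one 1-900 call, one 0-700 call.
SAMPLE_LOG = [
    CallRecord("+1 555 0100", 45),
    CallRecord("1-900-555-0199", 600),
    CallRecord("0700 555 0101", 61),
]
```

Run `scan_call_log(SAMPLE_LOG, "FI", mobile=True)` to see the Finnish 0-700 call billed for two started minutes while the 1-900 call is reported as unreachable.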
[1] Porn Dialers are malware that infect a computer system and use the internet connection to dial a premium-rate telephone number, such as a “1-900 number” in the U.S., and leave the line open, which adds up the cost of the call to the user. This is a common way of stealing money from the victim.
[2] EULA (end-user license agreement) is a contract between the licensor and purchaser, establishing the purchaser’s right to use the software.
[3] FTC (Federal Trade Commission) is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act. Its principal mission is the promotion of consumer protection and the elimination and prevention of what regulators perceive to be harmfully anti-competitive business practices, such as coercive monopoly.