from Hacker News

I Dialed a Wrong Number and Stumbled into International Phone Fraud

by nols on 12/2/16, 1:47 PM with 107 comments

  • by Guest98123 on 12/2/16, 3:05 PM

    I have a related story. I was in North America, looking for an apartment in Australia. At the time I'd buy phone cards for long distance calls, and they'd always work fine.

    So, I used the phone card, and tried to call someone about an apartment that looked great. According to the advertisement, it was a woman that owned the apartment and she had an extra bedroom she was renting. I called, and a man answered. It went like this...

    Him: Hello

    Me: Hi, I was calling about your apartment for rent online.

    // Dogs barking in the background fairly loudly.

    Him: Sorry, what was your name?

    Me: John Doe

    Him: It's difficult to hear, could you hold on a moment?

    Me: Sure

    // He puts down the phone, and it sounds like he's taking the dogs outside or to another room. In the background a TV is playing. I'm getting annoyed, but he finally returns 4 or 5 minutes later.

    Him: Are you still there?

    Me: Yes

    // A woman starts talking to him from inside the house.

    Him: Sorry, just give me one more moment.

    // He starts talking and arguing with her. I wait two minutes, then hang up.

    After the call, I was frustrated. The apartment sounded great online, but what a nightmare; dogs barking, people yelling at each other, and they wasted 10 minutes of my time. So, I moved on, and tried calling others. Sometimes I'd get through to the person, sometimes I'd get errors about not being able to reach the number. Fast forward a week, I changed my plans, and started looking at apartments in another Australian city, hundreds of kilometers from the first. I call for an apartment, and guess what I hear? That's right, the same recording from above. Now, I was confused. I didn't even expect it was a recording the first time. But, how was I getting the recording from a completely different number, in a different city? I called back, because I was getting curious at that point. To my surprise, someone answered the second time, and it was actually the person from the advertisement I was trying to call. It became obvious at that moment that someone in the middle was hijacking calls, and trying to keep people on the line as long as possible.

  • by wpietri on 12/2/16, 2:56 PM

    Long ago I did some contract coding for a company that processed donations via credit card. To my amazement, we had to watch out for people trying to donate small amounts to the Red Cross. Why? Because people with a list of possibly-valid credit card numbers would use small donations to brand-name charities as a way of validating credit cards.

    It made me long for some sort of professional association that kept track of naughty uses of technology. It's easy to think only about the happy path. But there are all sorts of unsavory people out there: abusers, mobsters, thieves, authoritarian governments. Once I know how they think, I can defend against them. But keeping up with how they think has always been a challenge for me.

  • by MichaelGG on 12/2/16, 2:59 PM

    A real great scam recording is the following: A "maid"-sounding voice answers, pretends to not understand for a second, then says "oh yeah I'll go get them". In the background there's a TV and people talking. I've had it happen to me twice, and it was effective on keeping me on the line, despite not having a TV or the woman not sounding like anyone I know.

    Margins in telecom can be super thin. Diverting, say, 1% of traffic to fake answering could mean increasing profits by 10%. If the scammer doesn't go overboard, users won't complain. They'll just say "the wires got crossed" and redial.

  • by djsumdog on 12/2/16, 7:44 PM

    The article mentions VoIP being the issue, but comments here show issues with calling cards as well. It's not VoIP, it's trusting your service provider, the destination service provider and everything in-between.

    If you dial via a calling card, everything goes through their proxy before being handed off.

    I've run into problems with services like Telegram not accepting my Google Voice number (my own real US number) and the recent NIST recommendations also state not to use SMS as 2-factor verification (citing VoIP concerns).

    We have TLS/LetsEncrypt/etc to verify we're talking to who we think we're talking to on the Internet, but phone networks come from a previous era.

    I worked for a telcom once in one country where if they no longer held a phone number (it got ported to another network), we just send it to all the other providers. The network that currently held the number would relay it and the others dropped it. I actually wrote the job to actually compare the ported number list and only forward to the right destination. Telecom is janky as shit.

  • by nwilkens on 12/2/16, 5:26 PM

    Last year I recorded a bunch of calls on a hacked pbx.. I wasn't expecting to hear regular calls of folks who didn't even know they were being routed through a hacked pbx system.

    https://www.mnxsolutions.com/security/i-accidentally-recorde...

  • by rm_-rf_slash on 12/2/16, 2:49 PM

    The problem with stopping fraud is that people generally do not fight fraud as hard as fraudsters fight to keep their income.

  • by acveilleux on 12/2/16, 3:28 PM

    The "free" phone conference service work in a somewhat similar way. There's a fee charged for long distance call even in the US/Canada. The fee is low enough that most people now get free long distance.

    The free phone conference services are terminated at tiny little telcos that charge a much higher than normal fee for a north american long distance and the fee is split between the conference service operator and the telco (which may or may not be the same.)

    Some of these services cannot be dialed via some VOIP providers (like Google Talk) for that reason.

  • by z0r on 12/2/16, 8:23 PM

    When i was travelling in italy with a lycamobile sim card, i experienced what i think is something like this - when i tried to call numbers i would often get a busy signal or unavailable phone number message, but repeated attempts after a wait would sometimes go through. It became apparent that not all was on the level when i heard the real versions of those messages and figured out that lycamobile (at least i assume it was them, who else can i blame here?) was part of the time intentionally failing to allow calls to go through and masking that action by making it seem like the telephone number was wrong or unavailable. Often calls that did go through were dropped after 1 - 3 minutes... And that's just the worst part of the experience i had with them (the most charitable interpretation of how far the service fell short of what their website promised would be that they hire solely non-native english writers for all their marketing copy, but i suspect they are actively attempting to deceive prospective customers)

  • by at-fates-hands on 12/2/16, 3:08 PM

    Interesting to note that Phreaking is still very much alive and kicking.

    Most of the hackers I know gave up on Phreaking once hacking became popular in their circles. To me, there will always be something more fascinating about the telephone infrastructure.

  • by ikeboy on 12/2/16, 3:30 PM

    Sounds like the solutions needs to be orders of magnitude larger fines than the amount that would be gained. If each individual user is only losing $1-3, they won't or can't fight it, and the company also won't in many cases. If the minimum payout/fine for such a scam was, say, $100 per occurrence and that was written into all the contracts, there'd be enough incentive at every stage for companies to clean up their act.

  • by telesilla on 12/2/16, 11:27 PM

    A colleague had a $700 telco bill because of a scammer making calls to Cuba via his PBX. He had never changed the default password. Hard lesson to learn.

  • by chrischen on 12/3/16, 12:14 AM

    So is it that easy to establish as a call operator? Considering how much secure stuff we do over the phone, this seems highly insecure.

  • by spraak on 12/2/16, 4:49 PM

    I still don't understand, how do the scammers actually get paid?

  • by OliverJones on 12/2/16, 8:21 PM

    FreeConferenceCall (dot) com has a version of this as their business model.

  • by hipaulshi on 12/2/16, 5:21 PM

    the end of the story just made me smile :)

  • by nashashmi on 12/2/16, 5:04 PM

    tl;dr This summarizes it perfectly.

      My phone call [to a disconnected number] never actually made it to Cuba. The fraudsters make money because the last carrier simply pretends that it connected to Cuba when it actually connected me to the audiobook recording. So it charges Cuban rates to the previous carrier, which charges the preceding carrier, which charges the preceding carrier, and the costs flow upstream to my telecom carrier. The fraudsters siphoning money from the telecommunications system could be anywhere in the world.

  • by codewiz on 12/2/16, 7:44 PM

    lol: "Global capitalism abhors a vacuum."