humble3d
Posted April 6, 2013

DHS Warns of ‘TDos’ Extortion Attacks on Public Emergency Networks

As if emergency responders weren’t already overloaded: Increasingly, extortionists are launching debilitating attacks designed to overwhelm the telephone networks of emergency communications centers and personnel, according to a confidential alert jointly issued by the Department of Homeland Security and the FBI.

[Image: “TDos” warning]

The alert, a copy of which was obtained by KrebsOnSecurity, warns public safety answering points (PSAPs) and emergency communications centers and personnel about a recent spike in so-called “telephony denial-of-service” (TDoS) attacks:

“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities. Dozens of such attacks have targeted the administrative PSAP lines (not the 911 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. This type of attack is referred to as a TDoS or Telephony Denial of Service attack. These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”

According to the alert, these recent TDoS attacks are part of a bizarre extortion scheme that apparently starts with a phone call to an organization from an individual claiming to represent a collections company for payday loans. The caller usually has a strong accent of some sort and asks to speak with a current or former employee concerning an outstanding debt. Failing to get payment from an individual or organization, the perpetrator launches a TDoS attack. The organization will be inundated with a continuous stream of calls for an unspecified, but lengthy period of time.

DHS notes that the attacks can prevent both incoming and/or outgoing calls from being completed, and the alert speculates that government offices/emergency services are being “targeted” because of the necessity of functional phone lines. The alert says that the attacks usually follow a person with a heavy accent demanding payment of $5,000 from the company because of default by an employee who either no longer works at the PSAP or never did. The full alert is reposted here (PDF).

A much shorter version of this alert appeared in January 2013 on the Web site of the Internet Crime Complaint Center (IC3), which warned of another twist in these TDoS attacks:

“The other tactic the subjects are now using in order to convince the victim that a warrant for their arrest exists is by spoofing a police department’s telephone number when calling the victim. The subject claims there is a warrant issued for the victim’s arrest for failure to pay off the loan. In order to have the police actually respond to the victim’s residence, the subject places repeated, harassing calls to the local police department while spoofing the victim’s telephone number.”

Neither alert specifies how these call floods are being carried out, but KrebsOnSecurity has featured several stories about commercial services in the underground that can be hired to launch TDoS attacks.

According to a recent report from SecureLogix, a company that sells security services to call centers, free IP-PBX software such as Asterisk, as well as computer-based call generation tools and easy-to-access SIP services, are greatly lowering the barrier-to-entry for voice network attackers.

The company says TDoS attacks can be difficult to detect, because the attacker typically changes the caller ID on every call. From their report:

“This makes it very difficult even for service providers to detect the attacks. Unless these attacks can be quickly traced back to an originating carrier that typically does not generate many calls to the contact center, they are very difficult to differentiate from legitimate calls. The attacks also typically move through multiple service providers, making them time consuming to trace back to the source.”

SecureLogix said TDoS attacks can employ simple audio content, including white noise or silence (which could be dismissed as a technical problem), foreign language audio (representing a confused user), or repeated DTMF patterns.

“These are simple techniques, with future attacks likely using other types of mutating audio. In the future, these attacks will be much more severe. By simply generating more calls or using more entry points to the [target] network, many more calls can be generated, resulting in a very expensive attack or one which degrades the performance of a contact center, rendering access unavailable to legitimate callers and potentially impairing brand image.”

_http://krebsonsecurity.com/2013/04/dhs-warns-of-tdos-extortion-attacks-on-public-emergency-networks/

Telephony Denial-of-Service Attacks Prompt Federal Attention

The call-center equivalent of network-based denial-of-service attacks, known as telephony denial-of-service (TDoS), has targeted emergency services among other industries, enough to garner attention from the Department of Homeland Security, Federal Bureau of Investigation, Federal Communications Commission and others in a confidential alert memo, Krebs on Security reported.

The DHS and FBI issued a “situational awareness bulletin” in response to a series of attacks targeting the telephone lines of administrative public safety answering points (PSAPs), the call centers responsible for fielding emergency calls for police, ambulance, fire and other emergency services. The alert is addressed to PSAP and emergency communications center personnel. It also notes that criminals have launched similar attacks "targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications."

According to the bulletin there has not yet been a successful attack affecting emergency 911 lines.

The report explains that the TDoS attacks highlighted in the memo are part of an extortion scheme in which attackers impersonate a collections agency representative collecting an outstanding (and fictional) payday loan debt worth $5,000. The callers, according to the bulletin, have strong accents and ask to speak with current and former employees regarding the alleged debt. Once it is clear that the target of the coercion attempt is not going to pay the fee, the attacker launches the TDoS attack that, if successful, inundates the call-center with call traffic and ultimately overwhelms it, potentially making it impossible to complete ingoing and outgoing calls.

The alert does not provide technological details explaining how these types of attacks work.

Krebs said that TDoS attacks are difficult to detect and mitigate because attackers often change their caller identification from call to call, making the malicious phone traffic seem legitimate.

TDoS attacks are not a new phenomenon; Arbor Networks started noticing an increase in attacks targeting telephony system infrastructure and released a report detailing the use of TDoS attacks as part of larger attack campaigns in July 2012. They claimed that the method is a relatively cheap option for cybercriminals looking into diversifying their attack vectors.

_http://threatpost.com/en_us/blogs/telephony-denial-service-attacks-prompt-federal-attention-040113?utm
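
The SecureLogix excerpt quoted above names the one signal that survives per-call caller ID changes: a surge from an originating carrier that normally sends few calls. The Python below is an added example, not part of the original post or the quoted articles, that applies that check to call detail records; the record layout, carrier names, phone numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def parse_cdr(line):
    # Constructed record layout: epoch_seconds,carrier,caller_id,duration_seconds
    ts, carrier, caller, dur = line.strip().split(",")
    return int(ts), carrier, caller, int(dur)

def detect_tdos(lines, window=60, surge=5.0, min_calls=10, unique_ratio=0.9):
    """Flag (carrier, window) pairs whose volume far exceeds that carrier's
    usual rate while nearly every call carries a different caller ID."""
    callers = defaultdict(list)              # (carrier, window index) -> caller IDs
    for line in lines:
        ts, carrier, caller, _ = parse_cdr(line)
        callers[(carrier, ts // window)].append(caller)
    if not callers:
        return []
    indexes = [w for _, w in callers]
    span = range(min(indexes), max(indexes) + 1)
    alerts = []
    for carrier in sorted({c for c, _ in callers}):
        counts = [len(callers.get((carrier, w), [])) for w in span]
        # Baseline taken from the same capture for brevity; in practice use history.
        baseline = max(median(counts), 1)
        for w, count in zip(span, counts):
            if count < min_calls or count < surge * baseline:
                continue
            ratio = len(set(callers[(carrier, w)])) / count
            if ratio >= unique_ratio:
                alerts.append((carrier, w * window, count, round(ratio, 2)))
    return alerts

def build_sample():
    """Constructed CDRs: ten one-minute windows from two hypothetical carriers."""
    rows = []
    for w in range(10):
        base = w * 60
        for i in range(8):                   # carrier-A: steady, repeat callers
            rows.append(f"{base + i * 7},carrier-A,555010{i % 5},180")
        rows.append(f"{base + 1},carrier-B,5550199,120")  # carrier-B: ~1 call/min
        if w >= 8:                           # flood: 30 short calls, new ID each
            for i in range(30):
                rows.append(f"{base + 2 + i},carrier-B,5557{w}{i:02d},3")
    return rows

if __name__ == "__main__":
    for alert in detect_tdos(build_sample()):
        print(alert)
```

Each alert is a tuple of carrier, window start in seconds, call count and the share of distinct caller IDs in that window.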