Slashdot Mirror


Default Passwords Blamed In $55M PBX Hacks

An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."

9 of 102 comments

  1. That's a spicy meatball! by RickRussellTX · · Score: 4, Insightful

    I'm just amazed they found somebody willing to pay almost $5 per minute for long distance.

    1. Re:That's a spicy meatball! by stephanruby · · Score: 4, Funny

      Hey, they're terrorists! Terrorists get to set their own prices. Also, maybe there is some value in having a voice mail number traceable to a legitimate corporation in the United States. Also, the article confirmed something that I always knew deep down in my gut, telemarketers are terrorists. This makes a lot of sense actually.

  2. Which one was it? by Laser_iCE · · Score: 4, Funny

    admin or password?

    1. Re:Which one was it? by infolation · · Score: 4, Informative

      actually the DoJ papers say the PBX systems were Nortel, Lucent, Bizphone and Panasonic

  3. Telcos suck by Anonymous Coward · · Score: 4, Interesting

    12 million minutes of unauthorized phone calls through the system, valued at more than $55 million.

    ... or a lot less.
    $5 per minute?!! Just to route some packets a bit farther?
    And then telcos wonder why IP phones are eating their lunch.

    Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?

  4. Hacking? by EdIII · · Score: 5, Interesting

    These were default passwords on more than likely open ports. I would hardly call that hacking. That would be like walking by a house with an open door and saying you picked the lock by walking inside.

    One heck of an expensive lesson to the IT guys responsible. Never leave default passwords is Rule #1. Or at least in the top 3.

  5. Hackers, hacks ??!? by Alwin Henseler · · Score: 4, Insightful

    If factory-set default passwords were used to gain access to the systems and use them, what exactly did they 'hack'?

    That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?

    "Your honor, there was a gaping hole where the door used to be! I didn't even have to touch the doorknob!"
    "I don't care! Since a computer system was involved, you broke into the place, understood?"

  6. Re:$55 million by bruce_the_loon · · Score: 5, Informative

    You are forgetting the reciprocal costs of phone calls. You break out of the network to another telco, most of the time there are costs per minute. You pay for access to the circuit. Add international calls to this and the numbers climb.

    Most telcos have reciprocals in place that say if Telco A made 1000 minutes of calls to Telco B, and Telco B made 1000 minutes to Telco A, they call it quits. Now if A made 1000000 minutes to B, B wants its money. And A has nobody to send the bill to because they were stupid and didn't change the passwords.

    --
    Trying to become famous by taking photos. Visit my homepage please.

  7. Re:Feh. by mjwx · · Score: 4, Insightful

    The companies that got 'hacked' should get a serious talking to by the anti-terrorism folks.

    Am I the only one that finds this "terrorism" link a bit absurd? Having travelled in SE Asia I sincerely doubt that this money was filtered into "terrorist" hands. All that has happened here is that a small number of enterprising Filipinos have made themselves rich enough to retire (rich enough for their kids to retire in the Philippines). If they've been caught then they've just made the cops rich enough to retire as well.

    It just seems the "evil terrorist" card is played every time law enforcement fucks up and wants to keep people from questioning that.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.