WEBVTT

00:00:00.000 --> 00:00:00.030
[BIRDS CHIRPING]

00:00:00.030 --> 00:00:05.340
JACK: It’s just before dawn on a February morning in a quiet residential neighborhood in Karachi,

00:00:05.340 --> 00:00:11.970
a city in Pakistan. Pakistan’s Chief Intelligence Officer, Mir Mazhar Jabbar, is walking towards the

00:00:11.970 --> 00:00:17.250
home of a hacker who he’s been tracking for over two years. Behind Jabbar is a team of Pakistani

00:00:17.250 --> 00:00:23.670
police officers. Jabbar arrives at the front door and knocks. [KNOCKING] You’re probably already

00:00:23.670 --> 00:00:29.310
aware the FBI has a Top 10 Most Wanted Criminals list, but what you may not know is the FBI also

00:00:29.310 --> 00:00:36.210
puts out a Cyber’s Most Wanted list, which is a list of the FBI’s most-wanted hackers. Jabbar and his

00:00:36.210 --> 00:00:42.270
team are about to raid the house of one of FBI’s Cyber’s Most Wanted. Just then the door opens.

00:00:42.270 --> 00:00:54.690
Jabbar and his team forcefully push the door open and raid the house. [SHOUTING AND BANGING]

00:00:54.690 --> 00:01:01.560
JACK: This is Darknet Diaries, true stories from the dark side of the internet. I’m Jack Rhysider.

00:01:01.560 --> 00:01:11.690
ADAM: They did the whole thing in a single weekend when nobody was in the office.

00:01:11.690 --> 00:01:14.480
JACK: That’s Adam Finch, a victim to one of these types of attacks.

00:01:14.480 --> 00:01:18.260
ADAM: We didn’t even know about it until a month later when we got the bill.

00:01:18.260 --> 00:01:19.970
JACK: He’s talking about his phone bill.

00:01:19.970 --> 00:01:23.480
ADAM: The bill was $24,000 more than normal.

00:01:23.480 --> 00:01:25.430
JACK: Why was it so high?

00:01:25.430 --> 00:01:29.090
ADAM: The bill said we had called multiple pay-per-minute numbers.

00:01:29.090 --> 00:01:32.360
JACK: Like 1-900-SEX and psychic chat lines?

00:01:32.360 --> 00:01:38.220
ADAM: Exactly. We tried to refute the charges with the telephone company,

00:01:38.220 --> 00:01:41.190
telling them we didn’t make these calls.

00:01:41.190 --> 00:01:43.140
JACK: What did they say?

00:01:43.140 --> 00:01:45.240
ADAM: They basically said tough luck,

00:01:45.240 --> 00:01:55.920
pay up. We did go to the police but they didn’t seem to care and ultimately gave us no help.

00:01:55.920 --> 00:02:01.410
JACK: Adam didn’t want me to reveal what company he worked for because it’s embarrassing for the

00:02:01.410 --> 00:02:11.580
company. Adam’s company did pay the charges though, because there was no other option.

00:02:11.580 --> 00:02:16.620
You may be wondering why somebody would break into an office and rack up an enormous phone bill for

00:02:16.620 --> 00:02:22.740
someone else. But here’s the crux of the hack; the hackers were dialing pay-per-minute numbers that

00:02:22.740 --> 00:02:31.650
they owned. With this attack they literally are turning other people’s phones into ATMs.

00:02:31.650 --> 00:02:38.190
There are two main methods hackers use to do this. Method one - the hacker will call a desk

00:02:38.190 --> 00:02:44.790
phone in a random office. [PHONE RINGING] But it’s 7:00 p.m. and it’s Friday so nobody picks

00:02:44.790 --> 00:02:51.209
up. The call goes to voicemail but some phones have the ability to check voicemail remotely.

00:02:51.209 --> 00:02:51.294
VOICEMAIL: To access your voicemail, please enter your PIN followed by the pound key.

00:02:51.294 --> 00:02:58.740
JACK: The hacker will first try the last four digits of the phone

00:02:58.740 --> 00:03:03.930
number. [DIALING] This is usually the default PIN for a voicemail box. Once

00:03:03.930 --> 00:03:07.244
they get into voicemail they’re looking for a specific configuration option.

00:03:07.244 --> 00:03:07.344
VOICEMAIL: To activate do not disturb, press 1. To change your permanent forwarding number, press 2.

00:03:07.344 --> 00:03:18.690
JACK: Bingo. Call forwarding. The hacker sets the call forwarding number to be the number of

00:03:18.690 --> 00:03:25.020
their pay-per-minute line. Now the next time anyone dials a phone it will place a new call

00:03:25.020 --> 00:03:32.830
to the pay-per-minute line. [RINGING, HANGS UP] Method two - this method is a little bit more

00:03:32.830 --> 00:03:39.160
involved. Many companies are adopting voice over IP, or VOIP, phones in their office. This is where

00:03:39.160 --> 00:03:45.130
the phone plugs into the regular office network and not the plain old telephone system. Most of

00:03:45.130 --> 00:03:51.700
the VOIP phones are dumb. They don’t know what to do without the help of another system. That other

00:03:51.700 --> 00:03:58.750
system is called a Private Branch Exchange, or PBX. When someone picks up the handset of a phone,

00:03:58.750 --> 00:04:03.490
the phone freaks out and says to the PBX, help! Someone just picked up the handset. What do I do?

00:04:03.490 --> 00:04:10.750
The PBX is very friendly and says calm down. Just play a dial tone. [DIAL TONE] When the

00:04:10.750 --> 00:04:16.240
user pushes a number, the phone panics again and asks for help again. The PBX says don’t worry,

00:04:16.240 --> 00:04:21.130
just play a digit tone. [DIGIT TONE] This continues until the user pushes enough numbers

00:04:21.130 --> 00:04:29.290
and the PBX connects the call. [RING TONE] But the problem is the PBX is sometimes too helpful.

00:04:29.290 --> 00:04:37.360
Nobody taught it who can and can’t make calls. It wasn’t properly secured. Anyone who knows

00:04:37.360 --> 00:04:45.810
the IP address of an insecure PBX can make phone calls that originate from that office. With this

00:04:45.810 --> 00:04:52.890
method hackers find the IP address of PBXs and try to make a call using that PBX. They configure

00:04:52.890 --> 00:04:56.220
their phone [TYPING], pick up the handset [HANDSET NOISE], and check for a dial tone. [HANDSET NOISE]

00:04:56.220 --> 00:05:01.530
This takes patience by the hacker because they have to hunt and poke into the darkness of the

00:05:01.530 --> 00:05:10.080
internet, but eventually they pick up the phone and hear a dial tone. [DIAL TONE] To a PBX hacker

00:05:10.080 --> 00:05:16.890
that is the sound of money. [DIALING] Now the hacker begins making calls to the pay-per-minute

00:05:16.890 --> 00:05:23.190
numbers. [DIALING] They use robo-dialers, dialing hundreds of times a day or thousands of times in

00:05:23.190 --> 00:05:30.450
a weekend. Calls are made to Guinea, East Timor, Lithuania. Every minute connected results in

00:05:30.450 --> 00:05:36.690
more money for the hacker. More and more calls are made. More and more minutes are racked up and this

00:05:36.690 --> 00:05:44.420
continues until someone somewhere notices the calls and stops them. [PHONE HANGS UP]

00:05:44.420 --> 00:05:50.150
I guess my question is why can’t the victim go to the phone company to refund the charges?

00:05:50.150 --> 00:05:55.160
PAUL: Because the phone company doesn’t cover consequence and losses. My name is Paul Byrne,

00:05:55.160 --> 00:05:59.870
I work for a company called UC Defence which I founded to mitigate

00:05:59.870 --> 00:06:04.310
the threat of the crime of toll fraud or otherwise commonly known as PBX hacking.

00:06:04.310 --> 00:06:07.610
JACK: Paul has been protecting companies from PBX hackers since

00:06:07.610 --> 00:06:11.690
2012. He says the phone companies have a legal right to collect any

00:06:11.690 --> 00:06:15.440
fees their customers accrue. This is usually spelled out in the contract.

00:06:15.440 --> 00:06:18.170
PAUL: Yeah, the victim tends to be found liable.

00:06:18.170 --> 00:06:24.050
JACK: But most importantly, the PBX is not property of the telecom. It’s owned by the

00:06:24.050 --> 00:06:28.730
victim. It was the victim’s own negligence of security that resulted in this attack.

00:06:28.730 --> 00:06:33.530
Just like when an ISP gives a company an internet connection, they aren’t liable

00:06:33.530 --> 00:06:38.810
if that company gets hacked. How much is PBX hacking costing people yearly?

00:06:38.810 --> 00:06:45.680
PAUL: The best evidence is from the Communications Fraud Control Association. They estimate that PBX

00:06:45.680 --> 00:06:51.470
hacking is costing the business community in excess of ten billion dollars per annum.

00:06:51.470 --> 00:06:55.250
JACK: That number, ten billion, has doubled in the last four years.

00:06:55.250 --> 00:06:58.400
PAUL: There’s absolutely no doubt that fraud is on

00:06:58.400 --> 00:07:02.120
the rise and it’s primarily due to the vulnerabilities around VOIPs.

00:07:02.120 --> 00:07:06.410
JACK: These VOIP vulnerabilities are simply that companies aren’t taking the steps to

00:07:06.410 --> 00:07:11.390
secure their PBX correctly. Often a business doesn’t have anyone capable of configuring a

00:07:11.390 --> 00:07:16.790
PBX so they outsource the job to a contractor. But they often go with the cheapest contractor

00:07:16.790 --> 00:07:24.020
to save money which results in an insecure or hastily-configured PBX. It’s not an easy task

00:07:24.020 --> 00:07:29.510
to properly secure a PBX. Since the PBX must be on the internet to receive incoming calls,

00:07:29.510 --> 00:07:34.280
you can’t simply block all incoming access to it. To further complicate things,

00:07:34.280 --> 00:07:40.850
some offices have mobile workers who have their office desk phone at home. Now a PBX needs to

00:07:40.850 --> 00:07:46.730
be configured to allow calls initiated from the internet. It’s a delicate balance between

00:07:46.730 --> 00:07:51.650
what’s allowed and what’s not allowed. What’s the average bill for a victim?

00:07:51.650 --> 00:07:56.780
PAUL: What we’re seeing is a company with an average of a hundred users on the phone system;

00:07:56.780 --> 00:07:59.780
they get compromised on a Friday night. On Monday

00:07:59.780 --> 00:08:03.560
morning their phone bill will be in the region of 60,000 Euros.

00:08:03.560 --> 00:08:06.560
JACK: Are the police able to help victims of this crime?

00:08:06.560 --> 00:08:12.140
PAUL: No, because the police aren’t aware of this. They’re used to other types of crimes

00:08:12.140 --> 00:08:17.600
that they know how to investigate but when this incident occurs, they don’t have the resources

00:08:17.600 --> 00:08:22.520
to even understand what the crime means and how they would go about investigating it.

00:08:22.520 --> 00:08:27.680
JACK: As Paul said, the police just aren’t equipped to handle international crimes. Calls

00:08:27.680 --> 00:08:37.910
are almost always going to foreign countries such as East Timor, Cuba, Latvia, even Zimbabwe. Many

00:08:37.910 --> 00:08:43.100
of these crimes don’t get reported. Companies fear bad publicity if they say they’ve been

00:08:43.100 --> 00:08:52.670
hacked. Sometimes victims contact the FBI but the FBI is usually only interested in threats against

00:08:52.670 --> 00:08:59.390
the government or the country or crimes that were over one million dollars in damages. Most of this

00:08:59.390 --> 00:09:05.960
PBX hacking is in the tens of thousands. The FBI does appreciate when people report the crime,

00:09:05.960 --> 00:09:14.450
since it helps them collect data to build a case. In 2012 the FBI did receive enough reports about

00:09:14.450 --> 00:09:20.900
PBX hacking that they began looking at the data. Somehow they were able to track down who was

00:09:20.900 --> 00:09:26.450
making these phone calls. While looking at the data, patterns began emerging which eventually

00:09:26.450 --> 00:09:35.770
led them to two men. [ELECTRONIC MUSIC] Farhan Arshad and Noor Aziz Uddin. Somehow the FBI found

00:09:35.770 --> 00:09:42.430
out that the two men were on a flight to Kuala Lumpur in Malaysia. The FBI contacted Interpol

00:09:42.430 --> 00:09:49.810
to arrest the two men. Within hours of the two hackers arriving in Kuala Lumpur, Interpol raided

00:09:49.810 --> 00:09:55.900
their hotel and arrested both of them. The FBI was thrilled and began sending extradition requests to

00:09:55.900 --> 00:10:05.710
Malaysia. But after being held for sixty days, the Malaysian Attorney General let them both go

00:10:05.710 --> 00:10:13.840
free. [MUSIC ENDS] According to the official report the Malaysian Attorney General said,

00:10:13.840 --> 00:10:19.360
“The arrest warrant obtained by Malaysian Home Ministry violated the technicalities involved in

00:10:19.360 --> 00:10:25.900
the requirements of the Extradition Act of 1992.” Malaysia believed they had arrested these two men

00:10:25.900 --> 00:10:32.110
illegally. Farhan and Uddin both immediately fled the country, got out of Malaysia, and went back

00:10:32.110 --> 00:10:42.226
to Pakistan. The very next month the FBI indicted both men and they added them to the Cyber’s Most

00:10:42.226 --> 00:10:48.220
Wanted list and offered a $50,000 bounty for any information leading to the arrest of either one of

00:10:48.220 --> 00:10:55.180
them. I’m looking at the indictment form now and it shows a list of victims that were targeted by

00:10:55.180 --> 00:11:00.430
these hackers. I want to share with you the top three highest charges that I see on this list.

00:11:00.430 --> 00:11:08.350
A company in Carlstadt, New Jersey is claiming that they lost $78,000. A company in Englewood,

00:11:08.350 --> 00:11:15.830
New Jersey is claiming they lost $83,000. But the highest one on the list is the township

00:11:15.830 --> 00:11:22.010
of Parsippany-Troy Hills in New Jersey. They’re claiming these hackers racked up a phone bill of

00:11:22.010 --> 00:11:33.650
$395,000. According to the indictment report the FBI claims these men dialed for thirteen million

00:11:33.650 --> 00:11:41.270
minutes from 4,800 different hacked phone numbers. Once the FBI had a warrant for their arrest they

00:11:41.270 --> 00:11:46.700
notified Pakistan, which is where they thought these two men were living. In Pakistan the FIA

00:11:46.700 --> 00:11:52.400
began researching it. The FIA is the Federal Investigation Agency, similar to the CIA in the

00:11:52.400 --> 00:12:01.400
US. The Chief Security Officer of the FIA is Mir Mazhar Jabbar and for years the FIA had no leads

00:12:01.400 --> 00:12:07.520
towards catching these two individuals. Then the FIA got a tip. Somebody had claimed they knew the

00:12:07.520 --> 00:12:13.550
cellphone number of Uddin. The FIA then worked with the telephone company to track down the GPS

00:12:13.550 --> 00:12:21.950
coordinates of that cell phone. That’s when Jabbar raided the home of Uddin. Not only did he catch

00:12:21.950 --> 00:12:30.500
Uddin but Arshad was there in the house too, and both men were arrested on February 14, 2015. It’s

00:12:30.500 --> 00:12:34.820
ironic, don’t you think? These two phone hackers were brought down because their phone number

00:12:34.820 --> 00:12:42.170
became known? In total the FBI claims they cost fifty million dollars in damages. What did Uddin

00:12:42.170 --> 00:12:47.360
do with the money? He purchased about fifty plots of land around Karachi, his home town in Pakistan,

00:12:47.360 --> 00:12:55.940
and was even investing about $400,000 in various local business ventures. Now, two years later,

00:12:55.940 --> 00:13:03.890
both men continue to sit in a prison in Pakistan, still awaiting their trial and sentencing. These

00:13:03.890 --> 00:13:09.500
two men were arrested for PBX hacking but there are thousands of other PBX hackers that haven’t

00:13:09.500 --> 00:13:15.200
been caught. Even though we don’t know who they are or where they are, we do know one

00:13:15.200 --> 00:13:23.661
thing for certain: PBX hacking will continue until security improves. [DIALING] [BUSY TONE]

00:13:23.661 --> 00:13:23.674
[OUTRO MUSIC]

00:13:23.674 --> 00:13:40.180
JACK: You’ve been listening to Darknet Diaries. For show notes and links, check

00:13:40.180 --> 00:13:47.530
out darknetdiaries.com. Music is provided by Ian Alex Mac, Sro, Hicham Chahidi, and Podington Bear.

00:13:47.530 --> 00:14:00.490
[OUTRO MUSIC ENDS]

00:14:00.490 --> 00:14:01.570
[END OF RECORDING]
