(U//FOUO) FBI VoIP Server Intrusions in North Carolina Banks and Businesses

Situational Intelligence Report

  • 5 pages
  • For Official Use Only
  • July 28, 2009


(U//FOUO) This SIR has been produced in an effort to alert federal, state, and local law enforcement agencies of criminal activity with a nexus to North Carolina. The Charlotte Division has observed two similar occurrences of compromised Voice over Internet Protocol (VoIP) servers used to facilitate vishing attacks. Vishing attacks, a deviation from the term phishing attacks, use voice and text messages rather than email in attempts to trick victims into providing personal and financial account information. The following is a summary of the two identified intrusions:

• (U//FOUO) In March 2009, the Charlotte Division was notified of an intrusion into a VoIP server located at an undisclosed corporation in Greenville, South Carolina. It was determined that the intruder, using a Romanian based IP address, first conducted a port scan and determined port 5060 was utilized on the compromised server. Port 5060 is the standard port used for Session Initiation Protocol (SIP). SIP is responsible for the setup, modification, and termination of sessions in an IP-based network and is typically the protocol used for VoIP servers. Then the hacker conducted a brute force attack and was able to crack the passwords to two extensions on the VoIP server due to weak passwords. The logs show several password attempts per second, indicating a script was used by the hacker. The hacker then proceeded to make 1,376 calls from the compromised phone extensions attempting to trick victims into providing their bank account information.

• (U//FOUO) In February 2009, a non-profit organization located in Charlotte, North Carolina, experienced a computer intrusion into their VoIP server. A review of the server logs revealed IP addresses resolving to France and Florida as being responsible for the intrusion. The intrusion took place through port 5060 and compromised SIP on a server running Trixbox Community Edition. After gaining access, the hackers made approximately 1,850 calls from the compromised system. The calls were made to customers of small regional banks soliciting credit card information via touchtone phone. After victims provided their account information, “money mules” across the country made ATM withdraws using the compromised accounts and sent a portion of the proceeds to Romania.

(U//FOUO) In both examples, the compromise of the VoIP servers occurred through port 5060 and they were used in furtherance of vishing schemes. As part of the compromise, intruders set up additional extensions on the compromised VoIP servers. They then notified victims of a problem with their financial accounts through automated phone calls or mass text messages to cell phones. The calls and text messages targeted an area code served by small regional banks, including two banks headquartered in North Carolina. The messages and calls solicited customers of the banks to call a toll free number and provide their credit or debit card information through an automated system. Once the victim provided their financial account information, it made them vulnerable to having money stolen and potentially made them a victim of identity theft.

(U//FOUO) Additional investigation by the Charlotte Division revealed that companies across the United States have recently had similar compromises of their VoIP which were linked to Romanian criminals.

Share this: