ALUGgers who watched this evening's "Look East" will have seen that dialup phone fraud is in the news again -- people getting phone bills for hundreds of pounds for internet calls to Vanuatu, Chile, etc. on premium rates. Some Linux-users may have seen it too!
What I'd like to ask knowledgeable folk is: how does it in fact work?
I've never seen more than a vague description of it, on the lines that when one is on line "the call is diverted to a premium rate number", apparently through some subversion of Internet Explorer.
Well, just how does that happen? Does it disconnect and then immediately dial out to a new number, unnoticed by the user? Does it change the dialup settings as originally stored in some system file and use these thereafter? By what mechanisms are these activities mediated?
This is not really a question about IE, though I'm sure that some "feature" of IE has a lot to do with it. I'm also interested in the question of how "generalisable" this mechanism might be: is it a transferable skill, so that what can be done to IE today could be done to Netscape, Mozilla, Firefox, Opera, ... , tomorrow?
(I find it reassuring that kppp throws up a window during the dialup process in which the dialog with the modem is shown, so that one can actually see what number is being dialled.)
Thanks in advance for informed replies! Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk
Fax-to-email: +44 (0)870 094 0861 [NB: New number!]
Date: 25-Nov-04 Time: 19:11:57
------------------------------ XFMail ------------------------------
On Thu, 25 Nov 2004 Ted.Harding@nessie.mcc.ac.uk wrote:
> ALUGgers who watched this evening's "Look East" will have seen that dialup phone fraud is in the news again -- people getting phone bills for hundreds of pounds for internet calls to Vanuatu, Chile, etc. on premium rates. Some Linux-users may have seen it too!
> What I'd like to ask knowledgeable folk is: how does it in fact work?
It is my understanding that a common way of delivering this attack is through a web page that says something along the lines of:
`Give us your credit card number and we'll show you some scud pics. If you don't want to give us your credit card number, click here for free mucky'
where `here' is a link to an executable that installs a dialer or modifies the registry or does both.
Many Windows users are running with administrative privileges (either because all users are `privileged' as in 95/98/ME, or because the default user type is `Computer Administrator' as in XP), so the above very often works.
Anti-virus software vendors seem to have some details in their virus libraries:
http://vil.nai.com/vil/content/v_99071.htm
for example, which warns of `pictures of scantily clad women, which may appear unexpectedly'. Scantily clad? Unexpectedly? I should coco, I was assuming they'd be naked.
On Thursday 25 November 2004 7:11 pm, Ted Harding wrote:
> ALUGgers who watched this evening's "Look East" will have seen that dialup phone fraud is in the news again -- people getting phone bills for hundreds of pounds for internet calls to Vanuatu, Chile, etc. on premium rates. Some Linux-users may have seen it too!
> What I'd like to ask knowledgeable folk is: how does it in fact work?
> I've never seen more than a vague description of it, on the lines that when one is on line "the call is diverted to a premium rate number", apparently through some subversion of Internet Explorer.
Those are usually known as porn diallers, and it is started with a yes to a "you must install application foo to view content blah". This installs a background dialler that then calls the premium rate number.
But something else struck me, that if it isn't happening already could possibly happen.
There is a file extension ".ins" that can kick off the internet connection wizard in a fairly silent mode with defined settings. You can (with a simple plain text .ins file) define every aspect of a dial up and mail (if you want) config, including "I think" if it is Explorer's default.
The trick is to get it working as a transparent proxy so you actually get a working connection just on a premium number (maybe even get mail relaying to work by intercepting all traffic on 25 and redirecting it to an open relay). Hence unless the user studies the dial up box when IE brings it up they probably wouldn't notice.
Some Macs with IE installed could also be vulnerable to this; on Macs I think there is a mime type called application/x-internet-signup that takes the same format of configuration file as the .ins on Windows.
Nasty stuff, but I don't think it would translate very well into the Linux world. It's another one of those Internet Exploder trying to be too "clever" / Windows desktop users having too high default privileges things.
At 03:26 PM 11/25/2004, Wayne Stallwood wrote:
> On Thursday 25 November 2004 7:11 pm, Ted Harding wrote:
>> ALUGgers who watched this evening's "Look East" will have seen that dialup phone fraud is in the news again -- people getting phone bills for hundreds of pounds for internet calls to Vanuatu, Chile, etc. on premium rates. Some Linux-users may have seen it too!
>> What I'd like to ask knowledgeable folk is: how does it in fact work?
>> I've never seen more than a vague description of it, on the lines that when one is on line "the call is diverted to a premium rate number", apparently through some subversion of Internet Explorer.
> Those are usually known as porn diallers, and it is started with a yes to a "you must install application foo to view content blah". This installs a background dialler that then calls the premium rate number.
> But something else struck me, that if it isn't happening already could possibly happen.
> There is a file extension ".ins" that can kick off the internet connection wizard in a fairly silent mode with defined settings.
Yes. And it turns off the speaker so the unwitting user is unaware that the machine is re-dialing.
I had a boss a couple of years ago who was not very bright. He was constantly getting these things on his PC. In addition to re-dialing, the program courteously placed a little icon on the desktop essentially "Click me for your daily Pr0n."
I recall one time I installed a new 9 Gig hard drive on his computer. Then, about a month later he came to me complaining because he had no disk space. I, somewhat shocked, thought that there must be something gravely wrong with his machine because there was no way he could fill up that amount of space. But he had. It was all porn. Tens of thousands of .jpeg's.
I quietly deleted it all and simply told him that his computer was fixed.
A month later he had it all filled up again.
It occurred to me that the amount of time this man spent downloading that stuff must have been virtually every minute of his time on the job.
I have no idea how much the phone was but it must have been astronomical.
> You can (with a simple plain text .ins file) define every aspect of a dial up and mail (if you want) config, including "I think" if it is Explorer's default.
> The trick is to get it working as a transparent proxy so you actually get a working connection just on a premium number (maybe even get mail relaying to work by intercepting all traffic on 25 and redirecting it to an open relay). Hence unless the user studies the dial up box when IE brings it up they probably wouldn't notice.
> Some Macs with IE installed could also be vulnerable to this; on Macs I think there is a mime type called application/x-internet-signup that takes the same format of configuration file as the .ins on Windows.
> Nasty stuff, but I don't think it would translate very well into the Linux world. It's another one of those Internet Exploder trying to be too "clever" / Windows desktop users having too high default privileges things.
--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.797 / Virus Database: 541 - Release Date: 11/15/2004
The missus, who works for BT, assures me that any BT customers can call 0800800150 and get premium rate number call barring for free; if you want international and premium rate call barring it'll cost you £5.45 a quarter inc. VAT.
She also said she thinks it's well worth it, as BT is very tough about making people pay their bills, but also donates the profits from these nasty diallers to Childline. Still, I bet they will still make money from it: the number of people who will splash out on international barring because of all the horror stories in the news will ensure that.
Rick
On Monday 29 November 2004 8:22 pm, Ricky Bruce wrote:
> The missus, who works for BT, assures me that any BT customers can call 0800800150 and get premium rate number call barring for free; if you want international and premium rate call barring it'll cost you £5.45 a quarter inc. VAT.
I can't see why they have to charge for it, particularly an ongoing quarterly rate. This sort of facility should be available either free or for a minimal one time set up fee. It requires no ongoing maintenance on the part of BT, so why should they charge each billing period?
Also blanket barring for international or premium rate numbers does not completely solve the problem. One time you may need to call a premium rate number (say for support to a dodgy ISP) or perhaps a relative is travelling abroad and urgently needs your help "can you call me back, I'm low on change" yeh no problem....ooops
What I believe should happen is a chargeback type system where a customer complaint is followed up by the billing authority. It works for credit cards even across national borders, so why not for telephone calls?
Anybody not wanting to play by those rules has their premium rate number barred as an outgoing call from the UK. In fact come to think of it I can't think of a legitimate reason to allow calls that terminate at a premium rate number overseas at all.
> I can't see why they have to charge for it, particularly an ongoing quarterly rate. This sort of facility should be available either free or for a minimal one time set up fee. It requires no ongoing maintenance on the part of BT so why should they charge each billing period.
agreed, just another way to fleece the consumer
> Anybody not wanting to play by those rules has their premium rate number barred as an outgoing call from the UK. In fact come to think of it I can't think of a legitimate reason to allow calls that terminate at a premium rate number overseas at all.
Depends how legitimate an addiction to foreign dirty party lines is.
Other than that, I take your point.
On Tue, Nov 30, 2004 at 02:18:16AM +0000, Ricky Bruce wrote:
>> I can't see why they have to charge for it, particularly an ongoing quarterly rate. This sort of facility should be available either free or for a minimal one time set up fee. It requires no ongoing maintenance on the part of BT so why should they charge each billing period.
> agreed, just another way to fleece the consumer
Except that the same could be argued for the cost of calls, once your line is installed there is virtually no cost to BT to make connections when you call someone, so calls should be free.
It's a difficult thing to put prices on a telephone system. Realistically the costs are virtually all installation costs with a much smaller maintenance cost. Thus to get a phone line should really cost a huge amount at installation and a small rental to cover maintenance with no call costs, but I suspect that many people would object to that approach.
On Thu, 25 Nov 2004 Ted.Harding@nessie.mcc.ac.uk wrote:
> What I'd like to ask knowledgeable folk is: how does it in fact work?
I thought these worked by supplying an ICS (Internet Connection Settings) file to the client. Windows will use these files as a specification of how it should connect to the internet (phone number to dial, PPP settings, username/password, etc.). I imagine one of these settings is 'make this the new default'.
These were intended for ISPs to supply to clients and make the setup of their internet connection easier.
The trick is to execute them on the client somehow - I suppose the holes here are the same as any remote code execution. Windows/IE/OutlookExpress have got better at warning about running things you have downloaded from the internet, but people still pick 'yes' sometimes.
[In a way, I think it has got worse with recent developments - there are now such an enormous number of warnings for executing anything that people just tend to pick 'yes', 'yes', 'ok', 'righto', 'I understand' because otherwise nothing happens.]
I imagine there are some recent wrinkles on all this, but I think the basic principle is the same - there is no magic phone diversion or reconnection going on - I think it's just changing your ISP dial-up settings for a new default.
[Windows does, of course, display information about the number being dialled - but I think you can disable this. And most people have all the username/password settings preset, don't read anything and just press 'Connect'.]
- Bob
> What I'd like to ask knowledgeable folk is: how does it in fact work?
Let us not forget viruses, trojans and spyware. These little gems sit on your machine and open peer to peer connections via various ports. What happens next is all manner of ailments start appearing on your machine, such as the dialers described in an earlier post.
On Thu, Nov 25, 2004 at 07:28:28PM +0000, Bob Franklin wrote:
> On Thu, 25 Nov 2004 Ted.Harding@nessie.mcc.ac.uk wrote:
> [In a way, I think it has got worse with recent developments - there are now such an enormous number of warnings for executing anything that people just tend to pick 'yes', 'yes', 'ok', 'righto', 'I understand' because otherwise nothing happens.]
This is exactly the reason that I think aliasing 'rm' to 'rm -i' is such a pointless exercise, in no time at all hitting 'y' is automatic and the warning gives you no protection at all against deleting files by mistake.
On 2004-11-25 19:11:57 +0000 (Ted Harding) Ted.Harding@nessie.mcc.ac.uk wrote:
> ALUGgers who watched this evening's "Look East" will have seen that dialup phone fraud is in the news again [...]
The victims connected insecure call-making devices to their phone line. While I think phone companies should set credit limits and bill monthly as a matter of course, the victims surely must have seen some news stories about Microsoft Windows insecurities?
> What I'd like to ask knowledgeable folk is: how does it in fact work?
Anything from trojans through ActiveX control exploits and beyond. You don't even need to run code on the victim's machine: just persuade it to change any one of several settings which control dialling out. Usually it's done fairly crudely and all dialup is redirected through the international rate number. That gets the hijacker money until the next phone bill arrives. They use international numbers because there's currently no easy way for the victim's telco to withhold payment in international arbitrage.
If anyone has a legitimate reason to know how to do it, contact the Telecommunications UK Fraud Forum www.tuff.co.uk and ask for a copy of P Ray's article on rogue diallers that appeared in their journal last summer. You will have to tell them why you want it! It might cost a small amount for copying and posting.
Doing it through other browsers on Microsoft Windows is probably possible. As others have mentioned, most users of that OS are running with too much access to system configuration most of the time. I think most of the other browsers have better security records than IE, though.
It is possible but more difficult to do this on GNU/Linux. Mainly, dialup configuration is usually controlled by one program (chat) and that's usually only writeable by root. chat's config file is passed in by whatever program calls it (sometimes pppd, sometimes a frontend), so you need root access *and* to rewrite the right config file. This is why suid root ppp control programs worry me, as then you may only need to overwrite the right config file...
Finally, most people don't read the "dialling" dialogues very much.
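The practical defence the replies above keep coming back to is the same on both platforms: know which number your dial-up profile is allowed to call, and make sure nothing but root (or the administrator) can rewrite the file that holds it. The script below is an added example, not code from this thread or from any of the tools mentioned. It checks two constructed inputs: an INI-style profile that imitates the layout of a Windows .ins file (the [Phone] section and Phone_Number key are assumed names, not confirmed from the page), and a pppd chat(8) script whose ATDT command carries the dial string. The classification uses the real UK prefixes 00 (international access) and 09 (premium rate); the sample numbers themselves are made up.

```python
"""Audit dial-up settings for numbers the user did not ask for.

Added example, not code from the thread.  The INI profile imitates a Windows
.ins file ([Phone] / Phone_Number are assumed key names); the chat script is
the pppd chat(8) form with a Hayes ATDT dial command.  UK prefixes used for
classification (00 international, 09 premium rate) are real; the sample
numbers are constructed."""
import configparser
import os
import re
import stat

INTERNATIONAL_PREFIX = "00"   # UK international access code
PREMIUM_PREFIX = "09"         # UK premium-rate range
ATDT_RE = re.compile(r"ATD[TP]\s*([0-9#*,+ ]+)", re.IGNORECASE)

# Constructed sample inputs (not real files, not real numbers).
LEGIT_INS = """\
[Entry]
Entry_Name=My ISP
[Phone]
Dial_As_Is=yes
Phone_Number=0845 123 4567
"""
ROGUE_INS = LEGIT_INS.replace("0845 123 4567", "00 1 555 010 0000")
SAMPLE_CHAT = """\
ABORT BUSY
ABORT 'NO CARRIER'
'' ATZ
OK ATDT08451234567
CONNECT ''
"""


def normalise(number):
    """Strip spaces, hyphens and dial modifiers so prefixes compare cleanly."""
    return re.sub(r"[^0-9+#*]", "", number)


def classify(number):
    """Bucket a dial string by prefix: international, premium or national."""
    n = normalise(number)
    if n.startswith("+") or n.startswith(INTERNATIONAL_PREFIX):
        return "international"
    if n.startswith(PREMIUM_PREFIX):
        return "premium"
    return "national"


def numbers_from_ins(text):
    """Collect every Phone_Number value from an INI-style profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [value.strip()
            for section in cp.sections()
            for key, value in cp.items(section)
            if key.lower() == "phone_number"]


def numbers_from_chat(text):
    """Collect the dial strings from ATDT/ATDP commands in a chat script."""
    return [m.group(1).strip() for m in ATDT_RE.finditer(text)]


def audit(numbers, allow_list):
    """Return (number, reason) for every dial string outside the allow-list.

    The reason names the prefix class, because an international or premium
    number that the user never signed up for is exactly what a rogue dialler
    substitutes; an unfamiliar national number is still reported."""
    allowed = {normalise(a) for a in allow_list}
    return [(num, f"{classify(num)} number not on allow-list")
            for num in numbers if normalise(num) not in allowed]


def mode_is_group_or_world_writable(mode):
    """True if a file mode lets anyone but the owner rewrite the config."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def config_writable_by_others(path):
    """Check a chat/pppd config file on disk: it should be root-owned and
    writable only by its owner, which is the condition the Linux reply above
    relies on."""
    st = os.stat(path)
    return st.st_uid != 0 or mode_is_group_or_world_writable(st.st_mode)


if __name__ == "__main__":
    allow = ["0845 123 4567"]  # the ISP number the user actually signed up for
    for label, profile in (("legit", LEGIT_INS), ("rogue", ROGUE_INS)):
        print(label, audit(numbers_from_ins(profile), allow))
    print("chat", audit(numbers_from_chat(SAMPLE_CHAT), allow))
```

Run against a copy of a profile before importing it, or against the chat script pppd actually uses: anything reported as international or premium that you did not ask for is the substitution described in this thread, and a config file that `config_writable_by_others` flags is the weak spot the Linux reply warns about with suid root PPP front ends.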
On Thu, Nov 25, 2004 at 07:11:57PM -0000, Ted Harding wrote:
> What I'd like to ask knowledgeable folk is: how does it in fact work?
I have heard of some people getting dodgy amounts on their bills (possibly some small seaside town in Norfolk, I don't recall) in the middle of the night; some of the residents don't even own a computer, so some of these occurrences are not down to dodgy dialer software at all. I'm not sure quite how this is/was happening, but it appeared that BT wanted to hush it up for obvious reasons.
Most of the other times I have heard of people getting caught with rogue diallers is by remote exploits in IE triggered via visiting a web page (I like the way that when you do a default install of WinXP it gives you a default account with elevated privileges that allow you to do *anything* to the machine) or by dodgy attachments sent via email to exploit holes in Outlook and Outlook Express. The other way is via popups; I did see one guy on the tele who said that he got lots and lots of popups in his browsing session when he clicked on the wrong link from Google or some such: "they kept asking me do I want to change my settings, yes or no; every time I clicked 'no' a new popup box would appear and the only way I could make it go away was to click on the 'yes' button."
Personally I doubt that we will see much of this attacking Linux and similar, due to most distros not giving all new users root privileges etc., and the split of clueful/not clueful who would spot an attempt at some kind of subversion via a webpage etc. is going to be much higher than that of the Windows-using masses.
The only way people are going to get better protected against this kind of scam is to either run software that requires less fiddling in a default install to make the system secure (god knows how long it takes to do WinXP; I know I haven't bothered, but then my machine is behind a half decent firewall, has anti-virus, anti-spyware and I browse using Firefox in XP, as the XP install is for the few games I play that don't have Linux versions) due to the time considerations; most/many home users won't have the knowhow or inclination to fix this, and they probably assume (and quite rightly: the assumption should be made that a default install of any OS should be at least slightly secure imho) that a default install of Windows should protect them against most nasties without input on their behalf, but then that's Microsoft for you, who make it "easier" for you to do things on your computer while at the same time making it easier for all the nasty people on the internet too.
On top of that, when broadband/adsl/whatever you want to call it, becomes much cheaper for low end services much more of this problem will hopefully go away as the machines are at least no longer on a dialup modem, and if the people buy a half decent router it will offer a firewall that will be better than what comes with Windows by default.
Adam