Hacked PBXs used to make $55 million worth of international phone calls

Jun 15, 2009 12:42 GMT

Three people were indicted in New Jersey and five were arrested in Italy for participating in an international telecommunications fraud scheme that involved hacked PBX boxes. The Italian authorities noted that part of the illegal gains was being used to finance fundamentalist Islamic groups.

According to the indictment (PDF), posted by Security Fix, Mahmoud Nusier, Paul Michael Kwan and Nancy Gomez, all residing in Manila, Philippines, are accused of hacking into private branch exchange (PBX) systems belonging to customers of AT&T and Sprint and selling the illegally obtained access to a group of Pakistani citizens running a call center business in Italy.

The operation lasted from October 2005 to December 2008, and the PBX systems were compromised mainly by means of default passwords. The Italian call center operators paid the hackers around $100 for each hacked PBX.

The call centers attracted customers by advertising lower international call rates, which they were able to provide by routing the traffic through the compromised PBXs. This was achieved by either a "loopback" or a "passcode" method.

The loopback technique involves connecting to the PBX, giving it the caller's own number, and having it call them back. Once this was done, the line was kept open and another phone call was made from the PBX to the actual intended destination. With this method, the entire cost of the call was borne by the company owning the compromised system.

The passcode method is a more direct approach, in which the operators called the hacked PBX themselves and were billed for this call by their provider, but the call to the final destination was made from the PBX. This allowed them to be charged a lot less than they would have been for calling the destination directly.
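Both methods leave the same trace in a PBX's call detail records: an international outbound leg with no internal extension on it, placed while another extension-less trunk leg is still open. The detection sketch below is an added example, not taken from the indictment or the article; the record layout, the `+1` home prefix, the 120-second window and all sample numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Leg:
    direction: str      # "in" or "out", seen from the PBX trunk
    remote: str         # far-end number, E.164
    start: int          # seconds since the start of the log
    end: int
    ext: Optional[str]  # internal extension on the leg, None if no extension was involved

HOME_PREFIX = "+1"      # assumption: anything outside this prefix is international
SETUP_WINDOW = 120      # assumption: onward leg is dialled within 2 minutes of the anchor leg

def flag_toll_fraud(legs):
    """Flag international outbound legs bridged to another extension-less trunk leg.

    An inbound anchor leg matches the "passcode" pattern, an outbound one
    (the callback) matches "loopback". Returns (pattern, anchor, destination)."""
    hits = []
    for onward in legs:
        if onward.direction != "out" or onward.ext is not None:
            continue    # calls placed from a real extension are out of scope here
        if onward.remote.startswith(HOME_PREFIX):
            continue
        for anchor in legs:
            if anchor is onward or anchor.ext is not None:
                continue
            opened_first = 0 < onward.start - anchor.start <= SETUP_WINDOW
            still_open = anchor.end >= onward.start
            if opened_first and still_open:
                pattern = "passcode" if anchor.direction == "in" else "loopback"
                hits.append((pattern, anchor.remote, onward.remote))
                break
    return hits

# Constructed sample records; all numbers are made up.
SAMPLE_CDR = [
    Leg("out", "+440000000003", 100, 400, "2101"),     # employee call, has an extension
    Leg("in",  "+390000000001", 1000, 1900, None),     # caller dials in, enters passcode
    Leg("out", "+920000000002", 1030, 1890, None),     # PBX places the onward call
    Leg("in",  "+390000000001", 3000, 3020, None),     # caller leaves a callback number
    Leg("out", "+390000000001", 3030, 3900, None),     # PBX calls back, line stays open
    Leg("out", "+920000000004", 3050, 3890, None),     # second call to the real destination
]

if __name__ == "__main__":
    for hit in flag_toll_fraud(SAMPLE_CDR):
        print(hit)
```

The employee call and the callback leg itself are not flagged: the first carries an extension, and the second has no open extension-less leg preceding it.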

The four Pakistanis running the call centers were not only using the hacked PBXs for themselves, but also selling the access to third-party call center operators from Spain and other countries. The indictment notes that the abusive calls totaled over 12 million minutes and resulted in phone bills of more than $55 million.

Mahmoud Nusier, Paul Michael Kwan and Nancy Gomez are charged with conspiracy to commit wire fraud, access device fraud and computer hacking, and are facing sentences of 20 years in prison each.