Internet-based attacks hit emergency call centers. What's the damage?
Hundreds of emergency call centers nationwide have been hit with Internet-based phone-blocking attacks, part of a criminal extortion scheme that aims to clog the centers used to dispatch emergency services, according to federal law-enforcement authorities and cyber experts.
Since January, more than 200 public-safety answering points (PSAPs) – administrative call centers where 911 calls are routed after having been received – have been bombarded with “telephony denial of service” (TDoS) attacks that last several hours, according to the Department of Homeland Security’s Emergency Management and Response – Information Sharing and Analysis Center (EMR-ISAC).
So far, the 911 lines that directly receive emergency calls have not been hit. Instead, the attacks have prevented incoming and outgoing calls from reaching the PSAP centers, which dispatch emergency services.
“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities,” according to a confidential alert jointly issued by DHS and the Federal Bureau of Investigation in mid-March. “Dozens of such attacks have targeted the administrative PSAP lines (not the 911 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls.”
The DHS-FBI alert appeared Monday on the website of cybersecurity blogger Brian Krebs. But a March 23 “InfoGram” from the EMR-ISAC said the attacks had grown, hitting “over 200 Public Safety Answering Points ... around the country.”
Authorities have not yet identified the type of attack. While it’s theoretically possible to organize an all-human calling campaign against the emergency call centers, these attacks appear likely to be computer-generated via Internet-connected voice services, cybersecurity experts say.
The TDoS attacks are part of an extortion scheme, federal authorities say. It begins with a phone call to a call center from an individual claiming to represent a collections company for payday loans. The caller “usually has a strong accent of some sort and asks to speak with a current or former employee concerning an outstanding debt,” the March alert said. The person with the accent demands payment of $5,000 from the call center because of default by the employee, who either no longer works at the PSAP or never did, authorities say.
If nobody pays the requested $5,000, the person then launches a TDoS attack. Typically, the PSAPs being targeted are then swamped by a continuous stream of calls that goes on for hours, blocking incoming and outgoing calls.
Although the phone attack may stop for several hours, it has also been known to resume. Government offices and emergency services are “targeted” because functional phone lines are a necessity, authorities say.
There are more than 6,000 PSAPs nationwide. Attacks that have delayed or blocked emergency help at the affected PSAPs could cause deaths by blocking medical crews from reaching victims, cybersecurity experts say.
The attacks appear to be part of a three-year trend among cybercriminals who specialize in distributed denial-of-service (DDoS) extortion attacks over the Internet against business websites. These individuals threaten to block customers from reaching the businesses unless the companies pay.
Behind the trend is a confluence of increasing malware sophistication and one-stop shopping for cybercriminal services. Such services, researchers report, are advertised on some black-market Internet forums. They offer to bombard telephone lines for $5 per hour, $20 for 10 hours, or $40 a day.
A big reason for the uptick, researchers say: the availability of botnets (computers that have been infected and linked into a clandestine network) to carry out the attacks.
“What we have seen lately is an increase in people in underground forums selling these services to flood land lines, cellular, and SMS [texting],” says Curt Wilson, a senior researcher at Arbor Networks, an Internet security company in Burlington, Mass. “It seems this service is just another offering in the underground tool kit.”
Technology has made it possible to organize a TDoS attack either for criminal or for legal social-protest purposes, experts who track TDoS say. During the Occupy movement period, it was not uncommon for protesters using Facebook to set up a page with a phone number, urging thousands of followers to call banks, lobbyists, and others – all at the same time, according to a new report by SecureLogix, a San Antonio company that specializes in blocking TDoS attacks. It is not illegal to urge people to call a phone number at a selected time.
After bond ratings were downgraded for several European nations, protesters called en masse, clogging up ratings-agency lines, the SecureLogix report says.
Although social networks such as Twitter have been used to coordinate vast numbers of people taking particular actions, this has since morphed into mass efforts to disable phone systems.
In August 2011, the rapper The Game told his Twitter followers to call the Los Angeles County Sheriff’s Department at the same time. More than 500,000 people got the message, and the resulting call volume shut down emergency services.
But pranks and social protests are not what’s happening with the TDoS attacks on the emergency call centers – which have all the appearance of an outright extortion attempt, says Rod Wallace, vice president of services for SecureLogix.
“There’s a level of sophistication happening – probing, seeing what works or not to get organizations to pay,” he says. “We’re seeing TDoS attacks on intensive-care units of hospitals, retailers, and public entities like these emergency call centers. What they’re doing is finding out who will pay.”
He adds, “There’s those who just want to make a point – protest – and those that just want to get paid. That’s what this is.”
Like Mr. Wilson, Mr. Wallace traces TDoS extortion back about three years. Accelerating the trend has been the availability of open-source software so that a personal computer, or a botnet, can easily be rigged to make rapid-fire calls – and at the same time spoof (fake) the caller ID so each call appears to come from a different number.
“Filling up emergency administrative lines with garbage has been technically feasible forever, ever since 911 service was invented,” says James Cavanagh, an emergency-services telecom consultant. “What’s happened is that technology has made it possible to more effectively clog up these lines. What we’ve seen is only going to get worse because there’s an increasing level of cooperation between the bad guys.”
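A defender-side illustration of the pattern the article describes (a continuous stream of calls in which each call appears to come from a different number), added here as an example and not part of the original article: a sliding-window check over call records that flags a flooded administrative line and notes whether the presented caller IDs rotate, which is the case where blocking individual numbers stops helping. The record fields, thresholds, line names and sample log are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    ts: int       # arrival time, seconds from start of log
    caller: str   # caller ID as presented (can be spoofed)
    line: str     # administrative line that was dialed

def classify_floods(calls, window=60, max_calls=20, rotating_ratio=0.8):
    """Return {line: (first_alert_ts, kind)} for lines whose inbound rate
    exceeds max_calls per window. kind is 'rotating-ids' when most calls in
    the window present distinct caller IDs, otherwise 'repeat-caller'."""
    recent = {}   # line -> deque of calls inside the sliding window
    alerts = {}
    for call in sorted(calls, key=lambda c: c.ts):
        q = recent.setdefault(call.line, deque())
        q.append(call)
        # Drop calls that have aged out of the window.
        while q[0].ts <= call.ts - window:
            q.popleft()
        if len(q) > max_calls and call.line not in alerts:
            unique = len({c.caller for c in q})
            rotating = unique / len(q) >= rotating_ratio
            alerts[call.line] = (call.ts, "rotating-ids" if rotating else "repeat-caller")
    return alerts

def build_sample_log():
    """Constructed call records; numbers use the fictional 555-01xx range."""
    log = []
    # Line A: normal traffic, one call every 45 s.
    log += [Call(t, f"555-01{t % 100:02d}", "admin-A") for t in range(0, 900, 45)]
    # Line B: one call every 2 s, each presenting a different caller ID.
    log += [Call(300 + 2 * i, f"555-01{i:02d}", "admin-B") for i in range(60)]
    # Line C: one call every 2 s, all presenting the same number.
    log += [Call(300 + 2 * i, "555-0199", "admin-C") for i in range(60)]
    return log

if __name__ == "__main__":
    for line, (ts, kind) in classify_floods(build_sample_log()).items():
        print(f"{line}: flood detected at t={ts}s ({kind})")
```

A 'repeat-caller' result can be handled by blocking the one number; a 'rotating-ids' result means filtering has to key on call rate or on upstream carrier data rather than on caller ID.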