A quartet of hackers based in the Philippines have allegedly bilked AT&T and possibly other telecommunications companies out of millions, which they channeled to their own bank accounts and to accounts associated with a terrorist organization. And apparently, AT&T helped them collect the money.

On November 24, the Philippine National Police's Criminal Investigation and Detection Group and the FBI staged raids in Manila, arresting Macnell Gracilla, Francisco Manalac, Regina Balura, and Paul Michael Kwan. The CIDG said in a statement that the hackers had been financed by Jemaah Islamiyah, a terrorist group that the FBI has said funded the November 2008 attacks in Mumbai. While few details have been offered up by AT&T or law enforcement, at least one of the four has been involved in previous "phreaking," or phone hacking, of telecom customers' private branch exchanges (PBXs)—and in fact was indicted in the US in 2009 for a similar crime. The arrests are part of an FBI effort to crack down on PBX hacking that dates back to 1999.

Kwan's success both times in turning corporate phone systems into virtual ATMs for himself and a Pakistani partner was largely due to the horrific state of phone system security at many large organizations. In the 2009 case, Kwan and his cohorts didn't need to try very hard to break into PBX switches, because the switches still had their default passwords—and it's likely the same was true in this new case.

PBX hacking 101

The first step in turning someone else's phone lines into cash is to collect information about different PBX systems—getting hold of physical or digital copies of their manuals, and learning their dial-pad commands for remote access and their default passwords. Kwan and the phreakers he worked with from 2005 to 2008 were able to use default passwords to gain access to many of the PBX systems they exploited.

The next step is to find a vulnerable PBX system. Phreakers can identify target systems by searching phone directories—either on the Internet or, as Kwan and company did in their first venture, in printed form—for the phone numbers of organizations that use a PBX, or by using a "war dialer" program on a computer that walks through sequences of phone numbers. The phreakers walk through numbers until they find one that gives them a way to access a PBX's commands through a voicemail menu—usually the Direct Inward System Access (DISA) number for the PBX, which allows employees to dial into the system and then place outbound calls as if they were calling from the phone system itself.

Working from the Philippines during the day, the phreakers could dial through masses of numbers belonging to US businesses after hours, allowing them to attempt to gain access to phone systems through unused extensions, or through other extensions with default passwords still in place. Using a "brute force" approach—systematically working through phone extensions and pass codes with the aid of dialing software—the phreakers would gain access to extensions, change their passwords, and then exploit the extension to make outbound calls using the DISA number.

If the phreakers discover a DISA number, they can brute-force through possible passwords, gaining access to the PBX to place calls to any number they choose. Alternatively, if they manage to take control of an internal extension, they can use the "loop-back" method: placing a call into the extension, and then using the extension to dial out to another number. In both cases, the phreaker has to pay for the cost of the call inbound to the PBX, unless they have exploited a toll-free DISA number or have voice over IP capabilities that allow inbound connections over the Internet.

Turning a profit

While many phreakers may exploit a PBX for the thrill of it and possibly place a call or two, Kwan and his fellow phreakers are alleged to have conducted phone fraud of this sort on an epic level, turning exploited PBXs belonging to AT&T and Sprint customers in the US into their very own long-distance service. From 2005 to 2008, Kwan and a group of other phreakers in the Philippines sold access to compromised PBXs to Muhammed Zamir, a Pakistani and a member of Jemaah Islamiyah, then living in Italy. Zamir and his wife operated "calling centers" in Brescia and Macerata, Italy—storefront operations that offered low-cost international calls. Zamir charged customers by the minute for their calls, connecting calls for them through PBX systems connected to AT&T and Sprint long-distance service.

Kwan and his cohorts in the Philippines provided a stream of PBX systems to exploit. Zamir would also sell the extension and passcode information to other calling center operators in Italy and Spain. Altogether, the call centers placed about $55 million worth of phone calls over a three-year period. Kwan and his partners were paid a whopping $1,270 for their work by Western Union money transfers before the FBI and Italian authorities caught up with the operation in 2009, and Zamir and five other Pakistanis were arrested. In 2009, Kwan was indicted in New Jersey on charges of conspiracy.

But that wasn't the end of the game. In 2009, Jemaah Islamiyah came under new management—taken over by an unidentified Saudi national—and went back to Kwan and other Filipino phreakers to carry out a new fund-raising scheme. Instead of operating calling centers and providing a salable service stolen from AT&T and others, the scam shifted to making telcos into unwitting accomplices.

The phreakers used their access to PBX systems to place outbound calls not to customers' overseas relatives, but instead to high-rate international "premium-rate" services—the equivalent of 900 numbers in the US, where customers are assessed a per-minute fee on their phone bill for services ranging from specialized long distance service to "hot singles party chat." Using the trunk lines of exploited PBXs, the ring directed hundreds of calls to these services. At least some of the revenue generated from the calls—a reported $2 million through AT&T alone—was transferred to bank accounts associated with Jemaah Islamiyah, and a percentage was transferred back to the phreakers as payment.

AT&T has absorbed its losses, refunding customers for the fraudulent charges. That's unusual in a PBX-hacking case, Lieberman Software CEO Phil Lieberman said in an interview with Ars Technica—usually the customers get stuck with the bill for their poor PBX security, and the telecommunications providers rarely warn them of strange billing patterns. (Lieberman Software provides security software to a number of companies in the telecommunications business.) "The way these hacks are usually discovered is when you get your bill," Lieberman told us. But he said that if some of the charges were accrued using 900-like services and AT&T delivered payment of them, that was most likely the reason they absorbed the loss.
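The activity the "PBX hacking 101" section describes (repeated DISA passcode guesses, after-hours calls through idle extensions) and the premium-rate calls described above all leave traces in the PBX's own call detail records (CDRs) well before the bill arrives. The following Python script is an added example, not code from the article, AT&T, or any PBX vendor. It runs over a handful of constructed CDR lines in an assumed CSV layout (time, caller ID, channel, dialed number, duration, result) and flags both the brute-force attempts and the fraudulent calls themselves. The high-cost prefix list and the business-hours window are placeholders to be replaced with the carrier's rate tables and the organization's own schedule.

```python
"""Toll-fraud detection over PBX call detail records (CDRs).

Added example, not from the article or from any PBX vendor: it parses a few
constructed CDR lines and flags the patterns the article describes, so the
fraud surfaces in the PBX logs rather than on next month's phone bill.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample CDRs (assumed layout): time, caller ID, channel, dialed
# number, duration in seconds, result. A channel of "DISA" means the call came
# in through the remote-access feature; "extNNN" is an internal extension.
SAMPLE_CDRS = """\
time,caller_id,channel,dialed,seconds,result
2011-11-20T02:01:10,+639171234567,DISA,,0,AUTH_FAIL
2011-11-20T02:01:25,+639171234567,DISA,,0,AUTH_FAIL
2011-11-20T02:01:40,+639171234567,DISA,,0,AUTH_FAIL
2011-11-20T02:01:58,+639171234567,DISA,,0,AUTH_FAIL
2011-11-20T02:02:15,+639171234567,DISA,,0,AUTH_FAIL
2011-11-20T02:02:33,+639171234567,DISA,011882123456789,1820,ANSWERED
2011-11-20T02:03:10,+639171234567,DISA,011882123456790,1795,ANSWERED
2011-11-20T03:15:44,ext204,ext204,011882123456791,2400,ANSWERED
2011-11-21T10:12:05,ext117,ext117,12125551212,300,ANSWERED
2011-11-21T14:40:00,ext117,ext117,0114420712345678,600,ANSWERED
"""

# Placeholder high-cost prefixes, matched after the 011 international access
# code. Real premium-rate and satellite ranges differ per country and carrier;
# replace with the carrier's rate table.
HIGH_COST_PREFIXES = ("881", "882", "883")

BUSINESS_HOURS = range(8, 18)       # 08:00-17:59 local time (an assumption)
AUTH_FAIL_THRESHOLD = 4             # failed DISA logins per window
AUTH_FAIL_WINDOW = timedelta(minutes=5)


def parse_cdrs(text):
    """Read CSV CDR text into dicts with typed time and duration fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["seconds"] = int(row["seconds"])
        rows.append(row)
    return rows


def is_international(dialed):
    return dialed.startswith("011")


def is_high_cost(dialed):
    return is_international(dialed) and dialed[3:].startswith(HIGH_COST_PREFIXES)


def find_disa_bruteforce(rows):
    """Caller IDs with >= AUTH_FAIL_THRESHOLD failed DISA logins inside a
    sliding AUTH_FAIL_WINDOW: the signature of passcode guessing."""
    fails = defaultdict(list)
    for r in rows:
        if r["channel"] == "DISA" and r["result"] == "AUTH_FAIL":
            fails[r["caller_id"]].append(r["time"])
    flagged = set()
    for cid, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > AUTH_FAIL_WINDOW:
                start += 1
            if end - start + 1 >= AUTH_FAIL_THRESHOLD:
                flagged.add(cid)
                break
    return flagged


def find_suspicious_calls(rows):
    """Answered international calls that look like toll fraud: any call to a
    high-cost prefix, or a call combining two weaker indicators (after hours,
    placed through DISA)."""
    alerts = []
    for r in rows:
        if r["result"] != "ANSWERED" or not is_international(r["dialed"]):
            continue
        reasons = []
        if is_high_cost(r["dialed"]):
            reasons.append("high-cost destination")
        if r["time"].hour not in BUSINESS_HOURS:
            reasons.append("after hours")
        if r["channel"] == "DISA":
            reasons.append("placed via DISA")
        # A single weak indicator (a daytime call to London) is normal business.
        if "high-cost destination" in reasons or len(reasons) >= 2:
            alerts.append((r["time"].isoformat(), r["channel"], r["dialed"], reasons))
    return alerts


def minutes_by_channel(rows):
    """Outbound international minutes per channel: the figure the bill will show."""
    totals = defaultdict(float)
    for r in rows:
        if r["result"] == "ANSWERED" and is_international(r["dialed"]):
            totals[r["channel"]] += r["seconds"] / 60
    return dict(totals)


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    print("DISA brute-force sources:", find_disa_bruteforce(cdrs))
    for alert in find_suspicious_calls(cdrs):
        print("ALERT", alert)
    print("International minutes by channel:", minutes_by_channel(cdrs))
```

On the constructed data the script flags the single caller ID behind the five failed DISA logins, alerts on the three long calls to the placeholder 882 prefix (two through DISA at 2 a.m., one from extension 204 at 3 a.m.), and leaves the daytime call to a UK number alone. Running such checks hourly against the PBX's CDR export, and paging on any hit, catches the pattern within the first night rather than weeks later on the invoice.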

Unfortunately for Kwan and his co-conspirators, in the end, it was the bank transactions to the phreakers from the Jemaah Islamiyah-linked accounts that allowed the FBI to trace their location to Manila. The four captured in the raid are facing charges in the Philippines; there's no word on whether the US will seek the extradition of Kwan on the outstanding conspiracy indictment.