9-1-1; What Is Your Emergency?

Thursday, February 19, 2015

Combatting 9-1-1 Fraud: Spoofing, Swatting, Denial of Service and Other Cyber Attacks

Taken from Public Safety Communications Magazine, February 2015
Written by Randy Kaminsky, who has more than 35 years in public safety and is currently the Communications and 9-1-1 Supervisor for the Bradley (IL) Police Department. He is a member of APCO's Editorial Advisory Committee.

I remember back in the days of the rotary dial telephone and the mischief that a 10-year-old could get into given just the slightest latitude.  Pick a number out of the phone book and call the unsuspecting victim just to ask, "Is your refrigerator running? Better catch it before it runs off!" Or there was always the popular call to place to a cigar shop: "Do you have Prince Albert in a can?"

At that age, I guess it was fun just having the ability to pull one over on an adult.  Little did I know that some 40 years down the road, the prank calls would take a much more serious and sometimes sinister twist.

The 'Bad' Technology
The age of computer technology has brought about many positive innovations that give us the ability to communicate with almost anyone, at any location, via cellular, Internet and satellite services.  But many have manipulated these services to perpetrate a multitude of crimes - from fraud to homicide.  The list of worries posed in the digital age ranges from identity theft and credit card fraud to hacking secret documents of a corporation or government agency.

In the field of public safety communications, our primary concern is telephone fraud, and that is the focus of this article.

"Spoofing" is the term used to describe the action of impersonating another person, company or agency over the Internet, specifically targeting email or telephone caller ID.  This is accomplished through unverified Voice over Internet Protocol (VoIP) services or through the use of what is known as a "spoof card."  A spoof card, or unregistered VoIP service, allows the user to display any ANI/ALI location information the spoofer chooses.

For example, if you were to use a spoof card to play a practical joke on a friend, you could list the name Barack Obama to be displayed as the caller ID, along with the general White House phone number.  Many spoof cards will also allow you to disguise your voice.

However, spoofing has been frequently used in more serious applications to make false crime-in-progress reports, or as part of extortion schemes.  The deception that seems to be most popular these days is to enter the name of a criminal justice agency to be displayed on caller ID, and then inform the person that he or she has disregarded a notice to report for jury duty and now a warrant has been issued for their arrest.  They tell the victim that they can pay a fine over the phone and avoid arrest by purchasing a pre-paid credit card and providing them with the coded number in the scratch off area on the back of the card.  Generally, the amount of the "fine" is $100-$200.  Recently an elderly gentleman was bilked out of more than $5,000 by someone claiming to be from the IRS.  The caller ID displayed "IRS," so he believed the caller and provided the funds.

Spoofing can also be used to draw police with a false 9-1-1 report to the farthest reaches of their jurisdiction while a major crime is in progress at another location in their town.  And believe it or not, the spoof card industry has a lobbyist on Capitol Hill to fight any efforts to outlaw the cards and/or spoofing technology, claiming that misuse is an "isolated problem."

For this reason, the Truth in Caller ID Act was passed in 2009 and became law Dec. 22, 2010.  It prohibits any acts of fraud or harm in relation to spoofing of caller ID and prescribes severe monetary penalties for any violation.

Denial of Service
The term denial of service (DoS) or distributed denial of service (DDoS) describes the practice of an enterprise (typically criminal in nature) using spoofing technology along with a "robocall" service.  That enterprise will then attempt to extort money from a business or, in bolder cases, a municipal or public safety agency by demanding payment for an unfounded debt.  When the demand is refused, the robocall service will then repeatedly call main numbers or administrative lines with recorded messages.  This blocks public access to phone lines and results in your phones "ringing off the hook" - an especially problematic situation when the target is a 9-1-1 center.  Since these calls originate from questionable VoIP providers in most cases, tracking them down can be difficult at best.  Some businesses and public agencies have given in to the demands just to have their phone service restored.

One solution that has been proposed is to block unverified or unregistered VoIP services so that the caller's physical location or IP address couldn't be disguised.  Such regulation would have to apply to all domestic and international VoIP providers, with non-compliant services blocked completely in order to be truly effective.  As of this article's publication, there is no movement toward any regulation.

A phrase first coined by the FBI in 2008, "swatting" is the practice of reporting a serious crime in progress at a business or, often, a private residence.  In most cases, it involves a report of a homicide, bomb or extortion attempt in the form of a ransom demand.  The caller will make threats toward first responders to further dramatize their false report.  Swatting calls can be received over 9-1-1 trunks or 7-digit emergency lines.  With spoofing technology, the ANI/ALI information received would indicate that the call did originate from the address in question, but some swatting calls have been completed through relay services.

The most frequent targets - and perpetrators - of swatting calls are online gamers.  Most such gamers are computer technology savvy, so they find it easy to use spoofing technology.  Those who have been caught have admitted wanting to exact a level of revenge on someone with whom they had argued or who had soundly defeated them on some online game.

Other swatters have victimized celebrities - Ashton Kutcher, Justin Bieber, Miley Cyrus, Simon Cowell, Tom Cruise, Chris Brown, Ryan Seacrest, Charlie Sheen, Clint Eastwood and even Los Angeles County assistant prosecutor Patrick Frey have all been targeted by swatting schemes.  The real threat to the victims and to law enforcement officers is the confrontation at the residence or business.  In one recent case, a homeowner was at home with his family when he saw someone lurking in the bushes outside his home.  He reached for his handgun and was about to walk outside when the police surrounding the home announced their presence.  The person in the bushes was a SWAT team member attempting to observe and report what was going on inside the home.  One minor action or turn of events and this swatting prank could have had a tragic, deadly outcome.

In January, a homeowner actually shot a police chief who entered his residence after a spoofed report was made that brought police to his address.  Thankfully, the police chief was wearing a body armor vest.  He was struck with three rounds: two in the vest and one in his arm.  He was released after treatment.

One major problem with swatting is that many public safety agencies fail to report incidents to federal authorities such as the FBI or FCC.  Both agencies have the ability to track down those responsible and impose federal charges.  The FBI has the ability to enforce a number of laws that can be used in prosecution, and the FCC can levy monetary fines and forfeiture of property for those who fail to pay.  Reporting spoofing and swatting incidents also gives authorities the statistical data they need to track repeat offenders.

All PSAPs should develop protocols to deal with swatting calls.  Since the caller's real name and phone number are replaced with the victim's information, it is important to make contact with the number provided.  If the person answering the phone has no idea what you're talking about, chances are it's a fraud.  If the victim needs reassurance that you are indeed the local authorities, tell them to hang up and dial 9-1-1 so that they can be transferred to the same operator.  If the police have already arrived at the victim's home or business, possible instructions would be to unlock all doors and proceed outside when instructed to do so, keeping their hands empty and in plain sight.

What to Do
If your agency is the victim of a DDoS, spoofing or swatting attack, use the protocols for handling such an incident (be sure to review these with law enforcement regularly).  Public safety agencies can also take the lead in advising the public of such scams by reaching out to children and the elderly through school and senior groups.

Report all DDoS, spoofing and swatting incidents to your local FBI field office and the FCC at 888-TELL-FCC (835-5322).  For DDoS attacks, have extra unlisted phone lines (separate from any hunt groups in place) appearing on critical extensions and have a method in place for disseminating information to the public through local media so that people know to use those lines until the DDoS calls cease.  Have a list prepared for services that contact you on 7-digit lines such as personal emergency response services, alarm companies, utilities, etc., so that you can inform them to use the alternate phone numbers.

Remember: being prepared for a serious event will make it more manageable and usually less stressful to all involved.
