LOS ANGELES - The demand stunned the hospital employee. She had picked up the emergency room’s phone line, expecting to hear a dispatcher or a doctor. But instead, an unfamiliar male greeted her by name and then threatened to paralyze the hospital’s phone service if she didn’t pay him hundreds of dollars.
Soon after the worker hung up on the caller, the ER’s six phone lines went dead. For nearly two days in March, ambulances and patients’ families calling the San Diego hospital heard nothing but busy signals.
The hospital had become a victim of an extortionist who, probably using not much more than a laptop and cheap software, had single-handedly generated enough calls to tie up the lines.
Distributed denial-of-service attacks - taking a website down by forcing thousands of compromised personal computers to simultaneously visit and overwhelm it - has been a favored choice of hackers since the advent of the Internet.
Now, scammers are inundating phone lines using the burgeoning VoIP, or Voice over Internet Protocol, telephone system.
The frequency of such attacks is alarming security experts and law enforcement officials, who say that while the tactic has mainly been the tool of scammers, it could easily be adopted by malicious hackers and terrorists to knock out crucial infrastructure such as hospitals and 911 call centers.
“I haven’t seen this escalated to national-security level yet, but it could if an attack happens during a major disaster or someone expires due to an attack,” said Frank Artes, chief technology architect at information security firm NSS Labs and a cybercrime adviser for federal agencies.
In the traditional phone system, carriers such as AT&T grant phone numbers to customers, creating a layer of accountability that can betraced. On the Web, a phone number isn’t always attached to someone. That’s allowed scammers to place unlimited anonymous calls to any landline or VoIP number.
They create a personal virtual phone network, typically either through hardware that splits up a landline or software that generates online numbers instantly. Some even infect cellphones of unsuspecting consumers with viruses, turning them into robo-dialers without the owners knowing that their devices have been hijacked. In all cases, a scammer has access to multiple U.S. numbers and can tell a computer to use them to dial a specific business.
Authorities say the line-flooding extortion scheme started in 2010 as phone scammers sought to improve on an old trick in which they pretend to be debt collectors. But the emerging bull’s-eye on hospitals and other public safety lines has intensified efforts to track down the callers.
Since mid-February, the Internet Crime Complaint Center, a task force that includes the FBI, has received more than 100 reports about telephony denial-of-service attacks. Victims have paid $500 to $5,000 to bring an end to the attacks.
The hospital attack, confirmed by two independent sources familiar with it, was eventually stopped using a computer firewall filter, and no one died. Typical firewalls, designed to block calls from specific telephone numbers, are less effective against Internet calls because hackers can delete numbers and create new ones constantly.
To thwart phone-based attacks, federal officials recently began working with telecommunications companies to develop a caller identification system for the Web. Their efforts could quell more than just denial-of-service attacks.
They could block other thriving fraud, including the spoofing and swatting calls that have targeted many people, from senior citizens to celebrities such as Justin Bieber. In spoofing, a caller tricks people into picking up the phone when their caller ID shows a familiar number. In swatting, a caller manipulates the caller ID to appear as though a 911 call is coming from a celebrity’s home.
Unclassified law enforcement documents posted online have vaguely identified some victims: a nursing home in Marquette, Wis., last November, a manufacturer in Massachusetts in early 2013, a Louisiana emergency operations center in March, and two Massachusetts hospitals last spring.
Wall Street firms, schools, insurance companies and customer-service call centers have also temporarily lost phone service because of the attacks, according to telecommunications industry officials. Many of the victims want to remain anonymous out of fear of being attacked again or opening themselves up to lawsuits from customers.
For all the money spent on Internet security, companies often overlook protecting their phones, Artes said.
“It’s kind of embarrassing when a website goes down, but when you shut down emergency operations for a county or a city, that has a direct effect on their ability to respond,” he said.
The Federal Communications Commission has begun huddling with the telecommunications industry to discuss ideas that would help stem the attacks. One possibility is attaching certificates, or a secret signature, to calls.
But Jon Peterson, a consultant with network analytics firm Neustar, said such measures raise privacy worries.Some calls, such as one to a whistle-blower hotline, may need to remain anonymous. There won’t be a single fix. But the goal is clear.
“The lack of secure attribution of origins of these calls is one of the key enablers of this attack,” Peterson said. “We have to resolve this question of accountability.”
Front Section, Pages 1 on 07/22/2013