Internet-based attacks hit emergency call centers. What's the damage?

The emergency call centers are administrative ones where 911 calls are routed after having been received. The attacks are part of an extortion scheme, federal authorities say.

Hundreds of emergency call centers nationwide have been hit with Internet-based phone-blocking attacks, part of a criminal extortion scheme that aims to clog the centers used to dispatch emergency services, according to federal law-enforcement authorities and cyber experts.

Since January, more than 200 public-safety answering points (PSAPs) – administrative call centers where 911 calls are routed after having been received – have been bombarded with “telephony denial of service” (TDoS) attacks that last several hours, according to the Department of Homeland Security’s Emergency Management and Response – Information Sharing and Analysis Center (EMR-ISAC).

So far, the 911 lines that directly receive emergency calls have not been hit. Instead, the attacks have prevented incoming and outgoing calls from reaching the PSAP centers, which dispatch emergency services.

“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities,” according to a confidential alert jointly issued by DHS and the Federal Bureau of Investigation in mid-March. “Dozens of such attacks have targeted the administrative PSAP lines (not the 911 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls.”

The DHS-FBI alert appeared Monday on the website of cybersecurity blogger Brian Krebs. But a March 23 “InfoGram” from the EMR-ISAC said the attacks had grown, hitting “over 200 Public Safety Answering Points ... around the country.”

Authorities have not yet identified the type of attack. While it’s theoretically possible to organize an all-human calling campaign against the emergency call centers, these attacks appear likely to be computer-generated via Internet-connected voice services, cybersecurity experts say.

The TDoS attacks are part of an extortion scheme, federal authorities say. It begins with a phone call to a call center from an individual claiming to represent a collections company for payday loans. The caller “usually has a strong accent of some sort and asks to speak with a current or former employee concerning an outstanding debt,” the March alert said. The person with the accent demands payment of $5,000 from the call center because of default by the employee, who either no longer works at the PSAP or never did, authorities say.

If nobody pays the requested $5,000, the person then launches a TDoS attack. Typically, the PSAPs being targeted are then swamped by a continuous stream of calls that goes on for hours, blocking incoming and outgoing calls.

While the phone attack may stop for several hours, it has also resumed. Government offices and emergency services are “targeted” because functional phone lines are a necessity, authorities say.

There are more than 6,000 PSAPs nationwide. Attacks that have delayed or blocked emergency help at the affected PSAPs could cause deaths by blocking medical crews from reaching victims, cybersecurity experts say.

The attacks appear to be part of a three-year trend among cybercriminals that specialize in distributed denial-of-service (DDoS) extortion attacks over the Internet against business websites. These individuals threaten to block customers from reaching the businesses unless the companies pay.

Behind the trend is a confluence of increasing malware sophistication and one-stop shopping for cybercriminal services. Such services, researchers report, are advertised on some black-market Internet forums. They offer to bombard telephone lines for $5 per hour, $20 for 10 hours, or $40 a day.

A big reason for the uptick, researchers say: the availability of botnets (computers that have been infected and linked into a clandestine network) to carry out the attacks.

“What we have seen lately is an increase in people in underground forums selling these services to flood land lines, cellular, and SMS [texting],” says Curt Wilson, a senior researcher at Arbor Networks, an Internet security company in Burlington, Mass. “It seems this service is just another offering in the underground tool kit.”

Technology has made it possible to organize a TDoS attack either for criminal or for legal social-protest purposes, experts who track TDoS say. During the Occupy movement period, it was not uncommon for protesters using Facebook to set up a page with a phone number, urging thousands of followers to call banks, lobbyists, and others – all at the same time, according to a new report by SecureLogix, a San Antonio company that specializes in blocking TDoS attacks. It is not illegal to urge people to call a phone number at a selected time.

After bond ratings were downgraded for several European nations, protesters called en masse, clogging up ratings-agency lines, the SecureLogix report says.

Although social networks such as Twitter have been used to coordinate vast numbers of people taking particular actions, this has since morphed into mass efforts to disable phone systems.

In August 2011, the rapper The Game told his Twitter followers to call the Los Angeles County Sheriff ’s Department at the same time. More than 500,000 people got the message, and the resulting call volume shut down emergency services.

But pranks and social protests are not what’s happening with the TDoS attacks on the emergency call centers – which have all the appearance of an outright extortion attempt, says Rod Wallace, vice president of services for SecureLogix.

“There’s a level of sophistication happening – probing, seeing what works or not to get organizations to pay,” he says. “We’re seeing TDoS attacks on intensive-care units of hospitals, retailers, and public entities like these emergency call centers. What they’re doing is finding out who will pay.”

He adds, “There’s those who just want to make a point – protest – and those that just want to get paid. That’s what this is.”

Like Mr. Wilson, Mr. Wallace traces TDoS extortion back about three years ago. Accelerating the trend has been availability of open-source software so that a personal computer, or a botnet, can easily be rigged to make rapid-fire calls – and at the same time spoof (fake) the caller ID so each call appears to come from a different number.

“Filling up emergency administrative lines with garbage has been technically feasible forever, ever since 911 service was invented,” says James Cavanagh, an emergency-services telecom consultant. “What’s happened is that technology has made it possible to more effectively clog up these lines. What we’ve seen is only going to get worse because there’s an increasing level of cooperation between the bad guys.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.