BANGOR, Maine — A salesman at a Bangor auto parts business was taken aback when he arrived at work on the morning of Feb. 22 and saw all 11 of the company’s phone lines lit up.
First to arrive and the only one in the building, the salesman at B&L Auto Parts figured something was amiss and called his store manager, who told him to call the company’s phone system provider to report the problem, office manager Lorena Giffard wrote in a letter to federal authorities.
After a laptop was hooked up to the phone system, a diagnostics specialist from Bangor-based Sierra Communications determined that someone had hacked into the phone system, Giffard said this week in a telephone interview. Sierra then put in a program to block any further hacking, she said.
Sierra Communications advised the auto parts company to contact its telecommunications service provider, GWI in Biddeford, to report the problem and find out exactly how long the illegal activity had been going on.
A log of international calls to B&L Auto Parts indicated that the calls were “either coming from or going to somewhere off the coast of Africa,” namely the islands of Sao Tome and Principe, Giffard said.
From 11:36 p.m. Feb. 21, when the phone system was hacked into, through 9:30 a.m. the next day, when the block kicked in, the hackers racked up a whopping $813.40 in long-distance calls.
That total is roughly double the company’s phone and Internet bill for an entire month’s worth of phone service, Giffard said, adding that B&L’s monthly bill runs between $400 and $500.
B&L reported the phone system hacking episode, known as “phreaking,” to Bangor police. The officer who handled the complaint recommended that the company contact the Maine Attorney General’s Office and the Maine Public Utilities Commission, which told Giffard they had no jurisdiction in the matter, as well as the the U.S. Attorney’s Office.
“At this point, we can’t comment on whether or not an investigation is taking place,” Assistant U.S. Attorney Donald Clark of the agency’s Portland office said Thursday in a telephone interview.
Katherine Gulotta, spokeswoman at the Federal Bureau of Investigation’s regional office in Boston, said Thursday that the FBI has been notified of the Bangor phone hacking incident.
“We are aware of the situation and we are reviewing it to see if it does meet the federal criminal threshold,” she said. She cautioned, however, that the review “is not indicative of us conducting an investigation.”
Asked if the FBI has been seeing similar incidents in Maine or elsewhere, Gulotta said the scam was prevalent a few years ago but that such hacking incidents had slowed significantly.
She did, however, provide information about a major international telephone hacking conspiracy that the FBI’s Newark Division in New Jersey cracked in 2009.
The FBI’s investigation, which spanned several years, led to the charges against several people from Italy and the Philippines who allegedly hacked into the telephone systems of large corporations in the United States and abroad and sold information about the compromised telephone systems to Pakistani nationals residing in Italy.
The information was used to transmit more than 12 million minutes of telephone calls valued at more than $55 million over the hacked networks of victim corporations in the United States alone, the FBI said in a news release issued at the time.
The losses were borne by the victim corporations and entities as well as the long-distance carriers that provided the telephone service for the victims.
Giffard said this week that the auto parts company asked GWI to provide a credit for the portion of its bill associated with the illegal calls.
Giffard said GWI initially told her it would not do so but later issued a $325.36 “courtesy credit,” which was reflected on its March bill.
When asked why the entire amount for the hacked calls wasn’t waived, GWI spokesman Tom Janenda said the company had agreed to charge B&L only for GWI’s wholesale cost for the hijacked long-distance minutes.
B&L Auto Parts owner Gerald Doane said this week that he was surprised that his company was on the hook for the calls made by hackers.
“I find the event quite peculiar and possibly quite damaging if we were a much smaller business or if the event wasn’t noticed as soon,” he said in an email to the Bangor Daily News. “As best I can tell any business with a voicemail system is possibly at risk.
“I also can’t imagine what the bill would be if it happened on a Saturday night and went on through Monday morning,” Doane added. “Even though we are a small business I suspect there are others out there that it would cause a real hardship for.”
Janenda said Thursday that GWI’s investigation into the hacking incident concluded that B&L was hacked into through its private branch exchange, or PBX, which is an in-house telephone switching system that interconnects telephone extensions to each other and to the outside telephone network.
The purpose of PBXs is to reduce the total number of telephone lines a business or similar organization needs to lease from the telephone company. Without one, a telephone line would have to be leased for every employee or user.
B&L’s PBX system provider is Sierra Communications, Laurie Bennett of Sierra Communications confirmed Thursday.
TeleDesign Security Inc., a consulting company specializing in telecommunications services for business and government clients, compiled a fact sheet about PBX fraud. On it, the security specialists noted that ultimately companies such as B&L are responsible for all charges incurred on their systems, including those by hackers.
“Recent court decisions and filed tariffs make you, not the carrier, responsible for the security of your CBX/PCX system if you have not taken steps to protect your assets,” the security company said.
Maybe those hackers were here and almost got run off the road by one of B&L’s trucks. Sorry guys, I don’t feel at all sorry for ya. You must hire x pizza delivery guys.
what does the drivers have to do with someone hacking into the phone system? kinda rude dont ya think? bet that parts come from there for your car too and you dont even know it
stupid comment
Funny I never had a problem with B&L always treated me good . I few places around town Did not . The idea of getting ever would have crosses my mind when I was younger.
Eastern Europeans and Africans have been doing scams and hacks for a while now. This was a practice run on an unsuspecting site, probably just for the customer list and #s.
Welcome to the world Maine! The Cocoon is coming apart.
It is just like when the Old Town Dairy Queen was broken into and the security company said they were not liable for their equipment not working, that it was in the fine print of the contract that they are not liable for any break ins. Why pay a security service? I don’t know, it is a scam.
“Recent court decisions and filed tariffs make you, not the carrier, responsible for the security of your CBX/PCX system if you have not taken steps to protect your assets,” the security company said.”
This is an example of the “corporate person” problem.
Instead of the big corporate provider being responsible the system’s security and
so motivated to monitor actively levels, as is done with a credit card,
it is every man for himself as the international corporate elephants dance among
the small town chickens.
Sierra Communications is the ones at fault here. If the phone system they sold and installed was configured properly, it never would have been hacked into. Buyer beware.
Not fair. The article doesn’t state whether Sierra offers that sort of protection or if B&L declined it. A PBX is just a computer with connections for telephone sets. If you put a computer online and don’t protect it, it’s your liability. And even the common safety software for regular PC”s has a load of fine print that says they are trying their best to keep up with threats, but no guarrantees. Hackers are probing every address on the internet day and night looking for things to exploit. $810 is not chump change for a small business, but they really are fortunate this wasn’t something a whole lot worse.
Nonsense. That’s like saying Best Buy is responsible for an exploit in internet explorer that caused you to get spyware.
Sometimes it’s the customer who breaks the rules a PBX vendor has laid out.
” The officer who handled the complaint recommended that the company contact the Maine Attorney General’s Office and the Maine Public Utilities Commission, which told Giffard they had no jurisdiction in the matter, as well as the the U.S. Attorney’s ”
Why not simply refer them to the Maine potato board?
To be a better public servant, the officer could be honest and say I don’t know who has jurisdiction but I will find out and let you know. Instead these people call other agencies and waste their time too.
You forget where you’re reading this article, and who wrote it.
BDN
All the news in fits.
Don’t worry B&L, all OUR Government agencies that are suppose to protect the public will do a good job for you ………………………….. of passing the buck.
“As best I can tell any business with a voicemail system is possibly at risk.”
And most public schools have them too. Imagine, from Friday night to Monday am the calls that could be racked up. Time to secure all systems.
dont be giving these people any ideas here :)
Several years ago, when I was living in CT, I had two phone lines, one for calls & the other for my dial-up computer. It wasn’t until I received a call from the phone company inquiring about the numerous calls being made on my line. They then put a block on the line. When I received the bill showing several thousand dollars worth of calls I nearly freaked. Luckily the phone company voided them all. These calls were from New York to various countries in the Middle East & europe. Often there were multiple calls during the same time period from one number to four or five other numbers. The phone company said they would investigate these calls. I took action myself, not by calling the local police, which would not achieve anything, but by notifying the F.B.I. & providing them a copy of the phone bill with all the numbers involved. Apparently, a terrorist cell was operating nearby & had tapped into my lines. It doesn’t only happen to businesses with multiple lines, it can happen to individuals as well.
“On it, the security specialists noted that ultimately companies such as
B&L are responsible for all charges incurred on their systems,
including those by hackers.”
Not exactly. Vendors like Sierra can be liable if the stuff they sell has security flaws and/or they fail to instruct the customer on best security practices. However, there are customers who ignore those instructions. A lot of these hacks happen because the customer thinks best practices are too inconvenient to follow.
Really? Is Dell is responsible for selling you a computer that got a virus? New vulnerabilities are discovered every day. Nothing is ever 100% foolproof. The best the vendors can do is fix the holes as soon as they’re discovered, and do their best to prevent any further damage.
This isn’t the same as a PC. I’m not going to post a lot of technical stuff here. If you’re interested in the topic you can search and start reading. If you’re not familiar with the technologies involved, it will be a lot of reading. It can be interesting to some people and boring to others.
I agree, they’re not the same, but they have some similarities. The comparison I’m making is that the vendor can only protect against security issues that are known. New risks come up all the time, for PC’s, and for phone systems. Unfortunately, someone has to be the first to get hacked, or infected before the vulnerability is known about, and able to be protected against.
I won’t get into a p—ing contest. I know a lot about this subject and I also know people here get annoyed by in-depth technical discussions. The cause could be something stupid like allowing DISA during voicemail access. In that case the blame could fall on the vendor or the customer for enabling that “feature” without making some other configuration changes to limit it’s use.