Part V: Social Threats

Chapter 14: SPAM over Internet Telephony (SPIT)

Chapter 15: Voice Phishing

Case Study: Tom N. Jerry Sets Up A Spit Generator

Tom N. Jerry sells replicas of fine watches. Tom's watches look pretty good, and from a distance of say, ten feet, and after a few strong alcoholic beverages, resemble the real thing. Tom sells a lot of watches and makes a tidy profit; he makes a good margin on his watches , plus his overhead expenses are very low. All his transactions are over the Internet, and he uses email SPAM as his primary means of marketing. As he is pretty handy with computers, he managed to set up his own SPAM-generation engine, and he now sends out about 100,000 emails a day, mostly overnight. His hit ratio is very low, but considering that the email SPAM doesn't cost him a dime, he is pretty satisfied with the results.

Tom has always wanted to use voice telemarketing as well, and he was disappointed to find out that it would cost a ton of money to install a PBX (at least $15,000), get someone smart to set it up, and connect some T1s from AT&T. The T1s would cost $500 a month if he set up a two-year contract. Worst of all, long distance calls would average 4 cents a minute, meaning the calls would cost $500 to $1000 a day, depending on how many hours he chose to make calls. This was just too expensive.

Then one day Tom reads an article on a new issue called voice SPAM or SPIT. The author warns that it will be a big problem one day. He even goes so far as to provide basic steps for setting up a free SPIT-generation operation. Tom figures this is too good to be true. Free telemarketing? Wow, this could really increase his reach to potential customers. He figures his hit ratio, even if most of the calls go to voicemail, would be much higher than that with email SPAM. Tom also figures that these messages would be much less likely to be discarded by those pesky SPAM filters, which seem to be better and better at dumping his emails.

Tom gets his girlfriend, who has an attractive sounding voice but is actually quite homely, to record a 20-second advertisement, including a description of the watches, the price, and a 1-800 number and website to contact. Tom already has the website and number set up, so there is no additional work needed here.

Next , Tom sets up a PC to run the SPIT-generation software. Luckily, he has an extra PC lying around that is plenty powerful enough for the task. From the www.trixbox.org website, he downloads a single ISO image that he saves to a CD. He then uses the CD to install Linux and a working copy of the Asterisk free PBX. After the install, Tom boots the CD and discovers a PBX with a snazzy graphical user interface. Wowhe has a working PBX up and running in four hours!

Tom uses the GUI and follows some steps from the article to set up a basic configuration and several dialplans. He already has X-Lite (http://www.xten.com) running on a couple of other PCs and is able to use Asterisk quickly and make calls between his two PCs. He also sets it up to have "external" calls go to something called a SIP proxy on the Internet, which is what he correctly figures will allow him to make free calls.

Tom then goes to Google and searches for a company offering free SIP services. He is amazed to find a ton of companies, most of which say they use SIP. A couple of them offer free evaluations and he sets up his Asterisk PBX to connect to them. Tom finds that it is easy to call normal numbers , such as his cell phone and home phone. He is even able to make multiple calls at once, one from each of the X-Lite softphones running on his PCs.

Tom next downloads a SPIT generator from those rascals at www.hackingviop.com. He finds a program called spitter , which he easily compiles on his new Asterisk PC. After reading the documentation, he builds a simple file that causes spitter to create a call file for Asterisk, which in turn causes a call to be made. He puts the advertisement .wav file into the appropriate directory /var/lib/asterisk/sounds/ , and voila, his replica watch advertisement goes to his cell phone. As a test, Tom builds a file that generates a bunch of calls to his house, his cell, his girlfriend, and a couple of other target numbers. After some tweaking, the test is running perfectly .

Tom then talks to several of the companies that offer free VoIP service. Several of the companies offer truly free service, but will only terminate a couple of calls at a time to the PSTN. This is a problem, but Tom figures he will use the free service and then if a complaint comes up, he'll move to another one. He also figures he can use multiple connections from different PCs to the same service, as a way to generate more calls.

Tom decides his best customers will be business people working at large companies. The same folks he irritates with his email SPAM. He uses Google to figure out rough ranges of phone numbers for companies and then inserts those as separate entries in the spitter control file. He programs in some delays, so that he can roughly control the number of simultaneous calls. He sets the file to run at night, figuring that he will start by leaving voicemails and eventually expand to daytime hours.

In the end, Tom has a working SPIT-generation platform that he gets up and running in one day. He can comfortably generate several thousand calls a night, without incurring any costs that he doesn't already have. He has found that while he gets some additional flame messages on his 1-800 number, his hit rate is much higher than with email SPAM. His little operation is so successful that he is planning to set up several more PCs, with separate broadband access, with separate connections to free VoIP services, so he can generate over 10,000 calls a day. After that, he figures the next step will be to extend his calling hours to during the business day.