In the early days of the internet, access to websites was conducted by "dial-up" modems. Billions of people worldwide found themselves silently disconnected from a local telephone number to an expensive Premium Rate number, and the call was also bounced around the world. The victims were members of the public who were supposed to be protected by Regulation, but instead were forced to pay huge phone bills. Of course, the law was always late to catch on and most of these early "white collar crimes2 were never prosecuted (at least not in the UK). This presentation was originally put forward at the European Telephone Network Operators Fraud Working Group by its President Luis, who was the only guy with the knowledge and contacts to trace all the way back to the source Lee Jones. No one questions how you made your money so long as you have enough to splash around and today Lee is still in business with his own private investment company(http://www.creditas.com) and telco (see http://www.neutrinonetworks.co.uk), having sold his original businesses Wire9 and Cloud9 back in 2008.

1. 1
Luis-s-Cardoso@telecom.pt
LuisSCardoso@ieee.org
Internet Dumping
&
IRS Fraud
Luis Sousa Cardoso
FIINA President
QSDG/ITU Chairman
WEB
DIALLERS
1

2. 2

3. 3
General Information

4. 4
Definitions
‘Internet dumping’ or ‘modem hijacking’ is
what occurs when the telephone line that
connects your computer to the Internet is
disconnected and then reconnected to a new
telephone number without your full knowledge or
consent. The new number, generally an
international one, has a high call charge rate.
Source: Australian Communications Authority

5. 5

6. 6
DALLAS
1 - CONTACT
WITH WEB
SITE IN
DALLAS
CALL IS
CUT-OFF
WEB SITE: www.sexygirls.com

7. 7
MOLDOVA2 - A PHONE
CALL IS
ESTABLISH TO
MOLDOVA
PHONE NUMBER +373 xxxxxxxx

8. 8
MOLDOVA2 -THEN THE
CALL IS
FORWARDED
TO CANADA
SCARBOROUGH
PHONE NUMBER +373 XXXXXXX
PHONE NUMBER + 1 519 XXXXXXX

9. 9
MOLDOVA2 - AND
RETURNED
TO DALLAS
SCARBOROUGH
DALLAS
PHONE NUMBER +373 XXXXXXX
PHONE NUMBER + 1 519 XXXXXXX
PHONE NUMBER + 1 214 XXXXXXX

10. 10
MOLDOVA5 - AND
DOWNLOAD
STRAT
SCARBOROUGH
DALLAS
DOWNLOAD STARTS VIA TELEPHONE NETWORK
INSTEAD VIA INTERNET

11. 11
USER´S
BILL
USER´S
BILL

12. 12
JESUS CHRIST!!!
HOW TO PAY THIS BILL???
The first victim
of dialers

13. 13
How does it work?
• Internet dumping can occur when you access
certain Internet websites. A very small program
known as a dialer is downloaded onto your
computer from these websites and installed
often using the ActiveX technology.
• Dialers are frequently linked with pornographic
websites, but are sometimes found on gambling,
games and music sites.
• Sometimes in common words the dialer can be
seen like a trojan horse.
Source: Australian Communications Authority

14. 14
Definitions
ActiveX is a Microsoft technology that
allows Internet applications that are more
powerful than simple scripts.
Source: Australian Communications Authority

15. 15
How are dialers installed and run?
• When you click on an icon or button on a web page you
may download a dialer.
• Unscrupulous sites provide little warning that you will
have to pay a higher call charge if you agree to
download the Internet dialer to access the website.
• Some dialers can re-dial and connect your computer at a
high call charge rate automatically, and some even mute
the dialing noises your modem makes through your
computer speakers to hide the fact that the modem is
dialing.
Source: Australian Communications Authority

16. 16
Is it legal?
The provision of pay-per-view content via
a website utilizing dialer software is legal
as long as the site gives adequate warning
that charges may be incurred upon
entering the website, and as long as the
software is configured to ensure that the
premium rate services are disconnected at
the end of the Internet user’s session.
Source: Australian Communications Authority

17. 17
Internet dialers aren’t all bad
Internet dialers also allow you to pay for
certain services over the Internet using
your telephone account rather than a
credit card, for example, downloading ring
tones or call-back services for travelers.
This payment service can be useful
provided it is done with your knowledge
and consent. Some dialers can be used as
a SECURITY ADD ON on dialing-up
access.
Source: Australian Communications Authority

18. 18
‘Good’ and ‘Bad’ dialers
• We consider as ‘good’ dialers those which
warns you that you will dial an
international telephone number with high
charge.
• On the contrary ‘bad’ are the dialers that
don’t provide any warning you will dial an
international telephone call and this dial-up
connection is established automatically.

19. 19
‘Good’ dialers

20. 20
‘Good’ dialers

21. 21
‘Good’ dialers
You must be eighteen (18) years of age or older to use this service. You are acknowledging
that you are eighteen (18) years of age or older if you continue to use this software. BY
USING THIS SOFTWARE, YOU WILL DIAL AN INTERNATIONAL TELEPHONE NUMBER
FOR WHICH INTERNATIONAL LONG DISTANCE CHARGES APPLY (SEE DETAILS
BELOW).
By choosing this Dialer as a payment method for this content, you will download our
proprietary software to your computer's hard drive.
Once connected, you will establish an connection with a remote server outside of your
country. Your modem will disconnect from your Internet Service Provider and dial an
INTERNATIONAL TELEPHONE NUMBER to Cook Island. An INTERNATIONAL LONG
DISTANCE call to Cook Island will appear on your phone bill. Rates are subject to change,
check with your local carrier for exact rates. Your phone bill will reflect charges on a per minute
basis (rounded up to the next whole minute) for the cost of the call. You can terminate our
service by one of the following procedures:
1. You can terminate the connection by selecting the modem symbol located on the lower
right side of Windows 95/98 tool bar, then by clicking on the "Disconnect" button, or Clicking on
the Pay Dial application icon at the lower portion of Windows 95/98 tool bar. When the
message box shows up, click "Yes" to disconnect the service.
2. You can connect to this service for the maximum of thirty (30) minutes. Pay Dial software
will automatically terminate this service after thirty (30) minutes;
You may use this service only if you are the line subscriber or are authorized by the line
subscriber to incur charges on the phone bill.

22. 22
SOME Risky Destinations
Destination Code
Central African Rep. +236
São Tomé and Principe +239
Diego Garcia +246
Comoros +269
Austria +43
Norfolk Island +672
Nauru +674
Papua/N. Guinea +675
Solomon Islands +677
Vanuatu +678
Wallis and Fortuna +681
Cook Island +682
Kiribati +686
Tuvalu +688
French Polynesia +689
Tokelau +690
ALL DESTINATIONS
WITH HIGH
TERMINATION
RATE
(e.g. EMSAT and
ANTARCTICA
NETWORK or IRS on
GSM networks)

23. 23
Technical analysis
of diallers

24. 24
How does a dialer work?
INTERNET
User
Web
Server
File Server
Containing Dialer
Video Server

25. 25
The connection with the ISP has been established

26. 26
The connection with the ISP has been established at
52000bps. ISP tel No is 8962555555

27. 27
The ‘IPCONFIG’
command shows
us the IP that we
got from the ISP
which is
212.205.210.20

28. 28
The ‘TRACEROUTE’
command shows us
the route from our
machine to the ISP
server

29. 29
We visit a site
to download a
password

30. 30
Clicking ‘YES’ is the fatal action

31. 31
The dialer is being downloaded

32. 32
The tel N# that we are connected with, has
changed from 8962555555 to 002395009

33. 33
With the ‘IPCONFIG’ command
we see that the IP has changed to
192.168.0.182
that is an IP of an internal network

34. 34
With the ‘TRACEROUTE’ command
we see that the route has changed.
It is longer and we have been
connected with a company called
VIATEL

35. 35
A shortcut appears on
Network Connections

36. 36
Using the www. ip2location . com we
detect the location of the
company that offers dialers services

37. 37
002395543 or
0023955XX
No existing serie
On STP
numbering
Plan
No outsourced
serie
No routed via
PTC
MISUSE

38. 38
Internet Explorer has encountered a problem
caused by the downloading of the dialer

39. 39
A shortcut appears
automatically on the
desktop

40. 40
We are
connected to
the internal
network
(192.168.0.182)
of a company
in Poland

41. 41
Using the sniffer IRIS v4.07.1
we decode the packets from
and to our machine

42. 42
Technical data useful to our research

43. 43
Using the ‘DECODE’ command,
packets which are in the buffer
start to be decoded

44. 44
A decoded packet
from the web site
www . erotic . pl

45. 45
We receive
useful
information
from the
decoded
packets

46. 46
We receive
useful
information
from the
decoded
packets

47. 47
Our PC tries
to GET the
dialer from
pinkbox.pl

48. 48
Using the
www.samspade.org we
detect the location of
pinkbox.pl

49. 49
The results of our
investigation

50. 50
Using BinText 3.0 as
well as IDA we do
reverse engineering to
the dialer and we
decrypt it discovering
all its secrets.

51. 51
……more secrets

52. 52
ANOTHER CASE to GSM
PTC noted several calls to KPN mobile numbers done
with WEB diallers
+31 620675560
+31 620985172
+31 612203785
+31 622834749
After some discussion with portuguese customers
dialling that numbers, a situation of Internet dumping
was found, and numbers were blocked.
Due to the fast action the numbers of minutes involved
was about 250
This numbers matched with a information reported by
Maltacom

53. 53
Maltacom also reported the Internet dumping
situation to that numbers and to the following
ones:
+31 623 079882
+31 613 269348
+31 613 179137
+31 613 262607
Maltacom also decided to block such numbers. In
these case the numbers of minutes involved were
about 197.47 hours

54. 54
Maltacom and PTC started an investigation based
on the practices presented during previous meetingsc
So the diallers were installed in a test PC
And the results were :

55. 55
192.168.0.1
255.255.255.0
194.54.173.109
255.255.255.255
194.54.173.109

56. 56
Information related to '194.54.172.0 - 194.54.175.255'
organisation: ORG-WA24-RIPE
org-name: Wire9
org-type: NON-REGISTRY
remarks: Wire9.com
address: Hunter House, Hutton Road Shenfiel
daddress: CM15 8NL
address: UK
phone: +44 (0) 8707 469 796
e-mail: lee@wire9.com
person: Lee Jones
address: Wire9 Telecom PLC
address: Hunter House, Hutton Road
address: Shenfield, CM15 8NL, UK
phone: +44 (0) 8707 469 796
fax-no: +44 (0) 8707 469 797

57. 57

58. 58
The starting
WEB site

59. 59
WHOIS information for valuedcontents.com:
Registrant:
Marco Casali (VALUEDCONTENTS-COM-DOM)
via De Gasperi Roma, nn 66023 italy 0670623431
info@7adpower.com
Domain Name: VALUEDCONTENTS.COM
Administrative Contact: Marco Casali info@7adpower.com
via De Gasperi Roma, nn 66023 italy 0670623431
Technical Contact, Zone Contact:
Marco Casali info@7adpower.com
via De Gasperi Roma, nn 66023 italy 0670623431

60. 60
RELATED WEB

61. 61
http://www.solo-adulti.com/en/index.html

62. 62

63. 63
http://www.solo-adulti.com/en/chatcam/delay.htm

64. 64

65. 65

66. 66
http://www.solo-adulti.com/en/index.html

67. 67

68. 68

69. 69
Who can become a victim?
Virtually any household can become
a victim to these malicious dialers.

70. 70
ITU/QSDG
Xi’an Meeting, May 2005
1. Document titled ‘Information concerning the use of 882 13 numbers’
(COM2-D173-E) a Swisscom contribution was presented.
2. It is recommended that operators should prepare their fraud staff to
the new situations as web dialers. This needs to be done involving
CRM staff as well.
3. It was concluded that operators should not do a global block of a
destination when trying to fight web diallers fraud. It if happens then it
should be considered as a commercial decision and not related with fraud
aspect. It is clear that this type of traffic could increase outgoing traffic and
some operators may wish to reduce their out-payments. However such
decisions are not related with fraud. Concerning fraud aspect only
rogue diallers should be blocked.

71. 71
ETNO
It is recommended that concerning fraud aspect only rogue
diallers, mainly those producing Internet dumping and/or
modem hijacking, should be blocked. This requires a proper
investigation to gather proof of the rogue dialler (e.g. the
dialer programme).
It is also recommended that operators should prepare their
fraud staff to the new situations as web diallers and possible
rogue dialers. This needs to be done involving CRM staff as
well.
It is also recommended that clear position be taken within
each organization (operator) in order to allow a common
understanding by all areas of the organization on how to deal
with internet dumping fraud and associated activities.

72. 72
Thank you