Title : Fraudulent Applications of 900 Services
Author : Codec
==Phrack Magazine==
Volume Five, Issue Forty-Five, File 18 of 28
****************************************************************************
[** NOTE: The following file is presented for informational and
entertainment purposes only. Phrack Magazine takes NO
responsibility for anyone who attempts the actions
described within. **]
****************************************************************************
****************************************************************
* *
* FRAUDULENT APPLICATION OF '900' SERVICES *
* *
* by CO/der DEC/oder, of Dark Side Research *
* *
* Greetings to Minor Threat, The Conflict and Tristan *
* and dedicated to the English Prankster, Phiber Optik, *
* Louis Cypher and other hackers who have proved an honor *
* to themselves and to our community in not cooperating *
* with "law enforcement." *
* *
****************************************************************
The information presented forthwith is the result of knowledge gained through
actual first-hand experience. There is no theoretical aspect to any part of
this article, except where explicitly noted. Disclaimer: this file is for
outright illegal use. I sincerely hope publication of this file contributes to
the delinquency of both minors and adults alike. -- "Codec"
Getting Started
In setting up your own 900 number, you earn a big percentage of the net revenue
generated by calls made to that number. You can advertise and promote your
number in various and sundry ways in an extremely competitive environment,
or--if you so happen to be a hacker--you can simply dial up some PBXes and call
the number yourself. Since you'll be earning several dollars per minute, you
won't be in any hurry to hang up. In fact, you may find yourself letting the
phone stay off the hook while you chat on IRC or read the latest Phrack.
Though not a scheme to get rich, this can provide a considerable income or
simply an occasional bonus, depending on your h/p resourcefulness and effort
exerted.
Before you can start calling your own 900 number and making yourself money, you
need to buy into the 900 business. On your next outing for the latest copy of
Hustler, grab a USA Today. In the classifieds, (as well as many other business
classifieds), under the heading "business opportunities," you'll notice any
number of 900 ads. You want to find a "service bureau" and not a simple
"reseller," so shop around and call a number of the companies, asking about
percentages and whether or not your setup costs (usually ranging from $300 to
$1500) are comprehensive for the year or whether you'll have to pay a monthly
fee. Avoid these pesky monthly maintenance fees. All sorts of 900 packages
exist, but you want an automated service--such as a dateline--that is ready to
all as soon as you've paid. This means you'll have no equipment to set up, or
900 trunks terminating at your house, or hookers to hire, etc. The service
bureau provides you with the number and the service, so all you have to do is
market the number (should you be legit). You can bargain a little on the setup
fee. An example of a worthwhile deal would be as follows: an automated
dateline number (similar to a voice ail system, only you listen to personal ads
and have the option of leaving a response) for $750/year, a per minute rate of
$3.99, and a 75% net return (i.e., you make about $3.00/min). AT&T and MCI
provide 900 services to the service bureaus. AT&T is preferable, as you
receive payment two months after the end of the calling month, as opposed to
three months with MCI--so ask about this too. Your continued efforts will reap
a monthly check thereafter.
The service bureau actually sends you the check. You'll want it in a personal
name to make it easier to cash with your bogus ID. Some bureaus will "factor"
your account, meaning that if you've accumulated a lot of credits, they will
pay you in advance of their getting paid by the carrier--for a percentage fee.
Don't try to scam them on this; your account is scrutinized closely before a
premature check is approved. If everything is done properly, both you and the
service bureau will be happy. [That's what's so great about this project:
everyone wins--you, the service bureau, even AT&T--only the PBX owner loses!]
You will be able to check your credits, or "minutes" as called in the 900
industry, by calling a special number provided by the service bureau. After
entering your account codes, an automated response will give you statistics
such as daily call reports and total minutes accumulated for the billing month.
Be sure to find out about the virtual end-of-month date. The end of each
billing period is not necessarily the last day of the month. Accordingly, you
will need to plan your attacks with this in mind, as we will discuss next.
Getting A Date
Now that you've set up your dateline, you'll be anxious to start earning the
three bucks a minute. The dateline makes it kind of fun, since you get to hear
all kinds of ridiculous messages and the typical horny soliloquy. Get a
speakerphone if you lack one now.
You don't necessarily need PBXes--any outdials you find that complete a 900 call
will suffice. However, the lines targeted must be those of a business, one
that is large enough to own a PBX. Calling on residential lines, cell phones,
or from small businesses will not work--the owners will get their bill, and
simply call the phone company and complain that they didn't make the call.
This will attract undesired attention to your line by the LEC and your
service bureau, and it will also cost you in that the carrier connect fees,
about .25 and .30 per minute, will be deducted from your account. The LD
carriers get theirs, whether the party pays or not. This is why the calling
method encouraged here is the PBX. If you can manipulate central office
switches, do so by these same principles.
PBX owners tend to pay their phone bills--including 900 calls that aren't
outrageous. They'll assume that one of their own employees made the call, if
they even notice. Instead of attempting to exploit a PBX to some astronomical
degree, you're better off running up a mere fifty to sixty dollar charge. Do
this every month as part of a schedule. Not only may it go unnoticed, but you
are assured that it will go uncontested even if detected. Running up an
excessive number of minutes risks unneeded attention and assures either a total
"killing" of the PBX, or at minimum, 900 restrictions added by the PBX
administrator. Even with a remote admin access, your luck will run out.
Remember: YOU WILL ONLY GET PAID IF THE PBX OWNER PAYS THE PHONE BILL!
With this in mind, the most limiting factor is the number of PBXes you can
accumulate. The widespread raping of AT&T's System 75/85/Definity in 1992 (as
a result of discoveries in 1991) made that year extremely ripe for this 900
scheme. Many of us managed to accumulate large collections of System 75s,
including the elusive Super Nigger, who allegedly compiled over 300. (Where
the hell were you hiding?) AT&T security memorandums have since killed
hundreds of these, but the defaults still work well in some cities.
Regardless, PBXes abound, and the more you find, the more minutes you can
generate.
Let's look at a sample attack schedule:
PBX # M T W Th F S Su
01 15m
02 10m
03 8m
04 14m
05 16m
06 24m
07 12m
08 13m
09 16m
10 2m,10m
11 13m
12 4m,4m
Twelve PBXes are to be attacked in the sample week, so there are probably fifty
PBXes totally to be attacked for the month. Each PBX is to be used only once per
billing period. You will get many months of use out of each PBX with this
conservative approach, so long as every hacker west of Poland doesn't have
access as well. Notice how the number of connection minutes varies, and the
calling pattern is quite random looking. The schedule is maintained not only
to keep track of PBXes in your harem you've fucked for the month, but to assist
you in generating minutes in a pseudo-random pattern. It is acceptable to have
your minutes generated in a pattern, albeit a loose one. For instance, if all
minutes are generated only on the weekend, a discerning eye will not attribute
this to the type of marketing you are using. The sample schedule is only the
ideal model. Having to rigid a pattern, however, such as having an exact
number of calls each day, is potentially suspicious to your service bureau.
Simultaneous calls to your 900 number through different outgoing trunks on the
same PBX is also strongly discouraged.
Listening Software
Calling your 900 dateline number is fun, but when you've got over a hundred
PBXes to hit each month for an average of fifteen minutes a pop, the novelty
tends to wear off. Of course you can have a speakerphone and a time and go
about other tasks between calls, but why not write a program that will enable
your modem to do all this for you? All the program must do is have the modem
call a PBX from a list, pause, and call your 900 (or another PBX and then your
900, for LD PBX attacks). Once connected to your 900, it must stay "listening"
until a random timer (10-20 minutes) hangs it up. Depending upon your dateline
service, the modem may have to emit a DTMF every once in a while to keep the
service convinced you're still there. This is a very worthwhile program to
write--it can drastically reduce your total time spent with this operation,
leaving you with only the PBX list to maintain (additions and deletions), and
the spending of your hard-earned cash (the novelty of this WON'T wear off).
Large Charge-Rate Option
A 900 number can be set up to charge as much as $50 per call. Whether the call
lasts less then a minute, or for over ten, the cost for the caller is the same
$50. In order to set up such an account, you must qualify as an "Information
Provider," or IP. Regulations on 900 numbers state that you must be a provider
of information, not tangible goods. With a dateline, the information is
included in your deal with the service bureau, so you are considered an IP.
The bureau can provide you with your own number that terminates in a voice
processing or audio-text system, but now you must provide the actual
information. Your idea must be approved by the LD carrier, and they tend to
scrutinize your plans the higher your desired rate. Your bureau may even
subject your service to a test to make sure it's not a fake.
One idea is to ask for a $25 per-call rate. Make like a writer of shareware
programs, and have your 900's announcement ask the caller to leave name and
address to be legally registered to use the software, and to receive updated
versions. A confirmation notice will be sent to acknowledge the registration.
Many bureaus will accept this as qualification for IP status, if properly
presented. A sample arrangement like this should not cost more than a grand to
set up. Stats on minutes are checked just as with the dateline, only you'll
receive any messages left by callers, and you'll receive any messages left by
callers, and you'll be able to change the announcements--just like voice mail.
[IT's always a thrill to call a 900 number and hear yourself thanking the
caller, heh heh.] On a $25 line, you should net about $19 per call.
All the same rules apply using this large charge-rate setup. You can't abuse a
PBX any more with this option then with a dateline. It does give you the added
flexibility for methods used other than PBXes, such as outdials that will only
connect briefly. For instance, message notification on voicemail will not
connect to a number for prolonged durations, but long enough to activate a $25
charge. And a typical modem outdial on a mainframe will soon hang up with the
absence of an answering carrier, but the linger is long enough for a $25 call.
And with CO switching, the arrangements you make are ideally temporary--turned
quickly on and off--making a fast $25 hit optimal. Lastly, if you are skilled
in accessing corporate phone closets (see "Physical Access and Theft," Phrack
43) or the corresponding outside plant, you can use your test set to call your
900. Obviously a large charge-rate would be better here too, rather than
standing for endless periods of time in compromising positions connected to a
squawking dateline.
No matter how you access business lines, be sure they belong to a large
company. Definitely experiment, but do so in moderation--make any necessary
notes (like time and date of call) and wait for your 900 billing statement to
see if the call was paid for. [Your billing statement, essentially a call
accounting summary, is created for each billing month by the LD carrier and
sent to you via the service bureau with your check. It includes the calling
phone numbers, time, date, duration, etc. of all calls made to your number.]
A Final Word
It would be hard to get "busted" doing anything mentioned in this article.
Even if you're nabbed for misdemeanor PBX abuse, no one will ever imagine--let
alone try to prove--that the 900 number you were calling is your own. [Hey,
you're just a desperately lonely guy!] However, be wary of pen registers
(DNRs) if you've been up to other dark deeds, and set up your calling
operations at a safer place. Don't check your minutes using any of the same
means that you use to generate them (a record of your calling into your 900
backdoor is probably the most incriminating track you can make). Keep your 900
account anonymous, as with your address, voice mail, and ID/SSN.
Welcome to the dark side--and best of luck.
Sincerely,
CO/der DEC/oder
DSR
[ The Author can be reached, when the system is up, at:
codec@crimelab.com ]