BANGOR, Maine — A salesman at a Bangor auto parts business was taken aback when he arrived at work on the morning of Feb. 22 and saw all 11 of the company’s phone lines lit up.
First to arrive and the only one in the building, the salesman at B&L Auto Parts figured something was amiss and called his store manager, who told him to call the company’s phone system provider to report the problem, office manager Lorena Giffard wrote in a letter to federal authorities.
After a laptop was hooked up to the phone system, a diagnostics specialist from Bangor-based Sierra Communications determined that someone had hacked into the phone system, Giffard said this week in a telephone interview. Sierra then put in a program to block any further hacking, she said.
Sierra Communications advised the auto parts company to contact its telecommunications service provider, GWI in Biddeford, to report the problem and find out exactly how long the illegal activity had been going on.
A log of international calls to B&L Auto Parts indicated that the calls were “either coming from or going to somewhere off the coast of Africa,” namely the islands of Sao Tome and Principe, Giffard said.
From 11:36 p.m. Feb. 21, when the phone system was hacked into, through 9:30 a.m. the next day, when the block kicked in, the hackers racked up a whopping $813.40 in long-distance calls.
That total is roughly double the company’s phone and Internet bill for an entire month’s worth of phone service, Giffard said, adding that B&L’s monthly bill runs between $400 and $500.
B&L reported the phone system hacking episode, known as “phreaking,” to Bangor police. The officer who handled the complaint recommended that the company contact the Maine Attorney General’s Office and the Maine Public Utilities Commission, which told Giffard they had no jurisdiction in the matter, as well as the U.S. Attorney’s Office.
“At this point, we can’t comment on whether or not an investigation is taking place,” Assistant U.S. Attorney Donald Clark of the agency’s Portland office said Thursday in a telephone interview.
Katherine Gulotta, spokeswoman at the Federal Bureau of Investigation’s regional office in Boston, said Thursday that the FBI has been notified of the Bangor phone hacking incident.
“We are aware of the situation and we are reviewing it to see if it does meet the federal criminal threshold,” she said. She cautioned, however, that the review “is not indicative of us conducting an investigation.”
Asked if the FBI has been seeing similar incidents in Maine or elsewhere, Gulotta said the scam was prevalent a few years ago but that such hacking incidents had slowed significantly.
She did, however, provide information about a major international telephone hacking conspiracy that the FBI’s Newark Division in New Jersey cracked in 2009.
The FBI’s investigation, which spanned several years, led to charges against several people from Italy and the Philippines who allegedly hacked into the telephone systems of large corporations in the United States and abroad and sold information about the compromised telephone systems to Pakistani nationals residing in Italy.
The information was used to transmit more than 12 million minutes of telephone calls valued at more than $55 million over the hacked networks of victim corporations in the United States alone, the FBI said in a news release issued at the time.
The losses were borne by the victim corporations and entities as well as the long-distance carriers that provided the telephone service for the victims.
Giffard said this week that the auto parts company asked GWI to provide a credit for the portion of its bill associated with the illegal calls.
Giffard said GWI initially told her it would not do so but later issued a $325.36 “courtesy credit,” which was reflected on its March bill.
When asked why the entire amount for the hacked calls wasn’t waived, GWI spokesman Tom Janenda said the company had agreed to charge B&L only for GWI’s wholesale cost for the hijacked long-distance minutes.
B&L Auto Parts owner Gerald Doane said this week that he was surprised that his company was on the hook for the calls made by hackers.
“I find the event quite peculiar and possibly quite damaging if we were a much smaller business or if the event wasn’t noticed as soon,” he said in an email to the Bangor Daily News. “As best I can tell any business with a voicemail system is possibly at risk.
“I also can’t imagine what the bill would be if it happened on a Saturday night and went on through Monday morning,” Doane added. “Even though we are a small business I suspect there are others out there that it would cause a real hardship for.”
Janenda said Thursday that GWI’s investigation into the hacking incident concluded that B&L was hacked into through its private branch exchange, or PBX, which is an in-house telephone switching system that interconnects telephone extensions to each other and to the outside telephone network.
The purpose of PBXs is to reduce the total number of telephone lines a business or similar organization needs to lease from the telephone company. Without one, a telephone line would have to be leased for every employee or user.
B&L’s PBX system provider is Sierra Communications, Laurie Bennett of Sierra Communications confirmed Thursday.
TeleDesign Security Inc., a consulting company specializing in telecommunications services for business and government clients, compiled a fact sheet about PBX fraud. On it, the security specialists noted that ultimately companies such as B&L are responsible for all charges incurred on their systems, including those by hackers.
“Recent court decisions and filed tariffs make you, not the carrier, responsible for the security of your CBX/PCX system if you have not taken steps to protect your assets,” the security company said.