==Phrack Magazine==



                 Volume Five, Issue Forty-Five, File 18 of 28



****************************************************************************



[** NOTE:  The following file is presented for informational and

           entertainment purposes only.  Phrack Magazine takes NO

           responsibility for anyone who attempts the actions

           described within. **]



****************************************************************************



****************************************************************

*                                                              *

*    FRAUDULENT APPLICATION OF '900' SERVICES                  *

*                                                              *

*    by CO/der DEC/oder, of Dark Side Research                 *

*                                                              *

*    Greetings to Minor Threat, The Conflict and Tristan       *

*    and dedicated to the English Prankster, Phiber Optik,     *

*    Louis Cypher and other hackers who have proved an honor   *

*    to themselves and to our community in not cooperating     *

*    with "law enforcement."                                   *

*                                                              *

****************************************************************



The information presented forthwith is the result of knowledge gained through

actual first-hand experience.  There is no theoretical aspect to any part of

this article, except where explicitly noted.  Disclaimer:  this file is for

outright illegal use.  I sincerely hope publication of this file contributes to

the delinquency of both minors and adults alike. -- "Codec"



Getting Started



In setting up your own 900 number, you earn a big percentage of the net revenue

generated by calls made to that number.  You can advertise and promote your

number in various and sundry ways in an extremely competitive environment,

or--if you so happen to be a hacker--you can simply dial up some PBXes and call

the number yourself.  Since you'll be earning several dollars per minute, you

won't be in any hurry to hang up.  In fact, you may find yourself letting the

phone stay off the hook while you chat on IRC or read the latest Phrack.

Though not a scheme to get rich, this can provide a considerable income or

simply an occasional bonus, depending on your h/p resourcefulness and effort

exerted.



Before you can start calling your own 900 number and making yourself money, you

need to buy into the 900 business.  On your next outing for the latest copy of

Hustler, grab a USA Today.  In the classifieds, (as well as many other business

classifieds), under the heading "business opportunities," you'll notice any

number of 900 ads.  You want to find a "service bureau" and not a simple

"reseller," so shop around and call a number of the companies, asking about

percentages and whether or not your setup costs (usually ranging from $300 to

$1500) are comprehensive for the year or whether you'll have to pay a monthly

fee.  Avoid these pesky monthly maintenance fees.  All sorts of 900 packages

exist, but you want an automated service--such as a dateline--that is ready to

all as soon as you've paid.  This means you'll have no equipment to set up, or

900 trunks terminating at your house, or hookers to hire, etc.  The service

bureau provides you with the number and the service, so all you have to do is

market the number (should you be legit).  You can bargain a little on the setup

fee.  An example of a worthwhile deal would be as follows:  an automated

dateline number (similar to a voice ail system, only you listen to personal ads

and have the option of leaving a response) for $750/year, a per minute rate of

$3.99, and a 75% net return (i.e., you make about $3.00/min).  AT&T and MCI

provide 900 services to the service bureaus.  AT&T is preferable, as you

receive payment two months after the end of the calling month, as opposed to

three months with MCI--so ask about this too.  Your continued efforts will reap

a monthly check thereafter.



The service bureau actually sends you the check.  You'll want it in a personal

name to make it easier to cash with your bogus ID.  Some bureaus will "factor"

your account, meaning that if you've accumulated a lot of credits, they will

pay you in advance of their getting paid by the carrier--for a percentage fee.

Don't try to scam them on this; your account is scrutinized closely before a

premature check is approved.  If everything is done properly, both you and the

service bureau will be happy.  [That's what's so great about this project:

everyone wins--you, the service bureau, even AT&T--only the PBX owner loses!]



You will be able to check your credits, or "minutes" as called in the 900

industry, by calling a special number provided by the service bureau.  After

entering your account codes, an automated response will give you statistics

such as daily call reports and total minutes accumulated for the billing month.

Be sure to find out about the virtual end-of-month date.  The end of each

billing period is not necessarily the last day of the month.  Accordingly, you

will need to plan your attacks with this in mind, as we will discuss next.



Getting A Date



Now that you've set up your dateline, you'll be anxious to start earning the

three bucks a minute.  The dateline makes it kind of fun, since you get to hear

all kinds of ridiculous messages and the typical horny soliloquy.  Get a

speakerphone if you lack one now.



You don't necessarily need PBXes--any outdials you find that complete a 900 call

will suffice.  However, the lines targeted must be those of a business, one

that is large enough to own a PBX.  Calling on residential lines, cell phones,

or from small businesses will not work--the owners will get their bill, and

simply call the phone company and complain that they didn't make the call.

This will attract undesired attention to your line by the LEC and your

service bureau, and it will also cost you in that the carrier connect fees,

about .25 and .30 per minute, will be deducted from your account.  The LD

carriers get theirs, whether the party pays or not.  This is why the calling

method encouraged here is the PBX.  If you can manipulate central office

switches, do so by these same principles.



PBX owners tend to pay their phone bills--including 900 calls that aren't

outrageous.  They'll assume that one of their own employees made the call, if

they even notice.  Instead of attempting to exploit a PBX to some astronomical

degree, you're better off running up a mere fifty to sixty dollar charge.  Do

this every month as part of a schedule.  Not only may it go unnoticed, but you

are assured that it will go uncontested even if detected.  Running up an

excessive number of minutes risks unneeded attention and assures either a total

"killing" of the PBX, or at minimum, 900 restrictions added by the PBX

administrator.  Even with a remote admin access, your luck will run out.

Remember:  YOU WILL ONLY GET PAID IF THE PBX OWNER PAYS THE PHONE BILL!



With this in mind, the most limiting factor is the number of PBXes you can

accumulate.  The widespread raping of AT&T's System 75/85/Definity in 1992 (as

a result of discoveries in 1991) made that year extremely ripe for this 900

scheme.  Many of us managed to accumulate large collections of System 75s,

including the elusive Super Nigger, who allegedly compiled over 300.  (Where

the hell were you hiding?)  AT&T security memorandums have since killed

hundreds of these, but the defaults still work well in some cities.

Regardless, PBXes abound, and the more you find, the more minutes you can

generate.



Let's look at a sample attack schedule:



PBX #           M       T       W       Th      F       S       Su

 01             15m

 02             10m

 03              8m

 04                             14m

 05                             16m

 06                             24m

 07                             12m

 08                             13m

 09                                     16m

 10                                             2m,10m

 11                                             13m

 12                                             4m,4m



Twelve PBXes are to be attacked in the sample week, so there are probably fifty

PBXes totally to be attacked for the month.  Each PBX is to be used only once per

billing period.  You will  get many months of use out of each PBX with this

conservative approach, so long as every hacker west of Poland doesn't have

access as well.  Notice how the number of connection minutes varies, and the

calling pattern is quite random looking.  The schedule is maintained not only

to keep track of PBXes in your harem you've fucked for the month, but to assist

you in generating minutes in a pseudo-random pattern.  It is acceptable to have

your minutes generated in a pattern, albeit a loose one.  For instance, if all

minutes are generated only on the weekend, a discerning eye will not attribute

this to the type of marketing you are using.  The sample schedule is only the

ideal model.  Having to rigid a pattern, however, such as having an exact

number of calls each day, is potentially suspicious to your service bureau.

Simultaneous calls to your 900 number through different outgoing trunks on the

same PBX is also strongly discouraged.



Listening Software



Calling your 900 dateline number is fun, but when you've got over a hundred

PBXes to hit each month for an average of fifteen minutes a pop, the novelty

tends to wear off.  Of course you can have a speakerphone and a time and go

about other tasks between calls, but why not write a program that will enable

your modem to do all this for you?  All the program must do is have the modem

call a PBX from a list, pause, and call your 900 (or another PBX and then your

900, for LD PBX attacks).  Once connected to your 900, it must stay "listening"

until a random timer (10-20 minutes) hangs it up.  Depending upon your dateline

service, the modem may have to emit a DTMF every once in a while to keep the

service convinced you're still there.  This is a very worthwhile program to

write--it can drastically reduce your total time spent with this operation,

leaving you with only the PBX list to maintain (additions and deletions), and

the spending of your hard-earned cash (the novelty of this WON'T wear off).



Large Charge-Rate Option



A 900 number can be set up to charge as much as $50 per call.  Whether the call

lasts less then a minute, or for over ten, the cost for the caller is the same

$50.  In order to set up such an account, you must qualify as an "Information

Provider," or IP.  Regulations on 900 numbers state that you must be a provider

of information, not tangible goods.  With a dateline, the information is

included in your deal with the service bureau, so you are considered an IP.

The bureau can provide you with your own number that terminates in a voice

processing or audio-text system, but now you must provide the actual

information.  Your idea must be approved by the LD carrier, and they tend to

scrutinize your plans the higher your desired rate.  Your bureau may even

subject your service to a test to make sure it's not a fake.



One idea is to ask for a $25 per-call rate.  Make like a writer of shareware

programs, and have your 900's announcement ask the caller to leave name and

address to be legally registered to use the software, and to receive updated

versions.  A confirmation notice will be sent to acknowledge the registration.

Many bureaus will accept this as qualification for IP status, if properly

presented.  A sample arrangement like this should not cost more than a grand to

set up.  Stats on minutes are checked just as with the dateline, only you'll

receive any messages left by callers, and you'll receive any messages left by

callers, and you'll be able to change the announcements--just like voice mail.

[IT's always a thrill to call a 900 number and hear yourself thanking the

caller, heh heh.]  On a $25 line, you should net about $19 per call.



All the same rules apply using this large charge-rate setup.  You can't abuse a

PBX any more with this option then with a dateline.  It does give you the added

flexibility for methods used other than PBXes, such as outdials that will only

connect briefly.  For instance, message notification on voicemail will not

connect to a number for prolonged durations, but long enough to activate a $25

charge.  And a typical modem outdial on a mainframe will soon hang up with the

absence of an answering carrier, but the linger is long enough for a $25 call.

And with CO switching, the arrangements you make are ideally temporary--turned

quickly on and off--making a fast $25 hit optimal.  Lastly, if you are skilled

in accessing corporate phone closets (see "Physical Access and Theft," Phrack

43) or the corresponding outside plant, you can use your test set to call your

900.  Obviously a large charge-rate would be better here too, rather than

standing for endless periods of time in compromising positions connected to a

squawking dateline.



No matter how you access business lines, be sure they belong to a large

company.  Definitely experiment, but do so in moderation--make any necessary

notes (like time and date of call) and wait for your 900 billing statement to

see if the call was paid for.  [Your billing statement, essentially a call

accounting summary, is created for each billing month by the LD carrier and

sent to you via the service bureau with your check.  It includes the calling

phone numbers, time, date, duration, etc. of all calls made to your number.]



A Final Word



It would be hard to get "busted" doing anything mentioned in this article.

Even if you're nabbed for misdemeanor PBX abuse, no one will ever imagine--let

alone try to prove--that the 900 number you were calling is your own.  [Hey,

you're just a desperately lonely guy!]  However, be wary of pen registers

(DNRs) if you've been up to other dark deeds, and set up your calling

operations at a safer place.  Don't check your minutes using any of the same

means that you use to generate them (a record of your calling into your 900

backdoor is probably the most incriminating track you can make).  Keep your 900

account anonymous, as with your address, voice mail, and ID/SSN.



Welcome to the dark side--and best of luck.



                        Sincerely,



                        CO/der DEC/oder

                        DSR



[ The Author can be reached, when the system is up, at:

  codec@crimelab.com ]