==Phrack Magazine==

 Volume Five, Issue Forty-Five, File 18 of 28

[** NOTE:  The following file is presented for informational and
           entertainment purposes only.  Phrack Magazine takes NO
           responsibility for anyone who attempts the actions
           described within. **]

****************************************************************
*                                                              *
*    FRAUDULENT APPLICATION OF '900' SERVICES                  *
*                                                              *
*    by CO/der DEC/oder, of Dark Side Research                 *
*                                                              *
*    Greetings to Minor Threat, The Conflict and Tristan       *
*    and dedicated to the English Prankster, Phiber Optik,     *
*    Louis Cypher and other hackers who have proved an honor   *
*    to themselves and to our community in not cooperating     *
*    with "law enforcement."                                   *
*                                                              *
****************************************************************
The information presented forthwith is the result of knowledge gained through actual first-hand experience. There is no theoretical aspect to any part of this article, except where explicitly noted. Disclaimer: this file is for outright illegal use. I sincerely hope publication of this file contributes to the delinquency of both minors and adults alike. -- "Codec"

Getting Started

In setting up your own 900 number, you earn a big percentage of the net revenue generated by calls made to that number. You can advertise and promote your number in various and sundry ways in an extremely competitive environment, or--if you so happen to be a hacker--you can simply dial up some PBXes and call the number yourself. Since you'll be earning several dollars per minute, you won't be in any hurry to hang up. In fact, you may find yourself letting the phone stay off the hook while you chat on IRC or read the latest Phrack. Though not a scheme to get rich, this can provide a considerable income or simply an occasional bonus, depending on your h/p resourcefulness and effort exerted.

Before you can start calling your own 900 number and making yourself money, you need to buy into the 900 business. On your next outing for the latest copy of Hustler, grab a USA Today. In the classifieds, (as well as many other business classifieds), under the heading "business opportunities," you'll notice any number of 900 ads. You want to find a "service bureau" and not a simple "reseller," so shop around and call a number of the companies, asking about percentages and whether or not your setup costs (usually ranging from $300 to $1500) are comprehensive for the year or whether you'll have to pay a monthly fee. Avoid these pesky monthly maintenance fees. All sorts of 900 packages exist, but you want an automated service--such as a dateline--that is ready to all as soon as you've paid. This means you'll have no equipment to set up, or 900 trunks terminating at your house, or hookers to hire, etc. The service bureau provides you with the number and the service, so all you have to do is market the number (should you be legit). You can bargain a little on the setup fee. An example of a worthwhile deal would be as follows: an automated dateline number (similar to a voice ail system, only you listen to personal ads and have the option of leaving a response) for $750/year, a per minute rate of $3.99, and a 75% net return (i.e., you make about $3.00/min). AT&T and MCI provide 900 services to the service bureaus. AT&T is preferable, as you receive payment two months after the end of the calling month, as opposed to three months with MCI--so ask about this too. Your continued efforts will reap a monthly check thereafter.

The service bureau actually sends you the check. You'll want it in a personal name to make it easier to cash with your bogus ID. Some bureaus will "factor" your account, meaning that if you've accumulated a lot of credits, they will pay you in advance of their getting paid by the carrier--for a percentage fee. Don't try to scam them on this; your account is scrutinized closely before a premature check is approved. If everything is done properly, both you and the service bureau will be happy. [That's what's so great about this project: everyone wins--you, the service bureau, even AT&T--only the PBX owner loses!]

You will be able to check your credits, or "minutes" as called in the 900 industry, by calling a special number provided by the service bureau. After entering your account codes, an automated response will give you statistics such as daily call reports and total minutes accumulated for the billing month. Be sure to find out about the virtual end-of-month date. The end of each billing period is not necessarily the last day of the month. Accordingly, you will need to plan your attacks with this in mind, as we will discuss next.

Getting A Date

Now that you've set up your dateline, you'll be anxious to start earning the three bucks a minute. The dateline makes it kind of fun, since you get to hear all kinds of ridiculous messages and the typical horny soliloquy. Get a speakerphone if you lack one now.

You don't necessarily need PBXes--any outdials you find that complete a 900 call will suffice. However, the lines targeted must be those of a business, one that is large enough to own a PBX. Calling on residential lines, cell phones, or from small businesses will not work--the owners will get their bill, and simply call the phone company and complain that they didn't make the call. This will attract undesired attention to your line by the LEC and your service bureau, and it will also cost you in that the carrier connect fees, about .25 and .30 per minute, will be deducted from your account. The LD carriers get theirs, whether the party pays or not. This is why the calling method encouraged here is the PBX. If you can manipulate central office switches, do so by these same principles.

PBX owners tend to pay their phone bills--including 900 calls that aren't outrageous. They'll assume that one of their own employees made the call, if they even notice. Instead of attempting to exploit a PBX to some astronomical degree, you're better off running up a mere fifty to sixty dollar charge. Do this every month as part of a schedule. Not only may it go unnoticed, but you are assured that it will go uncontested even if detected. Running up an excessive number of minutes risks unneeded attention and assures either a total "killing" of the PBX, or at minimum, 900 restrictions added by the PBX administrator. Even with a remote admin access, your luck will run out. Remember: YOU WILL ONLY GET PAID IF THE PBX OWNER PAYS THE PHONE BILL!

With this in mind, the most limiting factor is the number of PBXes you can accumulate. The widespread raping of AT&T's System 75/85/Definity in 1992 (as a result of discoveries in 1991) made that year extremely ripe for this 900 scheme. Many of us managed to accumulate large collections of System 75s, including the elusive Super Nigger, who allegedly compiled over 300. (Where the hell were you hiding?) AT&T security memorandums have since killed hundreds of these, but the defaults still work well in some cities. Regardless, PBXes abound, and the more you find, the more minutes you can generate.

Let's look at a sample attack schedule: 

PBX #           M       T       W       Th      F       S       Su
 01             15m
 02             10m
 03              8m
 04                             14m
 05                             16m
 06                             24m
 07                             12m
 08                             13m
 09                                     16m
 10                                             2m,10m
 11                                             13m
 12                                             4m,4m
Twelve PBXes are to be attacked in the sample week, so there are probably fifty PBXes totally to be attacked for the month. Each PBX is to be used only once per billing period. You will get many months of use out of each PBX with this conservative approach, so long as every hacker west of Poland doesn't have access as well. Notice how the number of connection minutes varies, and the calling pattern is quite random looking. The schedule is maintained not only to keep track of PBXes in your harem you've fucked for the month, but to assist you in generating minutes in a pseudo-random pattern. It is acceptable to have your minutes generated in a pattern, albeit a loose one. For instance, if all minutes are generated only on the weekend, a discerning eye will not attribute this to the type of marketing you are using. The sample schedule is only the ideal model. Having to rigid a pattern, however, such as having an exact number of calls each day, is potentially suspicious to your service bureau. Simultaneous calls to your 900 number through different outgoing trunks on the same PBX is also strongly discouraged.

Listening Software

Calling your 900 dateline number is fun, but when you've got over a hundred PBXes to hit each month for an average of fifteen minutes a pop, the novelty tends to wear off. Of course you can have a speakerphone and a time and go about other tasks between calls, but why not write a program that will enable your modem to do all this for you? All the program must do is have the modem call a PBX from a list, pause, and call your 900 (or another PBX and then your 900, for LD PBX attacks). Once connected to your 900, it must stay "listening" until a random timer (10-20 minutes) hangs it up. Depending upon your dateline service, the modem may have to emit a DTMF every once in a while to keep the service convinced you're still there. This is a very worthwhile program to write--it can drastically reduce your total time spent with this operation, leaving you with only the PBX list to maintain (additions and deletions), and the spending of your hard-earned cash (the novelty of this WON'T wear off).

Large Charge-Rate Option

A 900 number can be set up to charge as much as $50 per call. Whether the call lasts less then a minute, or for over ten, the cost for the caller is the same $50. In order to set up such an account, you must qualify as an "Information Provider," or IP. Regulations on 900 numbers state that you must be a provider of information, not tangible goods. With a dateline, the information is included in your deal with the service bureau, so you are considered an IP. The bureau can provide you with your own number that terminates in a voice processing or audio-text system, but now you must provide the actual information. Your idea must be approved by the LD carrier, and they tend to scrutinize your plans the higher your desired rate. Your bureau may even subject your service to a test to make sure it's not a fake.

One idea is to ask for a $25 per-call rate. Make like a writer of shareware programs, and have your 900's announcement ask the caller to leave name and address to be legally registered to use the software, and to receive updated versions. A confirmation notice will be sent to acknowledge the registration. Many bureaus will accept this as qualification for IP status, if properly presented. A sample arrangement like this should not cost more than a grand to set up. Stats on minutes are checked just as with the dateline, only you'll receive any messages left by callers, and you'll receive any messages left by callers, and you'll be able to change the announcements--just like voice mail. [IT's always a thrill to call a 900 number and hear yourself thanking the caller, heh heh.] On a $25 line, you should net about $19 per call.

All the same rules apply using this large charge-rate setup. You can't abuse a PBX any more with this option then with a dateline. It does give you the added flexibility for methods used other than PBXes, such as outdials that will only connect briefly. For instance, message notification on voicemail will not connect to a number for prolonged durations, but long enough to activate a $25 charge. And a typical modem outdial on a mainframe will soon hang up with the absence of an answering carrier, but the linger is long enough for a $25 call. And with CO switching, the arrangements you make are ideally temporary--turned quickly on and off--making a fast $25 hit optimal. Lastly, if you are skilled in accessing corporate phone closets (see "Physical Access and Theft," Phrack 43) or the corresponding outside plant, you can use your test set to call your 900. Obviously a large charge-rate would be better here too, rather than standing for endless periods of time in compromising positions connected to a squawking dateline.

No matter how you access business lines, be sure they belong to a large company. Definitely experiment, but do so in moderation--make any necessary notes (like time and date of call) and wait for your 900 billing statement to see if the call was paid for. [Your billing statement, essentially a call accounting summary, is created for each billing month by the LD carrier and sent to you via the service bureau with your check. It includes the calling phone numbers, time, date, duration, etc. of all calls made to your number.]

A Final Word

It would be hard to get "busted" doing anything mentioned in this article. Even if you're nabbed for misdemeanor PBX abuse, no one will ever imagine--let alone try to prove--that the 900 number you were calling is your own. [Hey, you're just a desperately lonely guy!] However, be wary of pen registers (DNRs) if you've been up to other dark deeds, and set up your calling operations at a safer place. Don't check your minutes using any of the same means that you use to generate them (a record of your calling into your 900 backdoor is probably the most incriminating track you can make). Keep your 900 account anonymous, as with your address, voice mail, and ID/SSN.

Welcome to the dark side--and best of luck.

Sincerely,
CO/der DEC/oder
DSR

[ The Author can be reached, when the system is up, at: codec@crimelab.com ]