It's just before dawn on a February morning in a quiet residential neighborhood in Karachi, a city in Pakistan.
Pakistan's chief intelligence officer, Mir Mazar Jabbar, is walking towards the home of a hacker who he's been tracking for over two years.
Behind Jabbar is a team of Pakistani police officers.
Jabbar arrives at the front door and knocks.
You're probably already aware the FBI has a top 10 most wanted criminals list.
But what you may not know is the FBI also puts out a Cyber's Most Wanted list, which is a list of the FBI's most wanted hackers.
Jabbar and his team are about to raid the house of one of the FBI's Cyber's Most Wanted.
Just then, the door opens.
Jabbar and his team forcefully push the door open and raid the house.
This is Darknet Diaries, true stories from the dark side of the Internet.
I'm Jack Rhysider.
They did the whole thing in a single weekend when nobody was in the office.
That's Adam Finch, a victim of one of these types of attacks.
We didn't even know about it until a month later when we got the bill.
He's talking about his phone bill.
The bill was $24,000 more than normal.
Why was it so high?
The bill said we had called multiple pay-per-minute numbers.
Like 1-900 sex and psychic chat lines?
Exactly.
We tried to refute the charges with the telephone company, telling them we didn't make these calls.
What did they say?
They basically said, "Tough luck, pay up."
We did go to the police, but they didn't seem to care and ultimately gave us no help.
Adam didn't want me to reveal what company he works for because it's embarrassing for the company.
Adam's company did pay the charges, though, because there was no other option.
You may be wondering why somebody would break into an office and rack up an enormous phone bill for someone else.
But here's the crux of the hack.
The hackers were dialing pay-per-minute numbers that they owned.
With this attack, they are literally turning other people's phones into ATMs.
There are two main methods hackers use to do this.
Method one.
The hacker will call a desk phone in a random office.
But it's 7 PM, and it's Friday, so nobody picks up.
The call goes to voicemail, but some phones have the ability to check voicemail remotely.
To access your voicemail, please enter your PIN followed by the pound key.
The hacker will first try the last four digits of the phone number.
This is usually the default PIN for a voicemail box.
Once they get into voicemail, they're looking for a specific configuration option.
To activate do not disturb, press 1.
To change a permanent forwarding number, press 2.
Bingo.
Call forwarding.
The hacker sets the call forwarding number to be the number of their pay-per-minute line.
Now the next time anyone dials the phone, it will place a new call to the pay-per-minute line.
Method two.
This method is a little bit more involved.
Many companies are adopting voice over IP, or VoIP, phones in their office.
This is where the phone plugs into the regular office network and not the plain old telephone system.
Most VoIP phones are dumb.
They don't know what to do without the help of another system.
And that other system is called a private branch exchange, or PBX.
When someone picks up the handset of a phone, the phone freaks out and says to the PBX, help.
Someone just picked up the handset.
What do I do?
The PBX is very friendly and says, calm down.
Just play a dial tone.
And when the user pushes a number, the phone panics again and asks for help again.
And the PBX says, don't worry.
Just play a digit tone.
And this continues until the user pushes enough numbers and the PBX connects the call.
But the problem is, the PBX is sometimes too helpful.
Nobody taught it who can and can't make calls.
It wasn't properly secured.
Anyone who knows the IP address of an insecure PBX can make phone calls that originate from that office.
With this method, hackers find the IP addresses of PBXs and try to make a call using that PBX.
They configure their phone, pick up the handset, and check for a dial tone.
This takes patience on the hacker's part, because they have to hunt and poke into the darkness of the Internet.
But eventually, they pick up the phone and hear a dial tone.
To a PBX hacker, that is the sound of money.
Now the hacker begins making calls to the pay-per-minute numbers.
And they use robodialers, dialing hundreds of times a day or thousands of times in a weekend.
Calls are made to Guinea, East Timor, Lithuania.
And every minute connected results in more money for the hacker.
More and more calls are made, more and more minutes are racked up, and this continues until someone, somewhere notices the calls and stops them.
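Both methods end the same way: a burst of after-hours calls to premium-rate or unusual international destinations that nobody notices until the bill arrives. The script below is an added example, not code from the episode or from any of the companies mentioned in it. It runs the kind of check a PBX operator can apply to their own call detail records (CDRs): flag watch-listed destinations dialed outside business hours, and flag any extension that places a burst of such calls in a short window, which is what a robodialer looks like. The CDR format, the business hours, the burst threshold and the destination watch-list are all assumptions; the country codes are real, but which destinations to watch is something each operator has to decide for their own traffic.

```python
"""Toll-fraud detection over PBX call detail records (added example; constructed data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Destination prefixes to watch. The E.164 country codes are real; the choice of
# which destinations to watch-list is an assumption the operator must tune.
WATCHLIST_PREFIXES = {
    "1900": "US premium-rate (1-900)",
    "+224": "Guinea",
    "+670": "East Timor",
    "+370": "Lithuania",
    "+53": "Cuba",
    "+371": "Latvia",
    "+263": "Zimbabwe",
}

BUSINESS_OPEN, BUSINESS_CLOSE = 8, 18  # local business hours (assumption)
BURST_WINDOW = timedelta(hours=1)      # window for the robodialer check (assumption)
BURST_THRESHOLD = 5                    # watch-listed calls per extension per window

# Constructed sample CDR: ISO timestamp, calling extension, dialed number, seconds.
# 2015-02-13 is a Friday; the 19:xx calls from extension 1042 model a Friday-night robodialer.
SAMPLE_CDR = """
2015-02-13T09:15:02,1042,12015550123,180   # daytime domestic call: ignored
2015-02-13T14:30:44,1017,+3705550100,120   # daytime Lithuania call: counted, not flagged
2015-02-13T19:04:11,1042,+2245550001,600
2015-02-13T19:05:30,1042,+2245550002,600
2015-02-13T19:07:02,1042,+6705550003,600
2015-02-13T19:08:45,1042,+2245550004,600
2015-02-13T19:10:20,1042,+2245550005,600
2015-02-13T19:12:00,1042,19005550006,600
2015-02-14T02:00:00,1017,12015550789,60    # weekend domestic call: ignored
"""


@dataclass
class Call:
    started: datetime
    extension: str
    dialed: str
    seconds: int


def parse_cdr(text: str) -> list[Call]:
    """Parse the constructed CSV-style CDR; '#' starts a comment."""
    calls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, ext, dialed, secs = (field.strip() for field in line.split(","))
        calls.append(Call(datetime.fromisoformat(ts), ext, dialed, int(secs)))
    return calls


def destination_label(dialed: str) -> str | None:
    """Return the watch-list label for a dialed number, or None if it is not watched."""
    for prefix, label in WATCHLIST_PREFIXES.items():
        if dialed.startswith(prefix):
            return label
    return None


def is_after_hours(when: datetime) -> bool:
    """Weekend, or a weekday outside BUSINESS_OPEN..BUSINESS_CLOSE."""
    return when.weekday() >= 5 or not (BUSINESS_OPEN <= when.hour < BUSINESS_CLOSE)


def detect_toll_fraud(calls: list[Call]) -> dict:
    """Flag after-hours watch-listed calls and per-extension bursts; total the exposed minutes."""
    flagged = []
    per_ext: dict[str, list[datetime]] = defaultdict(list)
    minutes = 0.0
    for c in sorted(calls, key=lambda call: call.started):
        label = destination_label(c.dialed)
        if label is None:
            continue
        minutes += c.seconds / 60
        per_ext[c.extension].append(c.started)
        if is_after_hours(c.started):
            flagged.append((c.started.isoformat(), c.extension, c.dialed, label))
    # Sliding window over each extension's sorted call times: a robodialer shows
    # up as many watch-listed calls from one extension inside BURST_WINDOW.
    bursts: dict[str, int] = {}
    for ext, times in per_ext.items():
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > BURST_WINDOW:
                left += 1
            count = right - left + 1
            if count >= BURST_THRESHOLD:
                bursts[ext] = max(bursts.get(ext, 0), count)
    return {"flagged_calls": flagged, "burst_extensions": bursts,
            "watchlist_minutes": round(minutes, 1)}


if __name__ == "__main__":
    report = detect_toll_fraud(parse_cdr(SAMPLE_CDR))
    for entry in report["flagged_calls"]:
        print("after-hours watch-listed call:", entry)
    print("burst extensions:", report["burst_extensions"])
    print("watch-listed minutes:", report["watchlist_minutes"])
```

Run against the constructed sample, it flags the six Friday-night calls from extension 1042, reports that extension as a burst (six watch-listed calls within an hour), and totals 62 watch-listed minutes, while the daytime Lithuania call is counted but not flagged. On a real PBX the same logic would run over exported CDRs on a schedule, so a Friday-night compromise is noticed before Monday's bill rather than after it.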
So I guess my first question is, why can't the victim go to the phone company to refund the charges?
Because the phone company doesn't cover consequential losses.
My name is Paul Byrne.
I work for a company called UC Defense, which I founded to mitigate the threat of the climate hold problem, or otherwise commonly known as PBX hacking.
Paul has been protecting companies from PBX hackers since 2012.
He says the phone companies have a legal right to collect any fees their customers accrue.
This is usually spelled out in the contract.
So yeah, the victim tends to be found liable.
But most importantly, the PBX is not property of the telecom.
It's owned by the victim.
It was the victim's own negligence of security that resulted in this attack.
Just like when an ISP gives a company an internet connection, they aren't liable if that company gets hacked.
How much is PBX hacking costing people yearly?
The best evidence is from the Communications Fraud Control Association.
They estimate that PBX hacking is costing the business community in excess of $10,000,000,000 per annum.
That number, 10,000,000,000, has doubled in the last four years.
There's absolutely no doubt that fraud is on the rise, and it's primarily due to the vulnerabilities around VoIP.
These VoIP vulnerabilities are simply that companies aren't taking the steps to secure their PBX correctly.
Often a business doesn't have anyone capable of configuring a PBX, so they outsource the job to a contractor.
But they often go with the cheapest contractor to save money, which results in an insecure or hastily configured PBX.
It's not an easy task to properly secure a PBX.
Since the PBX must be on the Internet to receive incoming calls, you can't simply block all incoming access to it.
To further complicate things, some offices have mobile workers who have their office desk phone at home.
So now a PBX needs to be configured to allow calls initiated from the internet.
It's a delicate balance between what's allowed and what's not allowed.
What's the average bill for a victim?
What we're seeing is a company with an average of 100 users on the phone system. They get compromised on a Friday night.
On Monday morning, their phone bill will be in the region of €60,000.
Are the police able to help victims of this crime?
No.
Because the police aren't aware of this.
They're used to other types of crimes that they know how to investigate.
But when this incident occurs, they don't have the resources to even understand what the crime means and how they would go about investigating it.
As Paul said, the police just aren't equipped to handle international crimes.
Calls are almost always going to foreign countries, such as East Timor, Cuba, Latvia, even Zimbabwe.
Many of these crimes don't get reported.
Companies fear bad publicity if they say they've been hacked.
Sometimes victims contact the FBI, but the FBI is usually only interested in threats against the government or the country, or crimes that were over $1,000,000 in damages.
And most of this PBX hacking is in the tens of thousands.
The FBI does appreciate when people report the crime, since it helps them collect data to build a case.
In 2012, the FBI did receive enough reports about PBX hacking that they began looking at the data.
And somehow, they were able to track down who was making these phone calls.
While looking at the data, patterns began emerging, which eventually led them to two men, Farhan Arshad and Noor Aziz Uddin.
Somehow, the FBI found out that the two men were on a flight to Kuala Lumpur in Malaysia.
So the FBI contacted Interpol to arrest the two men.
And within hours of the two hackers arriving in Kuala Lumpur, Interpol raided their hotel and arrested both of them.
The FBI was thrilled and began sending extradition requests to Malaysia.
But after being held for sixty days, the Malaysian attorney general let them both go free.
According to the official report, the Malaysian Attorney General said: The arrest warrant obtained by the Malaysian Home Ministry violated the technicalities involved in the requirements of the Extradition Act of 1992.
Malaysia believed they had arrested these two men illegally.
Farhan and Uddin both immediately fled the country, got out of Malaysia, and went back to Pakistan.
The very next month, the FBI indicted both men, added them to the Cyber's Most Wanted list, and offered a $50,000 bounty for any information leading to the arrest of either one of them.
I'm looking at the indictment form now, and it shows a list of victims that were targeted by these hackers.
And I want to share with you the top three highest charges that I see on this list.
A company in Carlstadt, New Jersey is claiming that they lost $78,000.
A company in Englewood, New Jersey is claiming they lost $83,000.
But the highest one on the list is the township of Parsippany-Troy Hills in New Jersey.
They're claiming these hackers racked up a phone bill of $395,000.
According to the indictment report, the FBI claims these men dialed for thirteen million minutes from 4,800 different hacked phone numbers.
And once the FBI had a warrant for their arrest, they notified Pakistan, which is where they thought these two men were living.
And in Pakistan, the FIA began researching it.
The FIA is the Federal Investigation Agency, similar to the CIA in the US.
The chief security officer of the FIA is Mir Mazar Jabbar.
And for years, the FIA had no leads towards catching these two individuals.
Then the FIA got a tip.
Somebody had claimed they knew the cell phone number of Uddin.
The FIA then worked with the telephone company to track down the GPS coordinates of that cell phone.
And that's when Jabbar raided the home of Uddin.
Not only did he catch Uddin, but Arshad was there in the house too, and both men were arrested on February 14, 2015.
It's ironic, don't you think?
These two phone hackers were brought down because their phone number became known.
In total, the FBI claims they cost $50,000,000 in damages.
What did Uddin do with the money?
He purchased about 50 plots of land around Karachi, his hometown in Pakistan, and was even investing about $400,000 in various local business ventures.
And now, two years later, both men continue to sit in a prison in Pakistan, still awaiting their trial and sentencing.
These two men were arrested for PBX hacking, but there are thousands of other PBX hackers that haven't been caught.
And even though we don't know who they are or where they are, we do know one thing for certain.
PBX hacking will continue until security improves.
You've been listening to Darknet Diaries.
For show notes and links, check out darknetdiaries.com.
Music is provided by Ian Alex Mac, Sroh, Haikum Kahidi, and Podington Bear.