Security experts said today the arrest might be just the tip of the iceberg.
Edwin Andres Pena, 23, a Venezuelan national and U.S. resident, owned two companies that sold more than 10 million minutes of internet connection call time to telecom firms at discounted rates, according to a U.S. Department of Justice statement.
The firms’ calls then were surreptitiously routed through the VoIP networks, including a Newark, N.J.-based provider, but Pena’s companies billed the providers for the calls, authorities said. Buyers had thought Pena’s companies would legally route their calls for them, then pay the VoIP providers for their services.
Authorities said Pena, who made more than $1 million in the heist, was aided by Robert Moore, 23, of Spokane, Wash. Moore’s role allegedly involved scanning for vulnerable ports within VoIP networks that would not detect bogus routing. He initiated more than six million scans between June and October 2005, the statement said.
He was planning to surrender, authorities said.
"Emerging technologies and the internet represent a sea of opportunity for business but also for sophisticated criminals," said Christopher J. Christie, U.S. attorney for New Jersey, where the criminal charges were filed. "The challenge, which we and the FBI continue to meet with investigations and prosecutions like this one, is to stay ahead of the cyber-criminal and protect legitimate commerce."
Pena was charged with wire fraud and computer hacking, which occurred between November 2004 and May 2006, the statement said. To hide the money he was making from his two companies – Fortes Telecom and Miami Tech & Consulting – Pena bought real estate, cars and a 40-foot motorboat, and placed the merchandise under the name of someone else.
Authorities Wednesday executed nine warrants in New Jersey, Florida, Washington, Illinois, Texas and California. If convicted of the wire fraud charge, Pena faces up to 20 years in prison and a $250,000 fine. The computer hacking charge carries a maximum penalty of five years in prison and a $250,000 fine.
VoIP security experts said today they were not surprised by the news.
"I think it’s just the beginning, I think we’re going to see a lot more of this issue," said Seshu Madhavapeddy, CEO of Sipera Systems. "It’s not like they haven’t been happening, but they’ve been quiet."
He said VoIP is more vulnerable to successful hijacking than traditional telephone lines.
"You can do stuff on the internet and it’s much more easy to hack into things," he said. "You can do that without any specialized equipment. You can do it from a PC."