fraud advice


Hi,

Embarrassed as I am to write this, I am hoping for some advice. One of
our very first PBX installs, now six years old, was “taken advantage of”
over the past few weeks. A victim of sipvicious, I assume, that managed
to guess one of the SIP passwords. 4000 calls to various middle eastern
destinations have been placed, which ended up being sent over our
customer’s PSTN trunk, and of course there was no warning until the bill
came today. Unfortunately the bill only covered the first few days of
this fiasco, and was only $700. I am afraid the one that is on the way
will be tens of thousands. ONE CALL on the bill that just arrived was
$200 (80 minutes to Sierra Leone).

I’m sure this started out as a single scan. It must have been posted,
because I have at least ten IP addresses now that were placing calls via
the same peer. They are from all over the world.

So what is the accepted procedure? I’m in the US Virgin Islands, so do I
go to the FBI? Police? Is there some telecom fraud body to report such
things to? Does anyone ever get any relief from such events?

I’m basically sick to my stomach right now.

j

14 thoughts on - fraud advice

  • As a practical matter, on anything that can generate endless billings, there
    should be a dumb trap that compares current usage to history (last month)
    and if usage exceeds 2/1 or 3/1 for instance then usage is choked or denied
    enough to cause the user to complain or perhaps generate a message to call
    customer support, (or call your cell phone!)

    Then if it is valid, raise last month’s reference enough to let current
    calling continue. If it isn’t valid you have found a problem and saved your
    or your customer’s caboose.

    As to who to complain to, gather all info possible and report to everyone
    you can find. Someone may investigate, but there isn’t likely anyone who
    will absolve the problem. Some will just take the report and … as far as
    you are concerned, do nothing. There isn’t much a local police dept. can do
    about a hacker in Western Slobovia cracking your server.

    Generally the FBI doesn’t take matters of less than $10,000. But it sounds
    like you may meet that test.

    But they could take months or years or never finding the culprit and finding
    the culprit will likely net you nothing financial for you will be 1/10,000
    of the fraud they did.

    This is a problem like spam in email. But this has cash costs to the server
    operator/customer. Passwords need to be un-crack-able, and there should be
    usage alarms, as described above.

    Depending on the situation even a single counter to your upstream billable
    sip server for all usage would likely trip on excessive usage and save your
    bacon.

    Cary Fitch

  • Jeff,

    I suggest talking to your PSTN/VoIP provider. We had a large amount going
    through TATA communications and have not accepted their word for payment
    because they had a duty to not allow traffic if our credit went down to $1k
    while the calls charged were actually more than that.

    Unfortunately, probably there is no one you can complain to. But it also
    sickens me at how badly Asterisk is made to not cope with situations like
    this and worse than that is FreePBX.

    I suggest checking your contract terms with your provider as they might have
    some sort of restrictions. At the very least PSTN providers try to bring the
    price per minute lowered to their buy rate which is usually less than half
    of the original bill.

    Regards,
    Bruce

  • Asterisk is just doing what you tell it to do, process calls. If you
    have no authentication or route blocking how do you expect Asterisk to
    know that there is a problem?

    I was just in a similar situation where someone guessed the username
    and password of my SIP trunk. The provider called me the next day to
    tell me that they detected strange traffic on my line and asked if I was
    making those calls. Now that is good service from a provider.

  • On Fri, Oct 15, 2010 at 10:29 AM, Steve Edwards
    wrote:

    This is nothing new. Trunk to trunk transfers and other exploits
    could be used on old school phone systems to do the same thing.

    I would start with getting the current balance, if over $10k call the
    FBI, call them anyways, it couldn’t hurt. You want the Feds to check
    things out before local police if possible.

    Gather as much info as possible, along with police and FBI case
    numbers and then call the carrier and see what can be done.

    A friend of mine took what was supposed to be my one month rotation to
    Iraq. I had too much going on to be in Iraq for a month and a half
    and had taken the last rotation so it wasn’t even my turn.

    The phone bill came for his cell (company provided on Asia Cell) for
    $4k in just a couple weeks. It turns out that he was not using the
    cell and one of the cleaning people stole his SIM.

    After contacting Asia Cell a few times about the matter, they credited
    the whole amount back. So you never know.

    As for security, I assume you need to allow these extensions to
    register from outside the LAN? If not, then only allow them to
    register via a LAN IP, I would do it with iptables, only allow the
    provider IP through.

    I am curious what your user:pass was? something like 1000:1000, I see
    many systems setup like this and am surprised they haven’t been hit
    yet.

    In the future, you could use a scheme that makes it much more secure
    and also pretty easy to maintain.

    The username could be the MAC and the pass could be the serial number
    or asset tags if you use them.

    I know there must be dozens of people reading this that have had the
    same issue but are embarrassed to speak up.

    (BTW Sierra Leone is in West Africa, not the Middle East.)

    Thanks,
    Steve T

  • For future I would highly recommend to have at least fail2ban installed.
    This way sipvicious IPs will be blocked instantly before they could create
    any damage. Also I prefer to limit International calling to only certain
    limit, e.g. only for $10 per account, but this depends upon how your
    business deals with international calls. I get a few IPs blocked every day by
    fail2ban, though by default no new connections are allowed international
    calls on my system.

    Zeeshan A Zakaria
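The detection logic behind the fail2ban suggestion above, written out as an added example (it is not code from this thread or from the fail2ban project): parse Asterisk's failed-REGISTER notices, count failures per source address inside a sliding time window, and produce the drop rule fail2ban would apply. The log lines are constructed, modelled on the chan_sip NOTICE format, and the 5-failures-in-600-seconds threshold is an assumption chosen to resemble fail2ban's usual maxretry/findtime settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the chan_sip NOTICE messages Asterisk writes
# to its messages log when a REGISTER fails. Addresses are documentation ranges.
SAMPLE_LOG = """\
[Oct 15 10:29:01] NOTICE[2231] chan_sip.c: Registration from '"1000" <sip:1000@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[Oct 15 10:29:02] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[Oct 15 10:29:02] NOTICE[2231] chan_sip.c: Registration from '"1002" <sip:1002@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[Oct 15 10:29:03] NOTICE[2231] chan_sip.c: Registration from '"1003" <sip:1003@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[Oct 15 10:29:04] NOTICE[2231] chan_sip.c: Registration from '"1004" <sip:1004@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[Oct 15 10:31:10] NOTICE[2231] chan_sip.c: Registration from '"2001" <sip:2001@198.51.100.7>' failed for '192.0.2.44' - Wrong password
[Oct 15 12:05:00] NOTICE[2231] chan_sip.c: Registration from '"2001" <sip:2001@198.51.100.7>' failed for '192.0.2.44' - Wrong password
"""

# Matches the failed-registration line; an optional ":port" after the address is
# tolerated because some Asterisk versions log it.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(log_text, year=2010):
    """Return a list of (timestamp, source_ip, reason) for each failed REGISTER.
    The syslog-style timestamp carries no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("reason")))
    return events


def offending_ips(events, maxretry=5, findtime=600):
    """Return {ip: time_of_the_maxretry-th_failure} for every source that produced
    `maxretry` failures inside any window of `findtime` seconds. This is the
    decision a fail2ban jail makes before it bans the address."""
    window = timedelta(seconds=findtime)
    by_ip = defaultdict(list)
    for ts, ip, _reason in sorted(events):
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        for i in range(len(times)):
            j = i + maxretry - 1          # index of the maxretry-th failure from times[i]
            if j < len(times) and times[j] - times[i] <= window:
                hits[ip] = times[j]
                break
    return hits


def drop_rules(hits):
    """One iptables DROP rule per offending source (the effect of a ban action)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(hits)]


if __name__ == "__main__":
    found = offending_ips(parse_failures(SAMPLE_LOG))
    for ip, when in found.items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
    print("\n".join(drop_rules(found)))
```

In the sample, 203.0.113.5 makes five failed registrations in four seconds and is caught; 192.0.2.44 fails twice, 94 minutes apart, and is left alone, which is the point of the window: a legitimate phone with a mistyped secret should not be locked out on its first slip.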

  • We took a pretty nasty hit one time, a system administrator didn’t listen to
    us about changing the passwords. Luckily they took part of the blame in
    that, and we split the $1800 it cost us in half. We could have changed
    them, and she didn’t change them, so we were both at fault.

    Like said previously, fail2ban is a pretty good start. Weak secrets
    definitely don’t help.

    An interesting project to look into and I’m working with right now, I’ve got
    a honeypot set up in the wild, but haven’t gotten anything really worthwhile
    yet…

    http://www.infiltrated.net/voipabuse/defensive.html

    I’d also suggest, if you don’t *have* to have international dialing on the
    trunk, turn it off, put a pin on it, or just send it to a dummy trunk that
    doesn’t do anything or route anywhere.

    I really hope this helps, and best of luck with cleaning up from the
    aftermath. I know ours was a pretty good wake up call to us to really start
    locking things down.

    I know it’s lame, but from Network Security Hacks:

    Security isn’t a noun, it’s a verb; not a product, but a process

  • Auditing is an important process of any system. Automatic auditing
    against CDRs is not that hard and phone calls that happen at 1am are
    easy to see. I would suggest a CRON job to email all calls that
    happen outside normal business hours to the owner of the phone
    system.

    ~
    Andrew “lathama” Latham

    lathama@gmail.com

    * Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
    * Learn more about Linux http://en.wikipedia.org/wiki/Linux
    * Learn more about Tux http://en.wikipedia.org/wiki/Tux
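Two suggestions in this thread fit one script: Cary Fitch's "dumb trap" that compares this month's usage to last month's and trips on a 2:1 or 3:1 jump (with the step of raising the reference once a spike is confirmed legitimate), and Andrew Latham's cron job that mails every call placed outside business hours. The code below is an added example, not from the thread or the Asterisk project. It reads records in the layout of Asterisk's Master.csv CDR file; the calls themselves are constructed, the per-extension key (`src`), the 600-second minimum reference and the 08:00-18:00 weekday window are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Column order of Asterisk's Master.csv (cdr_csv module); the file has no header row.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid", "userfield"]

# Constructed sample calls: (src extension, dialed number, start, billsec). September
# is the baseline month; October contains two long late-night calls from ext 1000.
SAMPLE_CALLS = [
    ("1000", "3405551212", "2010-09-14 10:05:00", 120),
    ("1000", "3405551313", "2010-09-20 14:30:00", 300),
    ("1000", "3405551414", "2010-09-28 09:15:00", 180),
    ("1001", "3405551515", "2010-09-16 11:00:00", 240),
    ("1001", "3405551616", "2010-09-22 16:45:00", 60),
    ("1000", "3405551717", "2010-10-12 09:40:00", 120),
    ("1000", "0023222123456", "2010-10-15 01:12:03", 4800),
    ("1000", "0023222123457", "2010-10-15 23:40:10", 200),
    ("1001", "3405551818", "2010-10-13 15:10:00", 200),
]
FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_master_csv(calls=SAMPLE_CALLS):
    """Serialise the constructed calls in Master.csv layout so the parser below sees
    the same shape a real /var/log/asterisk/cdr-csv/Master.csv has."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for n, (src, dst, start, billsec) in enumerate(calls):
        st = datetime.strptime(start, FMT)
        ans = st + timedelta(seconds=10)
        end = ans + timedelta(seconds=billsec)
        w.writerow(["", src, dst, "from-internal", f'"{src}" <{src}>', f"SIP/{src}-{n:08x}",
                    "DAHDI/1-1", "Dial", f"DAHDI/g0/{dst},60", st.strftime(FMT),
                    ans.strftime(FMT), end.strftime(FMT), str(billsec + 10), str(billsec),
                    "ANSWERED", "DOCUMENTATION", f"1287000000.{n}", ""])  # uniqueid is made up
    return buf.getvalue()


def parse_cdrs(text):
    """Parse Master.csv text into dicts holding only the fields the audit needs."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=CDR_FIELDS):
        rows.append({"account": rec["src"], "dst": rec["dst"],
                     "start": datetime.strptime(rec["start"], FMT),
                     "billsec": int(rec["billsec"]), "disposition": rec["disposition"]})
    return rows


def billsec_by_account(rows, period):
    """Total answered seconds per source extension for one (year, month)."""
    totals = defaultdict(int)
    for r in rows:
        if (r["start"].year, r["start"].month) == period and r["disposition"] == "ANSWERED":
            totals[r["account"]] += r["billsec"]
    return dict(totals)


def usage_trap(rows, baseline, current, ratio=3.0, floor=600, overrides=None):
    """Cary's trap: flag accounts whose current-period seconds exceed `ratio` times
    their baseline-period seconds. `floor` gives an account with little or no history
    a minimum reference so its first call does not trip the alarm; `overrides` is the
    'raise last month's reference' step, used once a spike has been checked and is
    known to be legitimate. Returns {account: (current_secs, reference_secs)}."""
    base = billsec_by_account(rows, baseline)
    cur = billsec_by_account(rows, current)
    overrides = overrides or {}
    flagged = {}
    for acct, secs in cur.items():
        reference = max(overrides.get(acct, base.get(acct, 0)), floor)
        if secs > ratio * reference:
            flagged[acct] = (secs, reference)
    return flagged


def after_hours_calls(rows, period, opens=time(8, 0), closes=time(18, 0)):
    """Andrew's audit: calls in `period` that started on a weekend or outside the
    opens..closes window, oldest first."""
    out = [r for r in rows
           if (r["start"].year, r["start"].month) == period
           and (r["start"].weekday() >= 5 or not opens <= r["start"].time() < closes)]
    return sorted(out, key=lambda r: r["start"])


def audit_report(rows, baseline, current):
    """Plain-text body a nightly cron job can pipe into mail(1) for the system owner."""
    lines = []
    for acct, (secs, ref) in usage_trap(rows, baseline, current).items():
        lines.append(f"USAGE ALARM: ext {acct} used {secs // 60} min vs reference {ref // 60} min")
    for r in after_hours_calls(rows, current):
        lines.append(f"AFTER HOURS: {r['start']} ext {r['account']} -> {r['dst']} ({r['billsec'] // 60} min)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(parse_cdrs(build_sample_master_csv()), (2010, 9), (2010, 10)))
```

Run against the sample, extension 1000 jumps from 10 minutes in September to 85 in October (an 8.5:1 ratio) and both of its late-night calls are listed; extension 1001 stays quiet. Passing `overrides={"1000": 6000}` is the "raise the reference" step and silences the alarm for that extension only. Against a real system the script would read Master.csv instead of the constructed rows and run from cron shortly after midnight, which is early enough to notice a multi-day call long before the carrier's bill does.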

  • How is password policy an Asterisk issue? The solution to the problem at hand is
    non-numeric usernames, and strong passwords.

    Leif.

  • Thanks Steve – that is the kind of advice I was looking for. I’m
    willing to take my lumps for the weak passwords on those accounts, and
    the lack of any filtering. I do understand the issues and the steps I
    need to take to better secure the switches in service, and just need to
    get off my a$$ and do it.

    Mainly I am hoping to hear from someone who has gone through the
    aftermath – as you mention above. So far I have had a discussion with
    the carrier who is “opening an investigation”. I’ll contact the FBI
    today as well. I’ll send an update when this is all over for posterity.

    True 😉 Most of the calls were Iraq, UAE, Lebanon… Found another one
    today that was 2.5 DAYS long to Chile. Bizarre.

    j

  • Not bizarre at all. You being in the Virgin Islands should know what
    that is probably about.

    http://www.snopes.com/fraud/telephone/809.asp

    I have a general questionnaire prior to planning the installation.
    One question is about international calls and using a PIN
    (Authenticate(1234356)), totally blocking, having a few phones in a
    separate context that can dial international.

    Usually, I will explain the nature of an IP PBX and the dangers of
    fraud, then go over what they “NEED”. If you do this along with
    locking things down, hopefully you won’t run into any more fraud, but
    as you have seen first hand, there is big money to be made, so assume
    you are defending against an international crime ring with lots of
    time and knowledge.

    Once you do your bit and cover your bases, then if there is fraud, you
    save face and provide guidance rather than damage control.

    http://www.infiltrated.net/asterisk-ips.html I found that link while
    googling for Nufone. It appears there may be more to the
    story than I knew. I know JerJer claimed to have received a bill for
    $500k due to fraud. I am not sure what happened after that but I am
    seeing information about charges against him for mail fraud.

    Thanks,
    Steve T

  • Kind of like blaming the gun manufacturer instead of the criminal with
    their finger on the trigger?

    Is there some gaping hole in Asterisk security or are you just asleep at
    the wheel?

  • We were hit several times in our early days with PRS fraud that ended up
    costing us DEARLY. We contacted the FBI, but they were completely
    unhelpful. The origin of the caller was Egypt (using a network in Egypt
    that has long been a front for criminal activity, so the networking
    people on that end were less than useless), and the Egyptian cyber fraud
    division is two guys with a yahoo email address. The FBI contacted them,
    but they were neither equipped nor entirely willing to be of any real
    help in tracking down the perpetrator. It doesn’t hurt to contact the
    FBI, though. They may already have an open investigation into the
    individual or group responsible and need the information for their case.
    But do not expect them to be able to do much.

    Eventually, some of our debt was quashed by the provider who had
    violated their own policies in charging us for unlisted premium rate
    services, but it changed the entire way we do business.

    Unfortunately, it’s now MUCH more difficult to pay us money than it used
    to be, and that’s turned a lot of customers off, but we’ve had no
    problems with PRS fraud since.

    N.