PBX Hacked: Why Hundred Of Calls To The Same Number ?

Home » Asterisk Users » PBX Hacked: Why Hundred Of Calls To The Same Number ?
Asterisk Users 15 Comments

Hi,

Someone reported me that from a PBX on which someone gained fraudulent access, he could observe hundreds of calls to the same destination number.

For curiosity’s sake, I’m wondering why would this happen (dialing the same number over and over) ?

Some special numbers generate here and there revenues for callees (and not for callers). Beside sharing interests with the callee that get those revenues, why a hacker would like to dial the same numbers over and over ?
In other words, in this case, is looking at callee number a promising path to find hackers ?

Regards

15 thoughts on - PBX Hacked: Why Hundred Of Calls To The Same Number ?

  • Am 01.10.2014 11:40, schrieb Olivier:

    Not just some, but ALL numbers generate revenue for the receiving telecom. (Ok ok, a few exceptions, in the US for example)

    This is how telecoms have been earning money, ever have been and will for a while longer until interconnection fees for incoming traffic will be dropped completely, it’s a work in progress, especially in the EU.
    (Unfortunately)

    There are 2 schemes:

    1) Not so popular, but it’s on the rise in the last 1-2 years: get landline numbers in country xyz, strike a deal with the telco that owns these numbers so that they’ll pass a bit of their revenue on to you, and find a way to call yourself for free or at a lower rate than these numbers pay (= abuse your unlimited subscriber plan). The revenue is usually in the area of 0.00x or even 0.000x per minute, depending on the country.

    2) Just google International Premium Numbers, or short, IPRN. It’s a whole world of its own. Revenue is much higher. These are not “real”
    numbers and they never have full worldwide connectivity. So the fraudster has 2 tasks: 1) find a carrier through which he can reach these numbers and 2) find a way to call these numbers at a lower rate than they pay out. 2) is usually accomplished by hacking PBXes (= free calls), fraudulent apps etc. There are tons of stories of abuse regarding IPRN out on the web, just research a bit (quite interesting actually). Some technical background information on 1) How does it work?
    Where does the revenue come from you might wonder? First to be said, it can never work without a fraudulent telecom operator that is part of the scheme. Imagine you are calling from France to Latvia. Let’s say the call passes France, Switzerland, Czech Republic and then goes to Latvia. Each carrier on the path passes the call on to the next carrier. Now, let’s say the carrier in the Czech Republic is the evil one. The call comes in, and they simply say: well, this Latvian number that you just called belongs to us, we terminate the call here and pick it up. Billing time starts. Now, they charge the Swiss telco for the incoming call to Latvia, of course. And the Swiss telco charges the French telecom. The French telecom charges their subscriber (e.g. hacked PBX). The call never makes it to Latvia! Now, the Czech Republic telco works together with an IPRN provider (or they run an evil IPRN service by themselves kind of anonymously). They pass a bit of the money they get from the Swiss telecom on to the IPRN “owner” (the fraudster) and keep the remaining money for themselves. Easy money! This is why IPRNs don’t have worldwide connectivity and can usually never get called from within a country (path is too short, no fraudulent telecom in between). They can even be real numbers that belong to someone, in this case, in Latvia, it doesn’t matter. All you need to be is an evil telco where calls transit through and you have it. How much do you pay to your normal landline telco for a call to Latvia? To a Latvian mobile number? Let it be 0.25
    EUR per minute. Thats what the subscriber pays, the Swiss telecom gets
    0.22 of that, the Czech telco 0.20 and the fraudster 0.11. Just an example – margins are always high with IPRNs. Now you can simply do the same not with Latvia but with faaar away countries, islands (!) where calling to is even more expensive and your margins will go waaay up.

    Just to be clear: it’s totally legit to earn money on incoming calls, this is the main income source for telcos all over the world. But abusing your unlimited plan and running IPRNs is not “that” legit I’d say. 🙂

    I don’t see another reason.

    Not in my experience. Since the fraudulent telcos work together with the IPRN “owners” you won’t succeed. Must be a large-scale fraud scheme with millions of EURs lost for some authority to investigate properly. Plus, the IPRN owners even can get paid via Western Union etc. from the IPRN
    service, so all they need is a stolen/fake passport… so you are not left with much except maybe their IP address which, of course, if they are not totally dumb, isn’t theirs. Gotta get in touch with some law enforcement agency and then catch them when they pick up the money at the Western Union counter.

    I should write a book about that. 😛

    Cheers Markus

  • Am 01.10.2014 um 18:19 schrieb Markus:
    Is the destination Number like Country Code +972?

    +972 59 xxxxxx(x) mobile – Jawall [moving to 7-digit subscriber numbers]

    source – http://www.wtng.info/wtng-972-il.html

    My SIP Proxy logs all the unauth. INVITEs and I found the a lot calls go to the Country code +972 xxxxxxxxxxx

    This is my log from this morning.:
    Oct 2 07:32:15 server /sbin/kamailio[29866]: NOTICE:

  • Am 01.10.2014 um 15:48 schrieb Gokan Atmaca:
    I have one SIP Proxy without any outbound trunks/routing and this Proxy is just collecting bad source IPs and bad destination numbers for the database blacklist table and I use this blacklist table in my productive System.

  • That page is slightly dated. +972 59 XXXXXXX are all the numbers in the Palestinian Authority (there are several providers besides Jawall).

    As a resident of +972 (+972-4), I’ll just note that those hack attempts are typically related to PA numbers (+972-59) as rates there are higher.

  • I’ve seen that a very high percentage of the “SIP probing” my Asterisk system has seen over the past few years, consist of attempts to phone numbers in +972 (or, more generally, the West Bank and/or Gaza).

    It’s consistent enough that I’ve set up a Fail2Ban rule which slaps a semi-permanent block on any IP address which tries this, even once.

    Since the last time I did a firewall-reset, the resulting iptables rules have blocked over 2000 call attempts (one attacker at 142.54.180.50 has tried over 1200 times).

    These attempts seem to come from all over the world… I’d guess that the majority are being sent through ‘botted systems.

  • Am 02.10.2014 um 15:40 schrieb Tzafrir Cohen:
    Hi Tzafrir,

    ok, the page http://www.wtng.info is not really up to date.

    here some logs to see the variations of the attempt to dial over my proxy

    Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE:

  • the attacking server changed the destination Number at 18:53 CEST and he is still blocked … LOL

    972597438354

    Oct 3 18:53:17 server /sbin/kamailio[3977]: NOTICE:

  • We set up our servers to allowguest=yes and autocreatepeer=yes and use a global context setting to point any of those calls to an IVR jail. Attempts stop reasonably quickly.

    An empty “room” with an unlocked “door” is far less interesting than a room with the door locked.

    From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] Is the destination Number like Country Code +972?

    +972 59 xxxxxx(x) mobile – Jawall [moving to 7-digit subscriber numbers]

    source – http://www.wtng.info/wtng-972-il.html

    That page is slightly dated. +972 59 XXXXXXX are all the numbers in the

    Palestinian Authority (there are several providers besides Jawall).

    My SIP Proxy logs all the unauth. INVITEs and I found the a lot

    calls go to the Country code +972 xxxxxxxxxxx

    As a resident of +972 (+972-4), I’ll just note that those hack attempts

    are typically related to PA numbers (+972-59) as rates there are higher.

    Hi Tzafrir,

    ok, the page http://www.wtng.info<http://www.wtng.info> is not really up to date.

    here some logs to see the variations of the attempt to dial over my proxy

    Oct 3 11:23:06 server /sbin/kamailio[7217]: NOTICE:

  • It’s pretty much an everyday occurrence for any internet-connected SIP
    system these days…

    Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP
    server(s) themselves.

    For example, the sipcli scans you listed above can be blocked fairly easily with:
    iptables -A INPUT -p udp –dport 5060 -m string –algo bm –string
    “sipcli” -j DROP

    (obviously there are overheads to string searching UDP/5060 packets that you’ll want to consider, and the above won’t work if you’re using sipcli legitimately anywhere on your network)

    Kind regards,

    Chris

  • Hi Eric

    I like your approach. I think about stateless redirect the bad boy to the NSA- or Pentagon-IVR
    LOL

    Am 03.10.2014 um 20:01 schrieb Eric Wieling:

  • Hi Chris,

    yes … it is boring … I stop posting …
    😉

    Am 03.10.2014 um 20:11 schrieb Chris Bagnall:

  • just one more 😉

    the source IP just changed to

    142.0.41.179

    OrgName: VolumeDrive OrgId: VOLUM-2
    Address: 1143 Northern Blvd City: Clarks Summit StateProv: PA
    PostalCode: 18411
    Country: US

    and the destination Number to

    972595632276

    Oct 3 20:26:37 server /sbin/kamailio[3977]: NOTICE:

  • There are lots of ways to solve this, and NOT to solve this. Don’t start adding lots of rules to iptables (or deep per packet inspection requirements) as this will hurt capacity…and it doesn’t really solve the problem

    Take a look at

    http://www.voip-info.org/wiki/view/Asterisk+security

    If you are running a small system I recommend trying the free version of SecAst. If you’re running a larger PBX, the SecAst GeoIP blocking (deny/allow by country/city/etc) will remove 99% of the attacks.

    Take a good look at the page above for options…free/paid, software/hardware

    Michelle

    *All opinions are my own, and do not represent my employer. Since I’m employed by GenerationD, you can

    bet that my opinions are biased 🙂