Toll Free Calls Fraud on Internet

Aug 3rd, 2007

Hi folks,

I don't know if you have been going through this problem.

Many clients that have access to the Internet through ADSL service are having their phone/voice lines busy because an external user through the Internet takes their lines to make worldwide phone calls, charging this cost to the ADSL user.

The fraud is related to the way the hacker takes the gateway that belongs to another user in another country and provides phone services.

Please let me know if you have heard about this. Is there any vulnerability?

Thanks in advance.

Orlando

shikamarunara Fri, 08/03/2007 - 09:30

You need to get in touch with the IXC or whoever is providing the SIP telephony service. They will have a CDR of all calls and the IP address that the call originated from. The reason that these fraudsters are able to make these calls is because there is basically no real authentication at the IXC SIP peer. It should require a username, password, and a hardcoded static IP address (in other words, not just any host should be able to connect to the SIP proxy and generate calls, only hosts from a specific static IP address.) If you can't do that, there will pretty much always be fraud use. Change to a telephony provider that has some security.


HTH - don't forget to rate posts!


-Shikamaru

omendieta77 Fri, 08/03/2007 - 10:26

Hi.

Thanks 4 your reply.

The thing is that behind the ADSL modem we have a PIX and a router with CCME in the LAN that is the local PBX (with SCCP phones, there are no H323/SIP trunks). So the attack was made from the Internet and they reached the LAN to make phone calls (toll fraud) using the IP PBX in the LAN through the COs connected to that router. Do you know about any bug or vulnerability?

Thanks once again!

Regards,

Orlando


omendieta77 Fri, 08/03/2007 - 10:30

I'm pasting some info collected about it.

And take a look at the following IP address:

203.121.71.211.

The following phone calls are made from somewhere on the Internet, taking advantage of some vulnerability.

Regards,

Orlando.


*************


WGIRtr01#sho voice call active voice compact

A/O FAX T Codec type Peer Address IP R:

Total call-legs: 8

513 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18188

514 ORG T6 g729r8 TELE P9001095367356257

515 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18196

516 ORG T6 g729r8 TELE P90010951534883

517 ANS T4 g729r8 VOIP P10101010101 203.121.71.211:18204

518 ORG T4 g729r8 TELE P9001021260860325

519 ANS T5 g729r8 VOIP P10101010101 203.121.71.211:18212

520 ORG T5 g729r8 TELE P9001095015569
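
Added example (not part of the original posts and not Cisco tooling): a Python check over the `show voice call active voice compact` output pasted above that flags VoIP call legs answered from outside the trusted networks and reports the PSTN number each one was bridged to. The RFC 1918 trusted list, the column meanings and the pairing of adjacent legs are assumptions.

```python
import ipaddress
import re

# Assumption: only these (RFC 1918) networks may source VoIP legs on this router.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Call legs copied from the output pasted in the thread.
SAMPLE = """\
Total call-legs: 8
513 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18188
514 ORG T6 g729r8 TELE P9001095367356257
515 ANS T6 g729r8 VOIP P10101010101 203.121.71.211:18196
516 ORG T6 g729r8 TELE P90010951534883
517 ANS T4 g729r8 VOIP P10101010101 203.121.71.211:18204
518 ORG T4 g729r8 TELE P9001021260860325
519 ANS T5 g729r8 VOIP P10101010101 203.121.71.211:18212
520 ORG T5 g729r8 TELE P9001095015569
"""

# Assumed columns: id, ANS/ORG, T<seconds>, codec, VOIP/TELE, P<number>, [ip:port]
LEG = re.compile(r"^\s*(?P<id>\d+)\s+(?P<dir>ANS|ORG)\s+T(?P<secs>\d+)\s+(?P<codec>\S+)"
                 r"\s+(?P<type>VOIP|TELE)\s+P(?P<peer>\S*)(?:\s+(?P<ip>[\d.]+):(?P<port>\d+))?\s*$")

def parse_legs(text):
    """Return one dict per call-leg line; header and blank lines are skipped."""
    return [m.groupdict() for m in map(LEG.match, text.splitlines()) if m]

def is_trusted(ip):
    """True only for a valid address inside TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_hairpins(text):
    """Flag VoIP legs answered from untrusted IPs, with the PSTN number they reached."""
    legs, findings = parse_legs(text), []
    for i, leg in enumerate(legs):
        if leg["type"] != "VOIP" or leg["dir"] != "ANS" or not leg["ip"]:
            continue
        if is_trusted(leg["ip"]):
            continue
        nxt = legs[i + 1] if i + 1 < len(legs) else None
        # Assumption: the outbound TELE leg of a bridged call is listed right after it.
        paired = nxt is not None and nxt["type"] == "TELE" and nxt["dir"] == "ORG"
        findings.append({"call_id": int(leg["id"]), "source_ip": leg["ip"],
                         "pstn_number": nxt["peer"] if paired else None})
    return findings
```

Calling `untrusted_hairpins(SAMPLE)` returns four findings, one per inbound VoIP leg in the pasted output.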

shikamarunara Fri, 08/03/2007 - 11:33

If 203.121.71.211 is not your own address, then it has nothing to do with your inside network or with a bug or exploit. Like I said before, if your SIP peer on the Internet is not secure, anyone could connect to it and make calls. It wouldn't matter where the connection came from. That's why I said that if your IXC can't lock it down properly, find another one.


Please rate this post if it helps

-Shikamaru

omendieta77 Fri, 08/03/2007 - 11:46

The thing is that we do not use any SIP connection through the Internet. It's just the CCME in the LAN that has been accessed from the Internet... somehow. That CCME does not have any voice/data traffic from/to the Internet, and even so, it happened.

The CCME only has dial-peers to connect to the local PSTN. We don't have dial-peers to any other system/PBX.

Regards,

Orlando

valstan Fri, 08/03/2007 - 12:35

You didn't say which version of Call Manager you are using?

omendieta77 Fri, 08/03/2007 - 13:13

OK thanks,

Let me take a look at the link.

Regards,

Orlando


omendieta77 Tue, 08/28/2007 - 10:18

Hi,

thanks a lot 4 your reply.

I was out of the office, and now I'm back to this case.

I'll try, and let you know if it works 4 me.

Have a nice day.

Orlando
