Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
740
Views
17
Helpful
10
Replies

Toll Fraud - Transfers from Unity 8.5

Yort Mantup
Level 4
Level 4

‎10-07-2013 08:28 AM - edited ‎03-16-2019 07:45 PM

Hello,

We have encountered two separate attacks regarding toll fraud.  Our carrier shut it down both times and alerted us.  After the first time, I worked with TAC to help identify and prevent furture attacks.  But it has occured again.  According to CDR, the calls are transers from VoiceMail ports to international (Cuba) numbers. 

Before the first attack, we did have restriction table in place to prevent this.  TAC verified these were in place correctly.  The one change that had me do is change the CSS on each VM port to one that does not allow International calling.

I am trying to figure out how this could be occuring.  The gateway these calls are using (both times) is a PRI.  I am looking for any ideas as to how this may be occuring.  I attached a portion of the CDR and the Restriction Table Configuration (which is same for each Table).

CUCM - 8.5.1.12900-7

CUCXN - 8.5.1ES47.12900-7

Labels:
Preview file
113 KB
Preview file
23 KB
0 Helpful
10 Replies 10

Anas Abueideh
Level 9
Level 9

‎10-07-2013 11:42 AM

Hi,

there is a service parameter in call manager called "block transfer off-net to offnet call", set this paramter to true.

also in the gateway set the call to "offnet".

HTH

Anas

please rate all helpful posts

Chris Deren
Hall of Fame
Hall of Fame
In response to Anas Abueideh

‎10-07-2013 11:46 AM

The call comes from Unity which is not considered offnet, so changing the parameter will do nothing.

To answer the question here, there are many ways toll fraud can be exploited via voicemail, any call handler, opening greeting etc can be exploited and caller might be able to enter any long distance or international number, that is the reason you configure restrictions rules in Unity, to prevent the potential.

HTH,

Chris

0 Helpful

Yort Mantup
Level 4
Level 4
In response to Chris Deren

‎10-07-2013 01:09 PM

Chris,

I agree and what I want to understand is what are "the many ways" this could have occured even though I have restriction tables in place to block fraud.  I tested the both a call handler and my own vm account by assigning an unused option to route to one of the fraudulent numbers shown on the report.  I could not get the call to go thru.  I have now created route patterns to block call to the fraud number from the gateway.  I just wish I knew how they were doing this? 

Thanks

0 Helpful

islam.kamal
Level 10
Level 10
In response to Yort Mantup

‎10-07-2013 01:22 PM

Hi

The most importnat thing which you have to take care of CSS of your VM  registered ports . You have to make sure from the partitions which included on VM ports CSS. Other question can you share with us the Partition for international call , you can check that and check again your CSS for VM ports . CSS of VM ports should not include  this partition , if there is no parition for international calls so you have to do a partition for international calls.

Thank you

please rate all useful information

0 Helpful

Chris Deren
Hall of Fame
Hall of Fame
In response to islam.kamal

‎10-07-2013 01:28 PM

Well, you have to be careful with that if you desire any phone call notifications to work. If you block all external calls from the VM ports or SIP trunk (if using SIP integration) that will also break your notifications.

HTH,

Chris

0 Helpful

islam.kamal
Level 10
Level 10
In response to Chris Deren

‎10-07-2013 01:38 PM

Hi

Regarding to Restriction tables , are ok  , but your VM ports can not do any outgoing call if VM CSS not include any partition for RP "route pattern" for outgoing call. I hope to share with us the CSS for VM ports and the included partitions and the partition for international calls.

Thank you

please rate all useful information

Dennis Mink
VIP Alumni
VIP Alumni
In response to islam.kamal

‎10-07-2013 10:38 PM

The simplest way to check if your VM ports are indeed not routing IDD calls, is to run the dialed number analyzer and see if the dialplan woulod actually block. i know a very crude test, but worth doing


=============================
Please remember to rate useful posts, by clicking on the stars below.

=============================

Please remember to rate useful posts, by clicking on the stars below.

Yort Mantup
Level 4
Level 4
In response to Dennis Mink

‎10-08-2013 06:37 AM

Yes, after the first attack I checked the VM port CSS and they were set to a CSS that allowed International.  I changed them to a CSS that does not allow Int calls.  However I only applied the change on the Directory Number Info for each VM port.  The device information for each VM port still had a CSS that allowed Int calling.  I did not change it on the device information level because I though the Directory Number Info to precidence over the device information.  Screen shot below.  

I did the Dial Numb Analyzer and my CSS's are valid.

0 Helpful

Rob Huffman
Hall of Fame
Hall of Fame

‎10-08-2013 07:38 AM

Hi Troy,

I worked on a thread here where the poster was pretty

sure from his testing that the Line Level CSS was ignored on his

VM port configs.

It may be in your best interest to restrict @ the Device Level

as well just to be safe.

Cheers!

Rob

"Why do the best things always disappear " 

- The Band

Yort Mantup
Level 4
Level 4
In response to Rob Huffman

‎10-08-2013 07:43 AM

Already changed them this morning.  To your point Rob, I agee and verified with testing that the line level CSS is ignored.  Thanks to all for the help. 

0 Helpful
Customers Also Viewed These Support Documents