Hi,

Embarrassed as I am to write this, I am hoping for some advice. One of our very first PBX installs, now six years old, was "taken advantage of" over the past few weeks. A victim of sipvicious, I assume, that managed to guess one of the SIP passwords. 4000 calls to various Middle Eastern destinations have been placed, which ended up being sent over our customer's PSTN trunk, and of course there was no warning until the bill came today. Unfortunately the bill only covered the first few days of this fiasco, and was only $700. I am afraid the one that is on the way will be tens of thousands. ONE CALL on the bill that just arrived was $200 (80 minutes to Sierra Leone).

I'm sure this started out as a single scan. It must have been posted, because I have at least ten IP addresses now that were placing calls via the same peer. They are from all over the world.

So what is the accepted procedure? I'm in the US Virgin Islands, so do I go to the FBI? Police? Is there some telecom fraud body to report such things to? Does anyone ever get any relief from such events?

I'm basically sick to my stomach right now.

j
As a practical matter, on anything that can generate endless billings, there should be a dumb trap that compares current usage to history (last month), and if usage exceeds 2/1 or 3/1, for instance, then usage is choked or denied enough to cause the user to complain, or perhaps generate a message to call customer support (or call your cell phone!).

Then if it is valid, raise last month's reference enough to let current calling continue. If it isn't valid you have found a problem and saved your or your customer's caboose.

As to who to complain to, gather all info possible and report to everyone you can find. Someone may investigate, but there isn't likely anyone who will absolve the problem. Some will just take the report and ... as far as you are concerned, do nothing. There isn't much a local police dept. can do about a hacker in Western Slobovia cracking your server.

Generally the FBI doesn't take matters of less than $10,000. But it sounds like you may meet that test.

But they could take months or years, or never find the culprit, and finding the culprit will likely net you nothing financially, for you will be 1/10,000 of the fraud they did.

This is a problem like spam in email. But this has cash costs to the server operator/customer. Passwords need to be un-crack-able, and there should be usage alarms, as described above.

Depending on the situation, even a single counter to your upstream billable SIP server for all usage would likely trip on excessive usage and save your bacon.
Cary Fitch
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Jeff
LaCoursiere
Sent: Thursday, October 14, 2010 8:11 PM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] fraud advice
-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
Jeff, I suggest talking to your PSTN/VoIP provider. We had a large amount going through TATA Communications and have not accepted their word for payment because they had a duty to not allow traffic if our credit went down to $1k while the calls charged were actually more than that.

Unfortunately, probably there is no one you can complain to. But it also sickens me at how badly Asterisk is made to not cope with situations like this, and worse than that is FreePBX.

I suggest checking your contract terms with your provider as they might have some sort of restrictions. At the very least, PSTN providers try to bring the price per minute down to their buy rate, which is usually less than half of the original bill.

Regards,
Bruce

On Thu, Oct 14, 2010 at 9:10 PM, Jeff LaCoursiere <jeff at sunfone.com> wrote:
> [quoted original message snipped]
On 10-10-14 10:49 PM, bruce bruce wrote:
> Unfortunately, probably there is no one you can complain to. But it also
> sickens me at how badly Asterisk is made to not cope with situations
> like this and worse than that is FreePBX.

How is password policy an Asterisk issue? The solution to the problem at hand is non-numeric usernames, and strong passwords.

Leif.
Auditing is an important process of any system. Automatic auditing against CDRs is not that hard, and phone calls that happen at 1am are easy to see. I would suggest a cron job to email all calls that happen outside normal business hours to the owner of the phone system.

~ Andrew "lathama" Latham lathama at gmail.com
* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux
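A cron-driven CDR audit of the kind Andrew describes, combined with the usage-ratio trap Cary suggested earlier in the thread, as an added example (not code from this thread, from Asterisk, or from either poster): it reads rows in Asterisk's Master.csv field order, lists answered calls that started outside business hours, and flags any extension whose billed seconds exceed three times a last-month daily baseline. The CDR rows, the business-hours window and the baseline figures are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in Asterisk's Master.csv field order: accountcode, src, dst,
# dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration,
# billsec, disposition, amaflags, uniqueid, userfield. Dialled numbers are made up.
SAMPLE_CDR = """\
"","201","5551234","from-internal","","SIP/201-0001","","Dial","","2010-10-14 10:05:00","2010-10-14 10:05:03","2010-10-14 10:08:00",180,177,"ANSWERED",3,"1287050700.1",""
"","201","0023200000001","from-internal","","SIP/201-0002","","Dial","","2010-10-14 01:12:00","2010-10-14 01:12:05","2010-10-14 02:32:05",4805,4800,"ANSWERED",3,"1287018720.2",""
"","201","0023200000002","from-internal","","SIP/201-0003","","Dial","","2010-10-14 02:40:00","2010-10-14 02:40:04","2010-10-14 03:10:04",1804,1800,"ANSWERED",3,"1287024000.3",""
"""

BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local time, Monday to Friday


def parse_cdr(text):
    """Pull only the fields the audit needs out of Master.csv text."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 15:
            continue  # skip blank or truncated lines
        rows.append({"src": rec[1], "dst": rec[2],
                     "start": datetime.strptime(rec[9], "%Y-%m-%d %H:%M:%S"),
                     "billsec": int(rec[13]), "disposition": rec[14]})
    return rows


def after_hours_calls(rows):
    """Andrew's check: answered calls that started outside business hours or at the weekend."""
    return [r for r in rows
            if r["disposition"] == "ANSWERED"
            and (r["start"].hour not in BUSINESS_HOURS or r["start"].weekday() >= 5)]


def usage_alarms(rows, baseline_sec_per_day, ratio=3.0):
    """Cary's trap: flag extensions whose billed seconds exceed ratio x last month's daily average.
    An extension with no baseline gets 0, so any usage from it trips the alarm (fail safe)."""
    today = defaultdict(int)
    for r in rows:
        today[r["src"]] += r["billsec"]
    return {src: secs for src, secs in today.items()
            if secs > ratio * baseline_sec_per_day.get(src, 0)}


if __name__ == "__main__":
    cdr = parse_cdr(SAMPLE_CDR)
    for r in after_hours_calls(cdr):
        print("after hours:", r["start"], r["src"], "->", r["dst"], r["billsec"], "s")
    print("usage alarms:", usage_alarms(cdr, {"201": 900}))  # constructed baseline: 15 min/day
```

Run it from cron against the day's CDR file and mail whatever it prints; an 80-minute answered call at 01:12 shows up in both lists.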
On Thu, 14 Oct 2010, bruce bruce wrote:
> But it also sickens me at how badly Asterisk is made to not cope with
> situations like this and worse than that is FreePBX.

Kind of like blaming the gun manufacturer instead of the criminal with their finger on the trigger?

Is there some gaping hole in Asterisk security or are you just asleep at the wheel?

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
For the future I would highly recommend having at least fail2ban installed. This way sipvicious IPs will be blocked instantly, before they could create any damage. Also I prefer to limit international calling to only a certain limit, e.g. only $10 per account, but this depends upon how your business deals with international calls. I get a few IPs blocked every day by fail2ban, though by default no new connections are allowed international calls on my system.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-10-15 10:40 AM, "Steve Edwards" <asterisk.org at sedwards.com> wrote:
> [quoted message snipped]
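The rule fail2ban applies to the Asterisk log, written out as an added example (not from this thread, and not fail2ban's or Asterisk's own code) so the detection is visible: it parses chan_sip "Registration from ... failed for" NOTICE lines, bans a source with three or more failures inside ten minutes, and separates "No matching peer found" (an unknown username being probed, which is what Leif's non-numeric usernames defeat) from "Wrong password" (a known username being brute-forced). The log lines, addresses, thresholds and the log-year assumption are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed lines in the chan_sip NOTICE format seen in Asterisk's full log;
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
[Oct 14 21:10:05] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Oct 14 21:10:05] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Oct 14 21:10:06] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct 14 21:10:06] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct 14 21:10:07] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct 14 21:30:00] NOTICE[1234] chan_sip.c: Registration from '"202" <sip:202@203.0.113.10>' failed for '192.0.2.44' - Wrong password
"""

# Source port after the IP is optional (newer chan_sip builds append it).
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$")


def parse_failures(text, year=2010):
    """Return (timestamp, source_ip, reason) for each failed registration.
    The full log carries no year, so one is assumed."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["reason"]))
    return out


def offenders(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP with maxretry or more failures inside findtime."""
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return banned


def reasons_by_ip(failures):
    """Username probing ('No matching peer found') versus password guessing ('Wrong password')."""
    counts = defaultdict(Counter)
    for _, ip, reason in failures:
        counts[ip][reason] += 1
    return counts
```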
On Fri, 2010-10-15 at 07:29 -0700, Steve Edwards wrote:
> On Thu, 14 Oct 2010, bruce bruce wrote:
> > But it also sickens me at how badly Asterisk is made to not cope with
> > situations like this and worse than that is FreePBX.
>
> Kind of like blaming the gun manufacturer instead of the criminal with
> their finger on the trigger?
>
> Is there some gaping hole in Asterisk security or are you just asleep at
> the wheel?

Asterisk is just doing what you tell it to do, process calls. If you have no authentication or route blocking, how do you expect Asterisk to know that there is a problem?

I was just in a similar situation where someone guessed the username and password of my SIP trunk. The provider called me the next day to tell me that they detected strange traffic on my line and asked if I was making those calls. Now that is good service from a provider.

--
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez Prats
Director of Technology
+52-55-91169161 ext 2001
On 10/14/10 9:10 PM, Jeff LaCoursiere wrote:
> [quoted original message snipped]

We were hit several times in our early days with PRS fraud that ended up costing us DEARLY. We contacted the FBI, but they were completely unhelpful. The origin of the caller was Egypt (using a network in Egypt that has long been a front for criminal activity, so the networking people on that end were less than useless), and the Egyptian cyber fraud division is two guys with a yahoo email address. The FBI contacted them, but they were neither equipped nor entirely willing to be of any real help in tracking down the perpetrator.

It doesn't hurt to contact the FBI, though. They may already have an open investigation into the individual or group responsible and need the information for their case. But do not expect them to be able to do much.
Eventually, some of our debt was quashed by the provider who had violated their own policies in charging us for unlisted premium rate services, but it changed the entire way we do business. Unfortunately, it's now MUCH more difficult to pay us money than it used to be, and that's turned a lot of customers off, but we've had no problems with PRS fraud since. N.