asterisk users - Oct 2014 - PBX hacked: why hundred of calls to the same number ?

Hi,

Someone reported me that from a PBX on which someone gained fraudulent
access, he could observe hundreds of calls to the same destination
number.

For curiosity's sake, I'm wondering why would this happen (dialing the
same number over and over) ?

Some special numbers generate here and there revenues for callees (and
not for callers).
Beside sharing interests with the callee that get those revenues, why
a hacker would like to dial the same numbers over and over ?
In other words, in this case, is looking at callee number a promising
path to find hackers ?

Regards

Le 01/10/2014 11:40, Olivier a ?crit :
> Hi,
Hi
>
> Someone reported me that from a PBX on which someone gained fraudulent
> access, he could observe hundreds of calls to the same destination
> number.
>
> For curiosity's sake, I'm wondering why would this happen (dialing
the
> same number over and over) ?
>
> Some special numbers generate here and there revenues for callees (and
> not for callers).
> Beside sharing interests with the callee that get those revenues, why
> a hacker would like to dial the same numbers over and over ?
callee is also the bad men. Go and buy an 899 number in France, hack 
PBXS and call your number :-)

[...]

-- 
Daniel

Am 01.10.2014 11:40, schrieb Olivier:
> Some special numbers generate here and there revenues for callees (and
> not for callers).
Not just some, but ALL numbers generate revenue for the receiving 
telecom. (Ok ok, a few exceptions, in the US for example)

This is how telecoms have been earning money, ever have been and will 
for a while longer until interconnection fees for incoming traffic will 
be dropped completely, it's a work in progress, especially in the EU. 
(Unfortunately)

There are 2 schemes:

1) Not so popular, but it's on the rise in the last 1-2 years: get 
landline numbers in country xyz, strike a deal with the telco that owns 
these numbers so that they'll pass a bit of their revenue on to you, and 
find a way to call yourself for free or at a lower rate than these 
numbers pay (= abuse your unlimited subscriber plan). The revenue is 
usually in the area of 0.00x or even 0.000x per minute, depending on the 
country.

2) Just google International Premium Numbers, or short, IPRN. It's a 
whole world of its own. Revenue is much higher. These are not "real" 
numbers and they never have full worldwide connectivity. So the 
fraudster has 2 tasks: 1) find a carrier through which he can reach 
these numbers and 2) find a way to call these numbers at a lower rate 
than they pay out. 2) is usually accomplished by hacking PBXes (= free 
calls), fraudulent apps etc.  There are tons of stories of abuse 
regarding IPRN out on the web, just research a bit (quite interesting 
actually). Some technical background information on 1) How does it work? 
Where does the revenue come from you might wonder? First to be said, it 
can never work without a fraudulent telecom operator that is part of the 
scheme. Imagine you are calling from France to Latvia. Let's say the 
call passes France, Switzerland, Czech Republic and then goes to Latvia. 
Each carrier on the path passes the call on to the next carrier. Now, 
let's say the carrier in the Czech Republic is the evil one. The call 
comes in, and they simply say: well, this Latvian number that you just 
called belongs to us, we terminate the call here and pick it up. Billing 
time starts. Now, they charge the Swiss telco for the incoming call to 
Latvia, of course. And the Swiss telco charges the French telecom. The 
French telecom charges their subscriber (e.g. hacked PBX). The call 
never makes it to Latvia! Now, the Czech Republic telco works together 
with an IPRN provider (or they run an evil IPRN service by themselves 
kind of anonymously). They pass a bit of the money they get from the 
Swiss telecom on to the IPRN "owner" (the fraudster) and keep the 
remaining money for themselves. Easy money! This is why IPRNs don't have 
worldwide connectivity and can usually never get called from within a 
country (path is too short, no fraudulent telecom in between). They can 
even be real numbers that belong to someone, in this case, in Latvia, it 
doesn't matter. All you need to be is an evil telco where calls transit 
through and you have it. How much do you pay to your normal landline 
telco for a call to Latvia? To a Latvian mobile number? Let it be 0.25 
EUR per minute. Thats what the subscriber pays, the Swiss telecom gets 
0.22 of that, the Czech telco 0.20 and the fraudster 0.11. Just an 
example - margins are always high with IPRNs. Now you can simply do the 
same not with Latvia but with faaar away countries, islands (!) where 
calling to is even more expensive and your margins will go waaay up.

Just to be clear: it's totally legit to earn money on incoming calls, 
this is the main income source for telcos all over the world. But 
abusing your unlimited plan and running IPRNs is not "that" legit
I'd
say. :)

> Beside sharing interests with the callee that get those revenues, why
> a hacker would like to dial the same numbers over and over ?
I don't see another reason.

> In other words, in this case, is looking at callee number a promising
> path to find hackers ?
Not in my experience. Since the fraudulent telcos work together with the 
IPRN "owners" you won't succeed. Must be a large-scale fraud
scheme with
millions of EURs lost for some authority to investigate properly. Plus, 
the IPRN owners even can get paid via Western Union etc. from the IPRN 
service, so all they need is a stolen/fake passport... so you are not 
left with much except maybe their IP address which, of course, if they 
are not totally dumb, isn't theirs. Gotta get in touch with some law 
enforcement agency and then catch them when they pick up the money at 
the Western Union counter.

I should write a book about that. :P

Cheers
Markus