> Hmm the calls are made during the day (and sometimes very early in the
> morning). Right now it looks like someone actually made these calls. If
> that is the case it's somewhat comforting to know the system wasn't
> compromised. However, the $25,000 phone bill still remains. Yikes. $6.25
> per minute to Cambodia seems quite steep to me.

Since the Mitel had a default admin password, it seems possible that somebody accessed its UI over the network, and then accessed and copied its SIP credentials for your Asterisk server.

If that's the case, the calls might not have been placed through the phone. The miscreant could have configured the purloined credentials into another hardphone, or a softphone app on any PC or tablet or cellphone which was able to access your LAN.

The "cloned" phone would not have needed to actually register with Asterisk... it could simply have sent an INVITE to place a call, and Asterisk would have challenged it and then accepted the credentials.

If your CDR log shows IP addresses for each call, you might be able to compare these with your DHCP (or whatever) IP registration service, and see if the calls actually came through the phone or not. If not you might be able to identify the device which initiated the calls.

The bad news is, I suspect that you're probably "on the hook" for the cost of the calls. In the case of an "inside job" it's often hard to legitimately "disavow" the charges. You may have to pay the bill and then (if you can identify whomever placed the unauthorized calls) attempt to recover the cost from him/her in court. This sort of misuse by an insider might be "theft by conversion".
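The CDR-to-DHCP comparison suggested in the message above, as an added example that is not part of the original post: it labels each international call by which device held the call's source IP at the time it was placed. The CSV column names, the peer name `mitel-101`, the addresses and the `011` dialing prefix are all assumptions for illustration, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; column names are assumptions, not an Asterisk format.
CDR_CSV = """start,peer,dst,src_ip,billsec
2015-01-20T09:15:00,mitel-101,5551234,192.168.1.50,120
2015-01-20T10:02:00,mitel-101,01185500000001,192.168.1.50,900
2015-01-21T05:40:00,mitel-101,01185500000002,192.168.1.77,3600
2015-01-22T14:05:00,mitel-101,01185500000003,192.168.1.200,2400
"""
LEASES_CSV = """ip,mac,hostname,lease_start,lease_end
192.168.1.50,00:00:5e:00:53:01,mitel-101,2015-01-19T00:00:00,2015-01-26T00:00:00
192.168.1.77,00:00:5e:00:53:99,laptop-7,2015-01-21T05:00:00,2015-01-21T17:00:00
"""
PHONE_MACS = {"mitel-101": "00:00:5e:00:53:01"}  # peer -> MAC of the real desk phone

def load_leases(text):
    leases = []
    for row in csv.DictReader(io.StringIO(text)):
        row["lease_start"] = datetime.fromisoformat(row["lease_start"])
        row["lease_end"] = datetime.fromisoformat(row["lease_end"])
        leases.append(row)
    return leases

def lease_at(leases, ip, when):
    """Return the lease that held `ip` at time `when`, or None."""
    for lease in leases:
        if lease["ip"] == ip and lease["lease_start"] <= when < lease["lease_end"]:
            return lease
    return None

def classify_calls(cdr_text, leases_text, phone_macs, intl_prefix="011"):
    """Label each international call by the device that held its source IP."""
    leases = load_leases(leases_text)
    findings = []
    for call in csv.DictReader(io.StringIO(cdr_text)):
        if not call["dst"].startswith(intl_prefix):
            continue  # only the international calls are in question
        lease = lease_at(leases, call["src_ip"], datetime.fromisoformat(call["start"]))
        if lease is None:
            verdict = "no-lease"      # static address, or host not served by this DHCP server
        elif lease["mac"].lower() == phone_macs.get(call["peer"], "").lower():
            verdict = "desk-phone"    # call really came from the phone itself
        else:
            verdict = "other-device"  # the peer's credentials were used from another host
        findings.append((call["start"], call["src_ip"], verdict,
                         lease["hostname"] if lease else None))
    return findings
```

A `no-lease` result is worth as much attention as `other-device`: it means the source address was either statically configured or outside the range this DHCP server hands out.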
dk at donkelly.biz
2015-Jan-29 11:51 UTC
[asterisk-users] Investigating international calls fraud
It's very unlikely that this was an employee calling Mom for 66 hours (I'm assuming these calls appeared on a single bill). It's also unlikely that someone "inside" would benefit financially from making these calls. (Follow the money!) Don't discount the possibility that you've overlooked something in the firewall.

Meanwhile, does the client need to do international calling? If not, they may request that international calls be blocked by the carrier; once blocked, any international calls are the carrier's responsibility, not the client's.

--Don

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Dave Platt
Sent: Thursday, January 29, 2015 12:11 AM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] Investigating international calls fraud

> Hmm the calls are made during the day (and sometimes very early in the
> morning). Right now it looks like someone actually made these calls.
> If that is the case it's somewhat comforting to know the system wasn't
> compromised. However, the $25,000 phone bill still remains. Yikes.
> $6.25 per minute to Cambodia seems quite steep to me.

Since the Mitel had a default admin password, it seems possible that somebody accessed its UI over the network, and then accessed and copied its SIP credentials for your Asterisk server.

If that's the case, the calls might not have been placed through the phone. The miscreant could have configured the purloined credentials into another hardphone, or a softphone app on any PC or tablet or cellphone which was able to access your LAN.

The "cloned" phone would not have needed to actually register with Asterisk... it could simply have sent an INVITE to place a call, and Asterisk would have challenged it and then accepted the credentials.

If your CDR log shows IP addresses for each call, you might be able to compare these with your DHCP (or whatever) IP registration service, and see if the calls actually came through the phone or not. If not you might be able to identify the device which initiated the calls.

The bad news is, I suspect that you're probably "on the hook" for the cost of the calls. In the case of an "inside job" it's often hard to legitimately "disavow" the charges. You may have to pay the bill and then (if you can identify whomever placed the unauthorized calls) attempt to recover the cost from him/her in court. This sort of misuse by an insider might be "theft by conversion".
Michel Verbraak
2015-Jan-29 13:37 UTC
[asterisk-users] Investigating international calls fraud
Did you have a look at the phone itself already? Is call forwarding activated or something and can you call the phone/extension from externally?

I have seen this in the past where an employee enabled call forwarding on the phone and once at home he or family called the phone which forwarded the call to abroad.

Good luck.

Michel.

On 29-01-15 at 12:51, dk at donkelly.biz wrote:
> It's very unlikely that this was an employee calling Mom for 66 hours (I'm
> assuming these calls appeared on a single bill). It's also unlikely that
> someone "inside" would benefit financially from making these calls. (Follow
> the money!) Don't discount the possibility that you've overlooked something
> in the firewall.
>
> Meanwhile, does the client need to do international calling? If not, they
> may request that international calls be blocked by the carrier; once
> blocked, any international calls are the carrier's responsibility, not the
> client's.
>
> --Don
>
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Dave Platt
> Sent: Thursday, January 29, 2015 12:11 AM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] Investigating international calls fraud
>
>> Hmm the calls are made during the day (and sometimes very early in the
>> morning). Right now it looks like someone actually made these calls.
>> If that is the case it's somewhat comforting to know the system wasn't
>> compromised. However, the $25,000 phone bill still remains. Yikes.
>> $6.25 per minute to Cambodia seems quite steep to me.
> Since the Mitel had a default admin password, it seems possible that
> somebody accessed its UI over the network, and then accessed and copied its
> SIP credentials for your Asterisk server.
>
> If that's the case, the calls might not have been placed through the phone.
> The miscreant could have configured the purloined credentials into another
> hardphone, or a softphone app on any PC or tablet or cellphone which was
> able to access your LAN.
> The "cloned" phone would not have needed to actually register with
> Asterisk... it could simply have sent an INVITE to place a call, and
> Asterisk would have challenged it and then accepted the credentials.
>
> If your CDR log shows IP addresses for each call, you might be able to
> compare these with your DHCP (or whatever) IP registration service, and see
> if the calls actually came through the phone or not. If not you might be
> able to identify the device which initiated the calls.
>
> The bad news is, I suspect that you're probably "on the hook" for the cost
> of the calls. In the case of an "inside job" it's often hard to
> legitimately "disavow" the charges. You may have to pay the bill and then
> (if you can identify whomever placed the unauthorized calls) attempt to
> recover the cost from him/her in court. This sort of misuse by an insider
> might be "theft by conversion".