[asterisk-biz] Fraud alert

Bill Michaelson astbiz at bill.from.net
Fri Feb 27 16:16:35 CST 2009


I confess. They hit me too - yesterday. I had a security hole they could 
drive a truck through, and they apparently used port 5060 to fish for a 
local extension they could masquerade as. Then they started calling out 
with one of my caller IDs. Within minutes I was deluged with calls from 
puzzled people.

After blocking them, I redirected incoming calls to this DID to a 
recorded explanation and apology. Then I sent a broadcast to the 281 
logged out-dial numbers with a similar message.

So, heads up.

FWIW, I was hit by these IPs:

84.126.205.1
78.157.193.103

It would seem that we all might gain from cooperative work here. Also, 
can we share the FBI contact? I was going to call the FBI, but figured 
it would be a waste of time just getting through the bureaucracy to the 
right person.

I didn't capture the audio. Did the verbiage contain a spoken return 
call #? I was getting responses based on caller ID, and I'm wondering if 
the perpetrator expected to take return calls via the bogus SIP 
registration or via another channel.


Matt Gibson wrote:
> Same here, but about 3 months ago. Luckily I was able to stop it after about
> 30 minutes, but they still got about 100 calls out, I got a lot of calls
> back from little old ladies wanting to give me their credit card info, scary
> stuff. 
>
>
>   
>> -----Original Message-----
>> From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of C. Savinovich
>> Sent: Friday, February 27, 2009 4:18 PM
>> To: 'Commercial and Business-Oriented Asterisk Discussion'
>> Subject: Re: [asterisk-biz] Fraud alert
>>
>>
>>   It seems to be the same pattern of people who attacked 3 of my servers in
>> a 3 week period a couple of weeks ago.  The calls were made mostly to area
>> codes 252 and 818 and indeed they showed the caller-id of the phones.  My
>> customer claims he received a call from the FBI saying that the calls were
>> credit card solicitations.  The point is, whoever is doing this, is doing
>> this massively.
>>
>> CS
>>
>> -----Original Message-----
>> From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of voip-asterisk at maximumcrm.com
>> Sent: Friday, February 27, 2009 4:04 PM
>> To: Commercial and Business-Oriented Asterisk Discussion
>> Subject: Re: [asterisk-biz] Fraud alert
>>
>>>> I'd suggest to everyone to ban that IP, it's been scanning our networks
>>>> from time to time, in a sequential manner by IP.
>>>
>>> I've had really good luck with this:
>>>
>>> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
>>>
>>> Basically, it automatically blackholes via IPtables any host that fails a
>>> certain number of registration attempts in a given period.
>>
>> Yeah we're actually rolling it out on all of our production servers, it's
>> a great application to run.
>>
>> I'm working on some scripts to propagate the bans to the firewall so that
>> all of the servers get protected as soon as possible.
>>
>>> [default]
>>> ; Send any unauthenticated calls to the local FBI office
>>> context=local-fbi-office
>>>
>>> I've got a honeypot server that pretty much accepts any calls that come
>>> through, and plays a "Thank you for calling the Telecommunications Fraud
>>> hotline. Please stay online for the next available representative." If they
>>> stay online for more than 20 seconds, it connects them to an agent at the
>>> FBI that we have been working with.
>>>
>>> I've been meaning to add some code in that pulls out the originating IP
>>> address of the call and tells it to the agent when we call. :)
>>
>> That would be great to have!
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> asterisk-biz mailing list
>> To UNSUBSCRIBE or update options visit:
>>    http://lists.digium.com/mailman/listinfo/asterisk-biz
>>
>   
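
Added example, not part of the original thread and not Fail2Ban's own code: the ban rule described in the quoted reply (block any host that fails a certain number of registration attempts in a given period), applied to constructed log lines in the style of chan_sip registration-failure notices. The timestamp format, thresholds, function names and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation address ranges; timestamp format assumed).
SAMPLE_LOG = """\
[2009-02-27 15:58:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2009-02-27 15:58:02] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2009-02-27 15:58:03] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2009-02-27 15:59:30] NOTICE[2101] chan_sip.c: Registration from '"204" <sip:204@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2009-02-27 16:20:00] NOTICE[2101] chan_sip.c: Registration from '"204" <sip:204@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2009-02-27 16:40:00] NOTICE[2101] chan_sip.c: Registration from '"204" <sip:204@192.0.2.10>' failed for '198.51.100.23' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*?<sip:(?P<ext>[^@>]+)@[^>]*>' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - .+$"
)

def find_offenders(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return {ip: extensions tried} for hosts reaching max_failures within window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> every extension the host attempted
    offenders = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # not a registration failure
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        tried[ip].add(m["ext"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders[ip] = tried[ip]
    return {ip: sorted(exts) for ip, exts in offenders.items()}

def iptables_drop_rules(offenders):
    """Render the bans as iptables commands for review; nothing is executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    print(hits)
    print("\n".join(iptables_drop_rules(hits)))
```

The host that walks through extensions 100 to 102 in three seconds is flagged, while the host with three wrong passwords spread over forty minutes stays under the window threshold, which is the distinction between a scan and a misconfigured phone.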
