[asterisk-biz] Fraud alert

Brent Vrieze bvrieze at cimsoftware.com
Fri Feb 27 16:43:11 CST 2009


Thanks for the heads up.  I just set up a brand new Asterisk system and 
we did not put all the security on.  After reading this we set our 
firewall to accept port 5060 only from our DID provider. 

Now a question.  Do we need to worry about our RTP ports we have open?

Thanks
   Brent

Bill Michaelson wrote:
> I confess.  They hit me too - yesterday.  I had a security hole they 
> could drive a truck through, and they apparently used port 5060 to 
> fish for a local extension they could masquerade as.  Then they 
> started calling out with one of my caller IDs.  Within minutes I was 
> deluged with calls from puzzled people.
>
> After blocking them, I redirected incoming calls to this DID to a 
> recorded explanation and apology.  Then I sent a broadcast to the 281 
> logged out-dial numbers with a similar message.
>
> So, heads up.
>
> FWIW, I was hit by these IPs:
>
> 84.126.205.1
> 78.157.193.103
>
> It would seem that we all might gain from cooperative work here.  
> Also, can we share the FBI contact?  I was going to call the FBI, but 
> figured it would be a waste of time just getting through the 
> bureaucracy to the right person.
>
> I didn't capture the audio.  Did the verbiage contain a spoken return 
> call #?  I was getting responses based on caller ID, and I'm wondering 
> if the perpetrator expected to take return calls via the bogus SIP 
> registration or via another channel.
>
>
> Matt Gibson wrote:
>> Same here, but about 3 months ago. Luckily I was able to stop it after about
>> 30 minutes, but they still got about 100 calls out, I got a lot of calls
>> back from little old ladies wanting to give me their credit card info, scary
>> stuff. 
>>
>>
>>
>>> -----Original Message-----
>>> From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-
>>> bounces at lists.digium.com] On Behalf Of C. Savinovich
>>> Sent: Friday, February 27, 2009 4:18 PM
>>> To: 'Commercial and Business-Oriented Asterisk Discussion'
>>> Subject: Re: [asterisk-biz] Fraud alert
>>>
>>>
>>>   It seems to be the same pattern of people who attacked 3 of my
>>> servers in a 3 week period a couple of weeks ago.  The calls were made
>>> mostly to area codes 252 and 818 and indeed they showed the caller-id of
>>> the phones.  My customer claims he received a call from the FBI saying
>>> that the calls were credit card solicitations.  The point is, whoever is
>>> doing this, is doing this massively.
>>>
>>> CS
>>>
>>> -----Original Message-----
>>> From: asterisk-biz-bounces at lists.digium.com
>>> [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of
>>> voip-asterisk at maximumcrm.com
>>> Sent: Friday, February 27, 2009 4:04 PM
>>> To: Commercial and Business-Oriented Asterisk Discussion
>>> Subject: Re: [asterisk-biz] Fraud alert
>>>
>>>
>>>>> I'd suggest to everyone to ban that IP, it's been scanning our
>>>>> networks from time to time, in a sequential manner by IP.
>>>>
>>>> I've had really good luck with this:
>>>>
>>>> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
>>>>
>>>> Basically, it automatically blackholes via IPtables any host that
>>>> fails a certain number of registration attempts in a given period.
>>>>
>>> Yeah we're actually rolling it out on all of our production servers,
>>> it's a great application to run.
>>>
>>> I'm working on some scripts to propagate the bans to the firewall so
>>> that all of the servers get protected as soon as possible.
>>>
>>>> [default]
>>>> ; Send any unauthenticated calls to the local FBI office
>>>> context=local-fbi-office
>>>>
>>>> I've got a honeypot server that pretty much accepts any calls that
>>>> come through, and plays a "Thank you for calling the Telecommunications
>>>> Fraud hotline. Please stay online for the next available representative."
>>>> If they stay online for more than 20 seconds, it connects them to an
>>>> agent at the FBI that we have been working with.
>>>>
>>>> I've been meaning to add some code in that pulls out the originating
>>>> IP address of the call and tells it to the agent when we call. :)
>>>
>>> That would be great to have!
>>>
>>> _______________________________________________
>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>
>>> asterisk-biz mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>    http://lists.digium.com/mailman/listinfo/asterisk-biz
>>>
>>>
>>
>>
>

-- 
Brent T. Vrieze
CIM Automation
Software Engineer
507-216-0465
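The thread recommends Fail2Ban for blackholing hosts that fail a certain number of SIP registrations in a given period, and Brent's reply describes limiting port 5060 to the DID provider. The script below is an added example written for this page, not code from the original thread, from Fail2Ban, or from the voip-info wiki article it links to. It implements the same sliding-window logic Fail2Ban applies, over Asterisk chan_sip "Registration from ... failed for" NOTICE lines (the 1.4/1.6-era format, with or without a ":port" suffix on the source address), and adds an allowlist so the DID provider's address is never banned by a burst of its own failed registrations. The log lines, the addresses (TEST-NET ranges), the thresholds (5 failures in 10 minutes), the assumed year 2009 for the year-less timestamps, and the iptables DROP rule it emits are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: Asterisk 1.4/1.6-era chan_sip failed-registration NOTICE, e.g.
# [Feb 27 16:00:01] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@h>' failed for '192.0.2.10' - Wrong password
# Later 1.6.x builds append ":port" to the source address, which the regex tolerates.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)


def ban_command(ip):
    """Assumed blackhole rule: drop every packet from the offender (illustrative only)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


class RegistrationFailureMonitor:
    """Fail2Ban-style detector: ban an IP once it accumulates `maxretry` failures within `window`."""

    def __init__(self, maxretry=5, window=timedelta(minutes=10), allowlist=(), year=2009):
        self.maxretry = maxretry
        self.window = window
        self.allowlist = set(allowlist)   # e.g. the DID provider's signalling address
        self.year = year                  # Asterisk log timestamps carry no year; assumed
        self.failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
        self.banned = {}                    # ip -> timestamp of the ban decision

    def parse(self, line):
        """Return (timestamp, ip, user, reason) for a failed-registration line, else None."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"], m["user"], m["reason"]

    def feed(self, line):
        """Feed one log line; return (ip, timestamp, command) when it triggers a ban, else None."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, ip, _user, _reason = parsed
        if ip in self.allowlist or ip in self.banned:
            return None
        recent = self.failures[ip]
        recent.append(ts)
        # Slide the window: forget failures older than `window` relative to this one.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.maxretry:
            self.banned[ip] = ts
            recent.clear()
            return ip, ts, ban_command(ip)
        return None


def scan(lines, **kwargs):
    """Run the monitor over an iterable of log lines; return the list of ban decisions in order."""
    monitor = RegistrationFailureMonitor(**kwargs)
    return [ban for ban in map(monitor.feed, lines) if ban is not None]


def _fail(ts, user, ip, reason):
    # Helper to build constructed sample lines in the assumed format.
    return f"[Feb 27 {ts}] NOTICE[2211] chan_sip.c: Registration from '\"{user}\" <sip:{user}@203.0.113.7>' failed for '{ip}' - {reason}"


# Constructed sample log (not a real capture): a fast extension-guessing scan from 192.0.2.10,
# two stray failures from 192.0.2.20, a burst of failures from the provider 198.51.100.5 (with port),
# and a slow scan from 192.0.2.30 spaced 8 minutes apart, which stays under the window threshold.
SAMPLE_LOG = "\n".join(
    [_fail("16:00:01", "100", "192.0.2.10", "Wrong password"),
     _fail("16:00:02", "101", "192.0.2.10", "No matching peer found"),
     _fail("16:00:02", "102", "192.0.2.10", "No matching peer found"),
     _fail("16:00:03", "103", "192.0.2.10", "No matching peer found"),
     _fail("16:00:03", "104", "192.0.2.10", "Wrong password"),
     _fail("16:00:04", "105", "192.0.2.10", "Wrong password"),
     "[Feb 27 16:01:10] VERBOSE[2211] logger.c:     -- Registered SIP '200' at 203.0.113.9 port 5060",
     _fail("16:02:00", "200", "192.0.2.20", "Wrong password"),
     _fail("16:02:30", "200", "192.0.2.20", "Wrong password")]
    + [_fail(f"16:03:{s:02d}", "trunk", "198.51.100.5:5060", "Wrong password") for s in range(0, 60, 10)]
    + [_fail(f"16:{m:02d}:00", "300", "192.0.2.30", "No matching peer found") for m in (10, 18, 26, 34, 42)]
)

if __name__ == "__main__":
    for ip, ts, cmd in scan(SAMPLE_LOG.splitlines(), allowlist={"198.51.100.5"}):
        print(f"{ts:%H:%M:%S} ban {ip}: {cmd}")
```

Run as-is it bans only 192.0.2.10, at its fifth failure; without the allowlist the provider address would be banned as well, which is the failure mode to guard against when the firewall already admits 5060 only from that provider. The slow scanner 192.0.2.30 never crosses the threshold, so a "sequential manner by IP" scan paced below the window, as described earlier in the thread, needs a longer window or a lower threshold than the defaults assumed here. The script only covers SIP registration failures; it says nothing about the RTP ports asked about above.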
