[asterisk-users] PBX hacked: why hundred of calls to the same number ?

Rainer Piper rainer.piper at soho-piper.de
Thu Oct 2 00:52:34 CDT 2014


On 01.10.2014 at 18:19, Markus wrote:
> On 01.10.2014 11:40, Olivier wrote:
>> Some special numbers generate here and there revenues for callees (and
>> not for callers).
>
> Not just some, but ALL numbers generate revenue for the receiving 
> telecom. (Ok ok, a few exceptions, in the US for example)
>
> This is how telecoms have been earning money, ever have been and will 
> for a while longer until interconnection fees for incoming traffic 
> will be dropped completely, it's a work in progress, especially in the 
> EU. (Unfortunately)
>
> There are 2 schemes:
>
> 1) Not so popular, but it's on the rise in the last 1-2 years: get 
> landline numbers in country xyz, strike a deal with the telco that 
> owns these numbers so that they'll pass a bit of their revenue on to 
> you, and find a way to call yourself for free or at a lower rate than 
> these numbers pay (= abuse your unlimited subscriber plan). The 
> revenue is usually in the area of 0.00x or even 0.000x per minute, 
> depending on the country.
>
> 2) Just google International Premium Numbers, or short, IPRN. It's a 
> whole world of its own. Revenue is much higher. These are not "real" 
> numbers and they never have full worldwide connectivity. So the 
> fraudster has 2 tasks: 1) find a carrier through which he can reach 
> these numbers and 2) find a way to call these numbers at a lower rate 
> than they pay out. 2) is usually accomplished by hacking PBXes (= free 
> calls), fraudulent apps etc. There are tons of stories of abuse 
> regarding IPRN out on the web, just research a bit (quite interesting 
> actually).
>
> Some technical background information on 1) How does it work? Where 
> does the revenue come from you might wonder? First to be said, it can 
> never work without a fraudulent telecom operator that is part of the 
> scheme.
>
> Imagine you are calling from France to Latvia. Let's say the call 
> passes France, Switzerland, Czech Republic and then goes to Latvia. 
> Each carrier on the path passes the call on to the next carrier. Now, 
> let's say the carrier in the Czech Republic is the evil one. The call 
> comes in, and they simply say: well, this Latvian number that you just 
> called belongs to us, we terminate the call here and pick it up. 
> Billing time starts. Now, they charge the Swiss telco for the incoming 
> call to Latvia, of course. And the Swiss telco charges the French 
> telecom. The French telecom charges their subscriber (e.g. hacked 
> PBX). The call never makes it to Latvia!
>
> Now, the Czech Republic telco works together with an IPRN provider (or 
> they run an evil IPRN service by themselves kind of anonymously). They 
> pass a bit of the money they get from the Swiss telecom on to the IPRN 
> "owner" (the fraudster) and keep the remaining money for themselves. 
> Easy money! This is why IPRNs don't have worldwide connectivity and 
> can usually never get called from within a country (path is too short, 
> no fraudulent telecom in between). They can even be real numbers that 
> belong to someone, in this case, in Latvia, it doesn't matter. All you 
> need to be is an evil telco where calls transit through and you have 
> it.
>
> How much do you pay to your normal landline telco for a call to 
> Latvia? To a Latvian mobile number? Let it be 0.25 EUR per minute. 
> That's what the subscriber pays, the Swiss telecom gets 0.22 of that, 
> the Czech telco 0.20 and the fraudster 0.11. Just an example - margins 
> are always high with IPRNs. Now you can simply do the same not with 
> Latvia but with faaar away countries, islands (!) where calling to is 
> even more expensive and your margins will go waaay up.
>
> Just to be clear: it's totally legit to earn money on incoming calls, 
> this is the main income source for telcos all over the world. But 
> abusing your unlimited plan and running IPRNs is not "that" legit I'd 
> say. :)
>
>
>> Beside sharing interests with the callee that get those revenues, why
>> a hacker would like to dial the same numbers over and over ?
>
> I don't see another reason.
>
>
>> In other words, in this case, is looking at callee number a promising
>> path to find hackers ?
>
> Not in my experience. Since the fraudulent telcos work together with 
> the IPRN "owners" you won't succeed. Must be a large-scale fraud 
> scheme with millions of EURs lost for some authority to investigate 
> properly. Plus, the IPRN owners even can get paid via Western Union 
> etc. from the IPRN service, so all they need is a stolen/fake 
> passport... so you are not left with much except maybe their IP 
> address which, of course, if they are not totally dumb, isn't theirs. 
> Gotta get in touch with some law enforcement agency and then catch 
> them when they pick up the money at the Western Union counter.
>
> I should write a book about that. :P
>
> Cheers
> Markus
>
>
Is the destination Number like Country Code +972?

+972 59 xxxxxx(x) mobile - Jawall [moving to 7-digit subscriber numbers]

source - http://www.wtng.info/wtng-972-il.html

My SIP Proxy logs all the unauth. INVITEs and I found that a lot of calls 
go to the country code +972 xxxxxxxxxxx

This is my log from this morning:
Oct 2 07:32:15 server /sbin/kamailio[29866]: NOTICE: <script>: blocking IP 69.30.254.234 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597613940

-- 
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer at xmpp.soho-piper.de
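
Added example (not part of the original post, and not the poster's or Kamailio's own code): a Python script that tallies blocked INVITEs of the form shown in the log line above by dialled destination, so repeated calls to one country code stand out. The sample log lines, the watch list and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Field layout copied from the one Kamailio line quoted in the post:
#   blocking IP <ip> <user-agent> rm=<method> aU=<auth user> rU=<dialled user>
# Assumption: the user-agent contains no spaces, as in that line.
LINE_RE = re.compile(
    r"blocking\s+IP\s+(?P<ip>\S+)\s+(?P<ua>\S+)\s+rm=(?P<method>\S+)"
    r"\s+aU=(?P<auth>\S+)\s+rU=(?P<ruser>\S+)"
)

def normalize(number, intl_prefixes=("00", "+")):
    """Strip the international prefix; None if not an international number."""
    for prefix in intl_prefixes:
        rest = number[len(prefix):]
        if number.startswith(prefix) and rest.isdigit():
            return rest
    return None

def summarize(lines, watch_codes=("972",), min_hits=3):
    """Count blocked INVITEs per destination and flag repeated watched ones.
    watch_codes and min_hits are hypothetical tuning values for this example."""
    hits, sources, agents = Counter(), defaultdict(set), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["method"] != "INVITE":
            continue  # unrelated log line or a non-call request
        digits = normalize(m["ruser"])
        if digits is None:
            continue  # local extension probe, not an international call
        hits[digits] += 1
        sources[digits].add(m["ip"])
        agents[m["ua"]] += 1
    flagged = {
        d: {"hits": n, "sources": sorted(sources[d])}
        for d, n in hits.items()
        if n >= min_hits and d.startswith(tuple(watch_codes))
    }
    return {"flagged": flagged, "agents": dict(agents)}

# Constructed sample log (documentation IP ranges, dummy subscriber digits).
PREFIX = "Oct 2 07:32:15 server /sbin/kamailio[29866]: NOTICE: <script>: "
SAMPLE = [PREFIX + s for s in (
    "blocking IP 192.0.2.10 sipcli/v1.8 rm=INVITE aU=<null> rU=00972590000001",
    "blocking IP 192.0.2.10 sipcli/v1.8 rm=INVITE aU=<null> rU=00972590000001",
    "blocking IP 198.51.100.7 sipcli/v1.8 rm=INVITE aU=<null> rU=00972590000001",
    "blocking IP 198.51.100.7 exampleUA/1.0 rm=INVITE aU=<null> rU=+4922800000000",
    "blocking IP 192.0.2.10 sipcli/v1.8 rm=OPTIONS aU=<null> rU=100",
    "tm module: timer tick",
)]
```

The flagged destinations and their source addresses are candidates for an outbound dial-plan deny rule and for cross-checking against the PBX's own call records.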