[asterisk-users] Investigating international calls fraud

Eric Wieling EWieling at nyigc.com
Wed Jan 28 15:23:28 CST 2015 

I’ve seen the following exploits of Asterisk / FreePBX boxes:


1)  Default PlcmSpIp username and password for Polycom provisioning

2)  Insecure SIP usernames and secrets

3)  FreePBX GUI accessable from the internet

4)  OS remote exploit (maybe ssh/ssl exploit)

Mitigation options:

1)  Don’t use an easy to guess or default password on provisioning servers.

2)  Use secure secrets.  Users never enter the secret so we use a 32 char random string of characters for the password

3)  Don’t allow connections to port 80 from off-site.

4)  Make sure your OS and SSH/SSL is updated packages are updated.

Contact your carrier and ask about any possible fraud detection.    Verizon SIP service has that feature.   I don’t think Level 3 has.   Don’t know about CenturyLink.   I also recommend locking down the system very tight with IP tables – only allow whitelisted traffic rather than only blocking blacklisted traffic.

Fraud is a constant issue for everyone.


From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steven McCann
Sent: Wednesday, January 28, 2015 4:03 PM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] Investigating international calls fraud

Hello,

I'm investigating a situation where there was a hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the phone company (CenturyLink in Texas).

Some details:
* PBX is located in Texas
* Phone carrier is CenturyLink
* FreePBX distro running asterisk 1.8.14
* source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin password (argh!). Phone is used by many different people.

More PBX setting details:
* inbound SIP traffic is not allowed through the firewall
* internal network is not accessed by many
* FreePBX web interface

Questions I have at this moment:
1) how were the calls placed? Was the Mitel SIP phone hacked somehow? Asterisk PBX?
2) how does this typically get sorted out with the phone company? they are charging $6.25 per minute for the Texas to Cambodia calls. The phone system owners are at fault, but how have these situations worked out in the past?

I'll be tightening things up, but any feedback is appreciated.

Thanks,
Steve

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20150128/abe777c7/attachment.html>

More information about the asterisk-users mailing list