[asterisk-users] Investigating international calls fraud

Michelle Dupuis mdupuis at ocg.ca
Wed Jan 28 16:30:02 CST 2015

Do you have DISA setup?  We're seeing lots of attackers running scripts that send digits until they strike a DISA, misconfigured mailbox, etc.  (Assuming it wasn't a stupid employee forwarding an inbound call to a 9xxxxxxx number etc).

Have a look at SecAst (www.generationd.com) - it detects callers sending too many digits, monitors digit dialing speeds, etc. to help identify and block these types of attacks.  The free version is better than nothing (but if you've already suffered one $25k attack then you probably don't mind spending a bit of money).  Or have a look at http://www.voip-info.org/wiki/view/Asterisk+security for other ideas.

There were some (at least one) critical FreePBX weaknesses discovered this summer (you'll find them if you google).  Even if you don't expose the management interface to the internet, don't trust FreePBX security alone.


My opinions expressed are my own and do not necessarily reflect those of my employer.  However, as an employee of Generation D Systems my opinions are probably biased.

From: asterisk-users-bounces at lists.digium.com <asterisk-users-bounces at lists.digium.com> on behalf of Administrator TOOTAI <admin at tootai.net>
Sent: Wednesday, January 28, 2015 5:07 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Investigating international calls fraud

Le 28/01/2015 22:03, Steven McCann a écrit :
> Hello,


> I'm investigating a situation where there was a hundreds of minutes of
> calls from an internal SIP extension to an 855 number in Cambodia,
> resulting in a crazy ($25,000+) bill from the phone company. I'm
> investigating, but can anyone provide some feedback on what's happened
> here? I'm investigating how this happened as well as what types of
> arrangements can be made with the phone company (CenturyLink in Texas).
> Some details:
> * PBX is located in Texas
> * Phone carrier is CenturyLink
> * FreePBX distro running asterisk 1.8.14
> * source SIP extension is Mitel 5212, firmware, default
> admin password (argh!). Phone is used by many different people.
> More PBX setting details:
> * inbound SIP traffic is not allowed through the firewall
> * internal network is not accessed by many
> * FreePBX web interface
> *Questions I have at this moment:*
> 1) how were the calls placed? Was the Mitel SIP phone hacked somehow?
> Asterisk PBX?

Check your logs. In the full log with verbosity 3 you can follow how
calls were treated. Also the CDR should give you informations like the
extension(s) who placed those calls



-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:

More information about the asterisk-users mailing list