[asterisk-users] Investigating international calls fraud

[Dave Platt]

> Hmm the calls are made during the day (and sometimes very early in the
> morning). Right now it looks like someone actually made these calls. If
> that is the case it's somewhat comforting to know the system wasn't
> compromised. However, the $25,000 phone bill still remains. Yikes. $6.25
> per minute to Cambodia seems quite steep to me.

Since the Mitel had a default admin password, it seems possible that
somebody accessed its UI over the network, and then accessed and
copied its SIP credentials for your Asterisk server.

If that's the case, the calls might not have been placed through
the phone.  The miscreant could have configured the purloined
credentials into another hardphone, or a softphone app on any
PC or tablet or cellphone which was able to access your LAN.
The "cloned" phone would not have needed to actually register
with Asterisk... it could simply have send an INVITE to place
a call, and Asterisk would have challenged it and then accepted
the credentials.

If your CDR log shows IP addresses for each call, you might be
able to compare these with your DHCP (or whatever) IP registration
service, and see if the calls actually came through the phone or
not.  If not you might be able to identify the device which initiated
the calls.

The bad news is, I suspect that you're probably "on the hook" for
the cost of the calls.  In the case of an "inside job" it's often
hard to legitimately "disavow" the charges.  You may have to pay
the bill and then (if you can identify whomever placed the
unauthorized calls) attempt to recover the cost from him/her
in court.  This sort of misused by an insider might be
"theft by conversion".