[asterisk-users] Investigating international calls fraud

Steven McCann steven.r.mccann at gmail.com
Wed Jan 28 15:48:05 CST 2015


The UI (or anything really) is not open to the internet. The only things
open are SSH and RDP (on alternate ports). The FreePBX web interface has a
strong username/password. The only weakness I see is a weak SIP secret
password, and the default Mitel admin password being used. There is no
provisioning server for the Mitel phones right now.

The phone system is on the same subnet/VLAN as the internal network. My
guess is some internal computer has a trojan which allowed attackers to do
some internal configuration changes. I don't yet know how they launched an
outbound call from the internal extension.

On Wed, Jan 28, 2015 at 4:38 PM, Terry Brummell <terry at brummell.net> wrote:

>  You don't mention if the phone is remote or local, although you do
> mention it had a default user/pass.  If the UI of the phone was/is
> accessible from the I'net, the GUI does have the ability to place a call
> from it; that is one way the calls could have been placed.
>
> *From:* asterisk-users-bounces at lists.digium.com [mailto:
> asterisk-users-bounces at lists.digium.com] *On Behalf Of *Steven McCann
> *Sent:* Wednesday, January 28, 2015 4:03 PM
> *To:* asterisk-users at lists.digium.com
> *Subject:* [asterisk-users] Investigating international calls fraud
>
> Hello,
>
> I'm investigating a situation where there were hundreds of minutes of
> calls from an internal SIP extension to an 855 number in Cambodia,
> resulting in a crazy ($25,000+) bill from the phone company. I'm
> investigating, but can anyone provide some feedback on what's happened
> here? I'm investigating how this happened as well as what types of
> arrangements can be made with the phone company (CenturyLink in Texas).
>
> Some details:
>
> * PBX is located in Texas
> * Phone carrier is CenturyLink
> * FreePBX distro running Asterisk 1.8.14
> * source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin
> password (argh!). Phone is used by many different people.
>
> More PBX setting details:
>
> * inbound SIP traffic is not allowed through the firewall
> * internal network is not accessed by many
> * FreePBX web interface
>
> *Questions I have at this moment:*
>
> 1) how were the calls placed? Was the Mitel SIP phone hacked somehow?
> Asterisk PBX?
>
> 2) how does this typically get sorted out with the phone company? They are
> charging $6.25 per minute for the Texas to Cambodia calls. The phone system
> owners are at fault, but how have these situations worked out in the past?
>
> I'll be tightening things up, but any feedback is appreciated.
>
> Thanks,
>
> Steve
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
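The thread above comes down to two investigative questions: which extension and trunk the calls went out on, and how many billable minutes they ran up. Both are answerable from Asterisk's call detail records. The script below is an added example written for this page; it is not code from the list posters or from the FreePBX/Asterisk projects. It parses the 18-column layout that Asterisk's cdr_csv module writes to Master.csv (FreePBX also keeps CDRs in its MySQL database, with the same fields), normalises dialled numbers so that "011855...", "00855..." and "+855..." all map to country code 855, rolls up answered seconds per (source extension, destination country) with carrier-style per-call rounding up to the next minute, and counts calls that started on a weekend or outside 07:00-19:00, since toll-fraud runs usually happen when nobody is at the desk. The sample CDR lines, the tiny country-code table, the business-hours window and the $6.25/min rate (the rate is the one quoted in the thread) are all constructed for the example and labelled as such in the code.

```python
"""Triage Asterisk CDRs for international toll fraud.

Added example for the thread above, not code from the list posters or the
FreePBX/Asterisk projects.  It consumes the cdr_csv Master.csv layout
(18 double-quoted columns, no header row) and rolls up answered time per
(source extension, destination country), so a pattern like "one extension,
hundreds of minutes to +855, all at night" is visible at a glance.
"""
import csv
import io
import math
from collections import defaultdict
from datetime import datetime

# Column order written by Asterisk's cdr_csv module (Master.csv).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Deliberately tiny country-code table (longest prefix wins); extend for real use.
COUNTRY_CODES = {"1": "NANP (US/CA)", "44": "United Kingdom", "855": "Cambodia"}

# Constructed sample records (not from the poster's PBX): extension 201 dials a
# Cambodian number three times at night/over a weekend, plus two domestic calls.
SAMPLE_CDR = '''\
"","201","011855123456789","from-internal","""Shared Desk"" <201>","SIP/201-00000a1f","SIP/centurylink-00000a20","Dial","SIP/centurylink/011855123456789,300,T","2015-01-24 02:11:03","2015-01-24 02:11:09","2015-01-24 03:05:41","3278","3272","ANSWERED","3","1422065463.2591",""
"","201","011855123456789","from-internal","""Shared Desk"" <201>","SIP/201-00000a22","SIP/centurylink-00000a23","Dial","SIP/centurylink/011855123456789,300,T","2015-01-25 03:40:10","2015-01-25 03:40:15","2015-01-25 05:10:25","5415","5410","ANSWERED","3","1422157210.2644",""
"","201","+855129988777","from-internal","""Shared Desk"" <201>","SIP/201-00000a28","SIP/centurylink-00000a29","Dial","SIP/centurylink/011855129988777,300,T","2015-01-26 01:02:00","","2015-01-26 01:02:45","45","0","NO ANSWER","3","1422234120.2680",""
"","105","15125551212","from-internal","""Front Desk"" <105>","SIP/105-00000a30","SIP/centurylink-00000a31","Dial","SIP/centurylink/15125551212,300,T","2015-01-26 10:15:00","2015-01-26 10:15:08","2015-01-26 10:17:13","133","125","ANSWERED","3","1422267300.2702",""
"","201","5125550100","from-internal","""Shared Desk"" <201>","SIP/201-00000a36","SIP/centurylink-00000a37","Dial","SIP/centurylink/15125550100,300,T","2015-01-26 14:00:00","2015-01-26 14:00:05","2015-01-26 14:01:05","65","60","ANSWERED","3","1422280800.2731",""
'''


def to_e164_digits(dst: str) -> str:
    """Strip trunk prefixes so '011855...', '00855...' and '+855...' all become '855...'.
    Assumption: the PBX is in the US, so a bare 10-digit number is domestic NANP."""
    digits = "".join(ch for ch in dst if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        return digits[1:]
    for prefix in ("011", "00"):
        if digits.startswith(prefix):
            return digits[len(prefix):]
    return "1" + digits if len(digits) == 10 else digits


def country_of(dst: str) -> str:
    """Longest-prefix match of the normalised number against COUNTRY_CODES."""
    number = to_e164_digits(dst)
    for length in (3, 2, 1):
        name = COUNTRY_CODES.get(number[:length])
        if name:
            return name
    return "unknown"


def parse_cdr(text: str) -> list:
    """Read cdr_csv records; csv handles the doubled quotes inside the clid field."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=CDR_FIELDS)
    return [r for r in rows if r["dst"]]


def is_off_hours(start: str) -> bool:
    """Weekend or outside 07:00-19:00 PBX-local time (window is an assumption)."""
    t = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return t.weekday() >= 5 or t.hour < 7 or t.hour >= 19


def summarize(records, rates):
    """Aggregate per (src, country). rates maps country -> USD per minute; cost
    rounds each answered call up to the next whole minute, as carriers bill."""
    summary = defaultdict(lambda: {"attempts": 0, "answered": 0, "billsec": 0,
                                   "billed_minutes": 0, "off_hours": 0, "cost": 0.0})
    for rec in records:
        country = country_of(rec["dst"])
        s = summary[(rec["src"], country)]
        s["attempts"] += 1
        s["off_hours"] += int(is_off_hours(rec["start"]))
        if rec["disposition"] == "ANSWERED":
            billsec = int(rec["billsec"])  # billsec excludes ring time; duration includes it
            s["answered"] += 1
            s["billsec"] += billsec
            s["billed_minutes"] += math.ceil(billsec / 60)
        s["cost"] = round(s["billed_minutes"] * rates.get(country, 0.0), 2)
    return dict(summary)


def flag_fraud(summary, allowed_countries) -> list:
    """Return (src, country) keys that reached a country outside the allow-list."""
    return sorted(key for key in summary if key[1] not in allowed_countries)


if __name__ == "__main__":
    records = parse_cdr(SAMPLE_CDR)
    totals = summarize(records, {"Cambodia": 6.25})  # rate quoted in the thread
    for key in flag_fraud(totals, {"NANP (US/CA)"}):
        print(key, totals[key])
```

To use it on a live system, read `/var/log/asterisk/cdr-csv/Master.csv` in place of SAMPLE_CDR and fill in the country table and your carrier's rates. The `channel` column (`SIP/201-...`) names the SIP peer whose credentials were used, which is the first thing to check against the "weak SIP secret" theory: `sip show peer 201` on the Asterisk CLI shows the address the extension is currently registered from, and the `uniqueid` ties each record to the corresponding call in `/var/log/asterisk/full`, so a registration from an unexpected address, or a second registration racing the real phone, can be separated from calls that genuinely came from the handset on the LAN.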