A question about some international calling fraud to Eritrea

Hey all,

I will try to explain this the best I can.

We got a call from one of our long distance carriers today telling us that we had a spike of long distance international calls going through their switch. These calls were to Africa and the country name is Eritrea.

The originating number is a customer of ours. The trick is that this customer uses resold ILEC POTS lines that have their long distance calls PIC'd to the carrier who called to warn us about the spike of odd call traffic.

This customer of ours happens to be a large agency in NH who has the ability to look at CDRs directly from the 5ESS in Concord, NH. A rather special situation to say the least.

They can state, with quite a bit of assurance, that these calls were not generated from their PBX/network as they cannot see any records for them.

Also, as I checked earlier, these calls did not go through any of my switches/Asterisk servers.

So the customer and I are left wondering how these calls managed to get to this long distance carrier who warned us about the spike. The calls came into this long distance carrier from the Manchester, NH Fairpoint tandem.

Naturally we will try to contact Fairpoint for assistance but I am not very hopeful at this point they will be much help.

The long distance carrier who warned us tends to think that the calls were generated by our customer who has something SIP/PBX insecure but when the customer has a link to look at CDR records right from the 5ESS he is rather sure that is not the case.

I am trying to figure out creative ways this fraud can be happening if the customer is not at fault. One way is for a person who owns/operates a full-blown switch to generate this type of fraud but it does seem unlikely.

Any suggestions what I should be asking the long distance carrier who warned us about this?

Any suggestions on how this type of fraud can be committed without the customer being the cause?

Should I be grilling our customer one more time stating that since the originating number was theirs AND that it was PIC'd to the right long distance carrier... it is hard to imagine that someone could duplicate this fraud that easily?

Thank you for your time. I hope I was clear enough to give you an idea of what is going on.

matt at g4.net

Can Fairpoint take the originating trunk group information and date from the LD carrier and correlate them in their CABS records to determine the originating trunk group / line?

-Paul

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

On Fri, 16 Apr 2010, Paul Timmins wrote:

> Can Fairpoint take the originating trunk group information and date from the LD carrier and correlate them in their CABS records to determine the originating trunk group / line?

That is exactly what we plan to do as the next step. We are asking our long distance carrier for more information. As in the raw CDRs and a bit of assistance from them on what value the trunk number matches up to their circuits from Fairpoint, etc...

I am not sure if any of you have worked with Fairpoint since they bought out some of Verizon but it is not very much fun to say the least. An ILEC is a beast to begin with but then add in a buyout that did not go very smoothly... sigh.

Thanks Paul for the advice.

matt at G4.net

Most carriers should have a call analyzing software that they use for finding calls. Empirix Hammer, Agilent etc. We use them for putting together situations like these.

I seem to recall a method of manipulating a call like this by having a number on the originating switch forward its incoming calls to another number that can deliver a dial tone and pass the calls through that way. something like that.....

do you have a calling pattern that you are able to share? I might be interested to scan it past my switches to see if anything is going on as well.

> Any suggestions what I should be asking the long distance carrier who
> warned us about this?

I would be asking for any call details they may be able to give you, call times etc. they may or may not share, it may be proprietary for them.

thanks,
joel

> I seem to recall a method of manipulating a call like this by having a number on the originating switch forward its incoming calls to another number that can deliver a dial tone and pass the calls through that way. something like that.....

DISA or voice portal dialing compromise possibly but you should still see the call origination.

Here is an update all on this problem.

It was the customer and the person in charge stated this:

"We were able to locate some of the calls on the 5ESS SMDR feed. There was a problem with the feed dropping the country code. The calls did flow through the Concord 5ESS."

Thank you for all the comments. I have to admit in this situation the customer was the likely problem but it was a fun mental exercise to see if I/we could come up with a reasonable idea of how it could be done without them being the cause.

matt at g4.net

On Mon, 19 Apr 2010, Dawson, Robert wrote:

>> I seem to recall a method of manipulating a call like this by having a number on the originating switch forward its incoming calls to another number that can deliver a dial tone and pass the calls through that way. something like that.....
>
> DISA or voice portal dialing compromise possibly but you should still see the call origination.
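The final update in this thread traces the "missing" calls to an SMDR feed that dropped the country code, which is why a lookup on the full dialed number found nothing. The Python sketch below is an added example, not part of the original thread: it correlates carrier CDRs with local SMDR records by calling number and start time, and accepts a suffix match on the called number. The record layout, field names, sample numbers, the 120-second window and the 6-digit minimum are all assumptions.

```python
from datetime import datetime, timedelta

INTL_PREFIX = "011"              # North American international dialing prefix
MIN_SUFFIX = 6                   # assumption: shorter digit strings are too ambiguous
WINDOW = timedelta(seconds=120)  # assumption: tolerated clock skew between feeds


def digits(number):
    """Digits only, with a leading 011 removed."""
    d = "".join(ch for ch in number if ch.isdigit())
    return d[len(INTL_PREFIX):] if d.startswith(INTL_PREFIX) else d


def called_match(carrier_called, local_called):
    """Return 'exact', 'suffix' (local record lost leading digits such as
    the country code) or None."""
    c, l = digits(carrier_called), digits(local_called)
    if c == l:
        return "exact"
    if len(l) >= MIN_SUFFIX and c.endswith(l):
        return "suffix"
    return None


def correlate(carrier_cdrs, local_records):
    """Pair each carrier CDR with at most one local record.
    Returns {carrier CDR id: 'exact' | 'suffix' | 'unmatched'}."""
    used, status = set(), {}
    for cdr in carrier_cdrs:
        candidates = []
        for i, rec in enumerate(local_records):
            if i in used or digits(rec["calling"]) != digits(cdr["calling"]):
                continue
            skew = abs(rec["start"] - cdr["start"])
            kind = called_match(cdr["called"], rec["called"])
            if kind and skew <= WINDOW:
                # Sort key: exact matches first, then smallest time difference.
                candidates.append((kind != "exact", skew, i, kind))
        if candidates:
            _, _, i, kind = min(candidates)
            used.add(i)
            status[cdr["id"]] = kind
        else:
            status[cdr["id"]] = "unmatched"
    return status


def t(hms):
    """Timestamp on a constructed sample date."""
    return datetime.strptime("2010-04-15 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample records; all numbers and times are fictitious.
# 291 is Eritrea's country code.
CARRIER_CDRS = [
    {"id": "c1", "calling": "6035550100", "called": "0112911000001", "start": t("02:14:05")},
    {"id": "c2", "calling": "6035550100", "called": "0112911000002", "start": t("02:19:40")},
    {"id": "c3", "calling": "6035550100", "called": "0112911000003", "start": t("02:31:12")},
]
LOCAL_SMDR = [
    {"calling": "603-555-0100", "called": "0111000001", "start": t("02:14:02")},   # country code lost
    {"calling": "603-555-0100", "called": "1000002", "start": t("02:19:41")},      # prefix lost as well
    {"calling": "603-555-0100", "called": "16175550123", "start": t("02:31:10")},  # unrelated domestic call
]

if __name__ == "__main__":
    for cdr_id, result in correlate(CARRIER_CDRS, LOCAL_SMDR).items():
        print(cdr_id, result)
```

A `suffix` result points at a feed that truncates dialed digits rather than at calls that bypassed the switch; only `unmatched` records are left for the trunk-group correlation Paul suggested.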