
I am new to your site. I was looking in the Archives and saw in November 2013 there were some of you who experienced fraud. We had an Avaya IP Office customer's system that got hit pretty bad. The customer is treating the fraudulent calls like credit card fraud and not taking any responsibility. Does anyone have any advice on how to persuade the customer to take this issue seriously? His bill was racked up pretty good. Strangely and coincidentally, Avaya came out with a security bulletin at the end of December 2013 on this same issue. I tried to contact Avaya with no response. It seems as though someone has built a sniffer for the Avaya IP Offices and is gleaning their registrations.


That actually works out great for you.
There is a federal law that limits credit card customer fraud liability to $50.
Go to court. There is no federal law that limits phone customer fraud. If you don't have such a clause in your contract, you can't lose the case. The customer may walk, but that might work out in your favor.
David

Did you reach out to your upstream provider who you sent the calls to and ask what they can do for you? See if they will forgive the bill since they were obviously fraudulent? Then do the same for your customer?
Have you offered the customer to cut his bill in half for the calls since you probably mark them up 100%? In other words give him your exact cost and see if that helps the situation?
matt at g4.net

The PBX was hacked, originating calls to expensive int'l destinations - presumably, a case of revenue share fraud.
Have you considered smart tools that monitor revenue share fraud accurately? Some of them can flag fraud by identifying unusual calling patterns - in near real-time. It's like the credit card industry that shuts down the credit if it suspects unusual purchases.
Hope that helps.

In most cases you will lose this customer. They don't see this as their responsibility (i.e. the credit card fraud defense) but the reality is their equipment was compromised due to their negligence.
If the customer is reasonable offer them your cost on the damages so it's just a passthrough. Otherwise you can take them to court or just send them to collections.
BTW while many will advocate fraud detection and mitigation systems here, it's been my experience (we wrote our own fraud system that out-performs our upstream carriers by hours) that if you detect fraud on a customer like this, and shut it down in minutes, and mitigate what could have been thousands of dollars in damage due to their mis-configured systems, reducing it to just tens or hundreds, they will often still fight that amount and deny responsibility. The fraud system protects you, and by extension the customer, but the customers don't see it that way.
-Ryan

Maybe I am missing something here but why does the carrier that delivers the fraudulent traffic to the Telco that's in on the fraud pay the Telco that's in on the fraud for the calls that are delivered to their network? Seems pretty simple, if you cut off their revenue stream they won't have a reason to continue.
I guess we all know there is no incentive for them to stop this practice because it's a big cash cow for everyone except for the poor end user who is left holding the bag.
Our default dial plan won't let you dial these destinations so we don't have a real issue with this abusive traffic. Most of our customers who use international go with one of our filtered dial plans that let them dial most of the world except for known fraudulent and high toll rate destinations.
Richey

On Mon, 24 Feb 2014, My List Account wrote:
> Maybe I am missing something here but why does the carrier that delivers the fraudulent traffic to the Telco that's in on the fraud pay the Telco that's in on the fraud for the calls that are delivered to their network? Seems pretty simple, if you cut off their revenue stream they won't have a reason to continue.
I would also like to add into this question: I realize it can be very difficult to track down the hacker generating these SIP calls from stolen credentials because they can hide behind TOR or other proxies... (Somehow I doubt they all do. Some are probably terribly stupid and doing it from their home internet connection). But where the calls are going can be tracked right to the switch that has the CDN on it. Thus you have the owners of the numbers nailed down as well as the telephone company providing the service. Why are they not grilled as to why hackers are generating calls to their numbers and if determined to be part of the fraud arrested and taken to court? Is it because these telephone companies are in countries where corruption is rampant and they are greasing the right palms to stay out of trouble?
matt

That is what our experience has been. The call origination IP is in countries where the Abuse email isn't even monitored. We have had reports to the FBI, our upstream carriers, but no luck getting anywhere with these investigations.

Most of the countries that are generating the fraud are so corrupt that the only way you'll see justice is by sending in a team of Navy Seals.
David Thompson
Network Services Support Technician
(O) 858.357.8794 (F) 858-225-1882 (E) dthompson at esi-estech.com (W) www.esi-estech.com

On 2/24/14 10:48 AM, My List Account wrote:
> Maybe I am missing something here but why does the carrier that delivers the fraudulent traffic to the Telco that's in on the fraud pay the Telco that's in on the fraud for the calls that are delivered to their network? Seems pretty simple, if you cut off their revenue stream they won't have a reason to continue.
The telco that terminates the high rate calls is making money on them, the carrier that is next-in-line makes money, and there are sufficient non-fraudulent calls to that carrier that refusing to complete the calls isn't possible without impacting legitimate service. This is similar to the 900/976 arrangement in the US a few years back.
Assume that the fraudulent "information service" gets paid the equivalent of 50 US cents per minute. The national telco which may or may not be in on the deal gets another 50 cents. Big international rate deck for million-minute delivery might be $1.25 and you might pay $1.50 and bill your customers $2.00. Your customer's PBX gets owned, and racks up 5000 minutes for a bill of $10K. Everyone upstream wants their bite of the apple, none of them is responsible for making the calls, or at least can't be proven to be. If you're a really nice guy and knock the bill down to the $7500 that it costs you, your customer still thinks you're the bad guy.
> I guess we all know there is no incentive for them to stop this practice because it's a big cash cow for everyone except for the poor end user who is left holding the bag.
Precisely, but it's the end user who left the barn door open. Nobody in the revenue stream forced your customer to enable offsite international forwarding and set the DTMF voice portal password to 1234.
> Our default dial plan won't let you dial these destinations so we don't have a real issue with this abusive traffic. Most of our customers who use international go with one of our filtered dial plans that let them dial most of the world except for known fraudulent and high toll rate destinations.
And/or require verified auth codes and disable offsite forwarding, rate limit, put in monitoring and alerting/shutdown, and spend a lot of time, effort, and money protecting your customers from themselves. But, just as ISP customers want the whole Internet without filtering, most voice customers don't want "The Phone Company" telling them where they're allowed to call. Until they get the bill. Then they care.
And if you do put in an alerting system, there's this dilemma: "My pager just went off at 4:00 AM Sunday morning - do I call the CEO of my biggest customer and ask if they are deliberately placing 50 simultaneous calls to Somalia, shut the trunk down, or just send them the bill and hope they pay it?"
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

I've said it before and I'll say it again:
We stopped 95-98% of the losses on this sort of thing for a large customer who was losing thousands of dollars per day on it, by implementing the following approach:
Every trunk group gets a 'high-cost channel limit', which is the X number of simultaneous calls that they are allowed to make to destinations that cost over $Y/min. The limit was typically something like $0.10, so as to exclude domestic US traffic, but certainly catch Somalia and Globalstar. Both X and Y are configurable on a per-trunk group basis, so customers who have a legitimate need for 50 concurrent calls to Dakar can do that. For most typical domestic users, the limit was set to something like $0.10 and 2 channels.
When this limit was tripped, typically due to a compromised PBX with some extension password of 1234, the following things happen:
(1) All existing calls are terminated;
(2) An alert e-mail is sent out to the customer and to the NOC;
(3) Customer is downgraded to a termination rate plan that only allows for domestic calling. That way, they're not totally cut off from calling and, in all but the most unusual scenarios, not exceptionally angry. There is no reason to cut them off entirely. That's a false dichotomy. Downgrade them to a restricted calling plan.
The thinking was that (a) there's only so much exposure that two simultaneous calls to rural Chad can create; (b) almost any typical attack pattern relies on lighting up as many calls as possible in the shortest period of time, since they know they'll get cut off soon. So, almost any exploit is going to trip the wire, and do so quickly.
These assumptions proved correct, and the losses virtually disappeared.
Today, this fraud protection feature is integrated into the trunking platform that we sell. In our experience, it works very well.
--
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave Suite 106 Decatur, GA 30030 United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/

Hi Alex,
good approach. one comment though: low-grade fraud traffic to audio text destinations will go undetected, and over time, it can accumulate more fraud losses than those who try to burst, get caught, and shut down immediately.
thanks,
dd.
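A sketch of the per-trunk-group high-cost channel limit Alex describes, extended with a daily high-cost spend cap aimed at the low-and-slow traffic dd points out. This is an added example, not code from any poster or from the trunking platform mentioned in the thread. The rate deck, phone numbers, class and method names, the $25 budget, and treating "+1 at or below $Y/min" as domestic are all assumptions.

```python
"""High-cost channel limit per trunk group, plus a daily spend cap for slow fraud."""
from dataclasses import dataclass, field

# Constructed rate deck: E.164 prefix -> cost in USD/min (sample values, not real rates).
RATE_DECK = {"1": 0.01, "44": 0.02, "235": 0.55, "252": 0.65, "8818": 1.80}


def rate_for(number, deck=RATE_DECK):
    """Longest-prefix match of a dialed number against the rate deck."""
    digits = number.lstrip("+")
    for n in range(len(digits), 0, -1):
        if digits[:n] in deck:
            return deck[digits[:n]]
    return None  # unrated destination; treated as high-cost below


@dataclass
class TrunkGroup:
    name: str
    max_high_cost_calls: int = 2          # X: simultaneous high-cost calls allowed
    high_cost_rate: float = 0.10          # Y: USD/min above which a call is high-cost
    daily_high_cost_budget: float = 25.0  # assumption: cap that catches slow trickles
    restricted: bool = False              # True once downgraded to domestic-only
    active: dict = field(default_factory=dict)  # call_id -> (rate, is_high_cost)
    high_cost_spend: float = 0.0
    alerts: list = field(default_factory=list)

    def admit(self, call_id, number):
        """Return True if the call may be set up, False if it is refused."""
        rate = rate_for(number)
        high = rate is None or rate > self.high_cost_rate
        domestic = number.lstrip("+").startswith("1") and not high
        if self.restricted and not domestic:
            return False  # downgraded plan: domestic calls only
        if high:
            in_use = sum(1 for _, is_high in self.active.values() if is_high)
            if in_use >= self.max_high_cost_calls:
                self._trip(f"high-cost channel limit exceeded by {number}")
                return False
        self.active[call_id] = (rate, high)
        return True

    def hangup(self, call_id, minutes):
        """Close a call and charge its minutes against the high-cost budget."""
        rate, high = self.active.pop(call_id, (None, False))
        if high and rate is not None:
            self.high_cost_spend += rate * minutes
            over = self.high_cost_spend > self.daily_high_cost_budget
            if over and not self.restricted:
                self._trip(f"daily high-cost budget exceeded (${self.high_cost_spend:.2f})")

    def new_day(self):
        """Reset the spend counter; the downgrade stays until an operator lifts it."""
        self.high_cost_spend = 0.0

    def _trip(self, reason):
        dropped = sorted(self.active)      # (1) terminate all existing calls
        self.active.clear()
        self.alerts.append(                # (2) alert for the customer and the NOC
            {"trunk": self.name, "reason": reason, "dropped": dropped})
        self.restricted = True             # (3) downgrade to the domestic-only plan
        return dropped


def demo():
    """Replay two constructed scenarios: a burst and a low-and-slow trickle."""
    burst = TrunkGroup("acme-pbx")
    burst.admit("c0", "+14045550100")      # ordinary domestic call in progress
    results = [burst.admit(f"c{i}", "+25261555010" + str(i)) for i in range(1, 4)]
    slow = TrunkGroup("slow-pbx")
    for i in range(5):                     # one 10-minute high-cost call at a time
        if slow.admit(f"s{i}", "+23566555010" + str(i)):
            slow.hangup(f"s{i}", 10)
    return burst, results, slow


if __name__ == "__main__":
    for trunk in (demo()[0], demo()[2]):
        print(trunk.name, trunk.restricted, trunk.alerts)
```

In the trickle scenario the channel limit never fires because only one high-cost call is up at a time; the downgrade comes from the spend cap when the fifth call closes.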