
A company we work closely with, but is not our customer, had their Cisco Call Manager hacked due to some h.323 vulnerability that I don't have full details on yet. There were a number of calls placed to:
881835211540 881835211556 881835211547
My findings indicate these are Globalstar satellite numbers that cost somewhere between $4 and $7/minute to call, depending on carrier. The victim's carrier is billing them at $6.50. The total bill for the event is around $13k. This is a small company that can't really afford this. I am not an interested party in the sense that it wasn't on our network, but it's a company we work with a lot and want to help. I also want to learn from this to potentially protect our own network.
Some questions...
1. What is the scam here? The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose. Many of the calls were concurrent. It all happened in the span of just a few hours.
2. Anyone experienced the same thing with those numbers or similar numbers?
3. About a year ago I attended an FBI presentation on VoIP fraud and there was a VoIP specialist who gave his contact info, but I can't find it. What is the best way for this company to report this crime?
-- Carlos Alvarez TelEvolve 602-889-3003
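The pattern described in this post (a burst of concurrent calls to 881-prefixed satellite numbers inside a few hours, billed at $6.50/minute) is something a PBX's CDR export can be screened for after the fact or on a schedule. The script below is an added example, not code from this thread or from any of the posters: it parses a constructed CDR extract, normalizes the dialed digits so that "+881...", "011881..." and "00881..." compare equal, flags calls whose destination falls in a satellite country-code range, and reports billed minutes, estimated exposure at the thread's rate, the extensions involved, and the peak number of simultaneous calls. The CDR column layout, the sample rows, and the per-call rounding to whole minutes are assumptions. The prefix table goes slightly beyond the thread: 881 is the ITU Global Mobile Satellite System range (8816/8817 Iridium, 8818/8819 Globalstar, which matches the 8818... numbers above) and 870 is Inmarsat, so the same check also catches the Inmarsat traffic Paul mentions later in the thread.

```python
"""Screen a CDR extract for calls to satellite destinations.

Added example for the thread above; the CDR layout and sample rows are
constructed, and the billing assumptions are noted inline.
"""
import math
from datetime import datetime, timedelta

# Destination prefixes after international-prefix normalisation. 881 is the
# ITU Global Mobile Satellite System range (8816/8817 Iridium, 8818/8819
# Globalstar, which is where the thread's 8818... numbers fall); 870 is
# Inmarsat. The longest matching prefix wins when classifying.
SATELLITE_PREFIXES = {
    "8816": "Iridium",
    "8817": "Iridium",
    "8818": "Globalstar",
    "8819": "Globalstar",
    "881": "GMSS (other)",
    "870": "Inmarsat",
}

RATE_PER_MINUTE = 6.50  # the rate the victim's carrier billed in the thread

# Constructed CDR extract: start (ISO 8601), duration in seconds,
# calling extension, dialed digits exactly as the PBX logged them.
SAMPLE_CDRS = """
2011-01-26T02:10:05,412,1001,011881835211540
2011-01-26T02:10:41,388,1002,011881835211556
2011-01-26T02:11:03,901,1003,011881835211547
2011-01-26T02:12:30,655,1001,+881835211540
2011-01-26T02:40:00,120,1004,16025551234
2011-01-26T09:15:00,30,1005,18005551212
"""


def normalize(dialed):
    """Reduce '+881...', '011881...' and '00881...' to the bare E.164 digits."""
    digits = "".join(ch for ch in dialed if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        return digits[1:]
    for access_code in ("011", "00"):  # NANP and ITU international access codes
        if digits.startswith(access_code):
            return digits[len(access_code):]
    return digits


def classify(dialed):
    """Return the satellite carrier name for a dialed number, or None."""
    number = normalize(dialed)
    for prefix in sorted(SATELLITE_PREFIXES, key=len, reverse=True):
        if number.startswith(prefix):
            return SATELLITE_PREFIXES[prefix]
    return None


def parse_cdrs(text):
    """Parse the constructed 'start,duration_s,ext,called' CDR lines."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        start, duration, ext, called = (f.strip() for f in line.split(","))
        records.append({"start": datetime.fromisoformat(start),
                        "duration": int(duration), "ext": ext, "called": called})
    return records


def max_concurrent(calls):
    """Sweep-line count of the peak number of overlapping calls."""
    events = []
    for call in calls:
        events.append((call["start"], 1))
        events.append((call["start"] + timedelta(seconds=call["duration"]), -1))
    events.sort()  # at an equal instant, -1 (end) sorts before +1 (start)
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def triage(records, rate_per_minute=RATE_PER_MINUTE):
    """Summarise the satellite-destination calls in a CDR extract."""
    flagged = [r for r in records if classify(r["called"]) is not None]
    # Assumption: the carrier rounds each call up to a whole minute.
    billed_minutes = sum(math.ceil(r["duration"] / 60) for r in flagged)
    starts = [r["start"] for r in flagged]
    span = (max(starts) - min(starts)).total_seconds() / 60 if starts else 0.0
    return {
        "flagged_calls": len(flagged),
        "destinations": sorted({normalize(r["called"]) for r in flagged}),
        "carriers": sorted({classify(r["called"]) for r in flagged}),
        "extensions": sorted({r["ext"] for r in flagged}),
        "billed_minutes": billed_minutes,
        "estimated_cost": round(billed_minutes * rate_per_minute, 2),
        "max_concurrent": max_concurrent(flagged),
        "burst_span_minutes": round(span, 1),
    }


if __name__ == "__main__":
    for key, value in triage(parse_cdrs(SAMPLE_CDRS)).items():
        print(f"{key}: {value}")
```

On the constructed rows the summary shows four flagged calls from three extensions, all starting within about two and a half minutes, four of them in progress at once, and 41 billed minutes (about $266 at $6.50). Two of those signals, concurrency above what the site's staff could physically generate and any call at all to an 870/881 destination, are cheap to alert on in near real time, and an outbound route block on those prefixes at the gateway costs nothing if the business never legitimately calls them.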

From: "Carlos Alvarez" <carlos at televolve.com>
To: voiceops at voiceops.org
Sent: Wednesday, January 26, 2011 6:20:51 PM
Subject: [VoiceOps] h.323 breech and toll fraud case
A company we work closely with, but is not our customer, had their Cisco Call Manager hacked due to some h.323 vulnerability that I don't have full details on yet. There were a number of calls placed to:
881835211540 881835211556 881835211547
My findings indicate these are Globalstar satellite numbers that cost somewhere between $4 and $7/minute to call, depending on carrier. The victim's carrier is billing them at $6.50. The total bill for the event is around $13k. This is a small company that can't really afford this. I am not an interested party in the sense that it wasn't on our network, but it's a company we work with a lot and want to help. I also want to learn from this to potentially protect our own network.
Some questions...
1. What is the scam here? The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose. Many of the calls were concurrent. It all happened in the span of just a few hours.
2. Anyone experienced the same thing with those numbers or similar numbers?
3. About a year ago I attended an FBI presentation on VoIP fraud and there was a VoIP specialist who gave his contact info, but I can't find it. What is the best way for this company to report this crime?
If you find out please let me know. I had a $180k voip fraud last year (SIP, Ukraine -> Cuba) and reported to the FBI with NO response.
-- Carlos Alvarez TelEvolve 602-889-3003
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
-- Matthew S. Crocker President Crocker Communications, Inc. PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com P: 413-746-2760

Matthew S. Crocker wrote:
1. What is the scam here? The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose. Many of the calls were concurrent. It all happened in the span of just a few hours.
2. Anyone experienced the same thing with those numbers or similar numbers
We got hit with some Inmarsat earlier this year. I can't figure out what the deal was, but I did hear the typical Allison Asterisk conference bridge prompt when I called the ones we got hit with. I can't figure out how a satphone can handle so many simultaneous calls, and ones to an Asterisk box, at that. Is there a revenue share in there somewhere? I don't get it.
-Paul

On 01/26/2011 07:47 PM, Paul Timmins wrote:
I can't figure out how a satphone can handle so many simultaneous calls, and ones to an asterisk box, at that.
I'm sure there are ways to plumb the data into an Asterisk box through some channel or another. After all, Asterisk probably has the largest, most comprehensive base of hardware interface support - between built-in drivers and third-party hacks - available. -- Alex Balashov - Principal Evariste Systems LLC 260 Peachtree Street NW Suite 2200 Atlanta, GA 30303 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/

On 01/26/2011 07:53 PM, Alex Balashov wrote:
On 01/26/2011 07:47 PM, Paul Timmins wrote:
I can't figure out how a satphone can handle so many simultaneous calls, and ones to an asterisk box, at that.
I'm sure there are ways to plumb the data into an Asterisk box through some channel or another. After all, Asterisk probably has the largest, most comprehensive base of hardware interface support - between built-in drivers and third-party hacks - available.
Also, I forgot to mention: Numerous types of standalone transceiver units can be used with Globalstar, Inmarsat and Iridium. Some of these are capable of making and receiving an impressive number of concurrent calls intended for analog data transmission and acquisition for various specialised purposes, pseudo-military applications, technical monitoring and remote management of marine and aviation hardware, etc. It wouldn't surprise me if someone bothered to wire one of those up to an Asterisk interface somehow. -- Alex Balashov - Principal Evariste Systems LLC 260 Peachtree Street NW Suite 2200 Atlanta, GA 30303 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/

Carlos, On 01/26/2011 06:20 PM, Carlos Alvarez wrote:
1. What is the scam here? The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose. Many of the calls were concurrent. It all happened in the span of just a few hours.
In my experience, generally speaking the scam is contingent on the party that's doing the hacking being involved on both sides.
They initiate the calls, but they are also in bed with whoever is taking the calls (or is a high-margin intermediary in completing the calls, depending on the cost structure of that particular destination and infrastructure). Therefore, they get some non-trivial percentage of the charges kicked back to them in some fashion or another.
This is not an uncommon occurrence with telcos that run premium numbers or some special rural tariffs in other countries. It's rather akin to rural ILEC access charge arbitrage / traffic pumping schemes in the US, in the sense that someone either shows up at the telco's door purporting to offer some sort of "free" service or "novel" business model that seeks profit sharing in the access revenue to make it work, or, for the more ballsy ones, dispense with any such pretense and simply conspire with the telco to game some calls in with false answer supervision or other blatant tomfoolery in return for a cut of the toll action. The difference is that with costs in the several dollars/minute, there's just a lot more money to be made in other jurisdictions, not fractions of pennies.
-- Alex
-- Alex Balashov - Principal Evariste Systems LLC 260 Peachtree Street NW Suite 2200 Atlanta, GA 30303 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/

If there is truly nothing to be gained on the receiving side, even within the supply chain, then the only other plausible incentive to route calls to high-priced destinations would be to deliberately impart financial harm upon the victim company in question.
On 01/26/2011 07:43 PM, Alex Balashov wrote:
Carlos,
On 01/26/2011 06:20 PM, Carlos Alvarez wrote:
1. What is the scam here? The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose. Many of the calls were concurrent. It all happened in the span of just a few hours.
In my experience, generally speaking the scam is contingent on the party that's doing the hacking being involved on both sides.
They initiate the calls, but they are also in bed with whoever is taking the calls (or is a high-margin intermediary in completing the calls, depending on the cost structure of that particular destination and infrastructure). Therefore, they get some non-trivial percentage of the charges kicked back to them in some fashion or another.
This is not an uncommon occurrence with telcos that run premium numbers or some special rural tariffs in other countries. It's rather akin to rural ILEC access charge arbitrage / traffic pumping schemes in the US, in the sense that someone either shows up at the telco's door purporting to offer some sort of "free" service or "novel" business model that seeks profit sharing in the access revenue to make it work, or, for the more ballsy ones, dispense with any such pretense and simply conspire with the telco to game some calls in with false answer supervision or other blatant tomfoolery in return for a cut of the toll action. The difference is that with costs in the several dollars/minute, there's just a lot more money to be made in other jurisdictions, not fractions of pennies.
-- Alex
-- Alex Balashov - Principal Evariste Systems LLC 260 Peachtree Street NW Suite 2200 Atlanta, GA 30303 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/

On 1/26/2011 6:20 PM, Carlos Alvarez wrote:
Some questions...
1. What is the scam here? The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose. Many of the calls were concurrent. It all happened in the span of just a few hours.
2. Anyone experienced the same thing with those numbers or similar numbers?
3. About a year ago I attended an FBI presentation on VoIP fraud and there was a VoIP specialist who gave his contact info, but I can't find it. What is the best way for this company to report this crime?
1) You assume the recipient of those calls gains nothing. The reality is, there is a high likelihood somewhere along the lines, there is some form of financial gain, otherwise an attacker wouldn't waste time and resources compromising a system to place that call.
2) Yes, similar; unsure about the numbers, will check them out tomorrow and get back to you.
3) The best and only way is to contact the FBI. The issue with investigating these types of crimes boils down to the fact that it is difficult to rely on IP as a means of identification in tracking down what occurred. Secondly, there is a matter of jurisdiction hurdles in these cases. Think about it for a minute. An attack occurs RIGHT NOW from an address say in Egypt. You report it, someone comes down, sits with you, collects evidence. (Time elapsed AT LEAST 3 days) Investigator sees reason to pursue: (AT LEAST 2-3 weeks). Investigator seeks a subpoena for records for a provider abroad (AT LEAST 3-4 days). Minimum time elapsed being VERY VERY conservative, 3 - 5 weeks. Investigator delivers subpoena for records in a not-so-friendly country or rather, a country who is a bit behind on the times... Process starts again. Throughout all of this, let's say if the attacker came from say Iceland. Investigators there determine the machine was actually compromised from another source in China. Hilarity follows and an investigation goes nowhere. This is a vicious little circle an investigator ANYWHERE is likely to face when dealing with this issue.
What I believe *may* help you is the fact that it went to a satellite based number. Many of these numbers tend to be *unique* in the sense of who actually needs these services. *drumroll* Terrorists? I would be willing to bet that you may have someone take a close look at this incident because of the satellite factor and if nothing else, you would still be raising a red alert against the provider. I'm sure that if enough queries into a specific company take place, *something* will occur. Over the past 5 years or so, I've seen approximately 8-10 different compromises with ONLY one of them going to a satellite based number.
As for getting back to #3, I *may* know of someone who could help so I've forwarded them your post. They may or may not contact you; it all depends on their caseload.
For those on the list who follow this crime, I urge some to collaborate by posting the names of the end carriers, numbers called and any information if your company allows it. My reasoning for this is simple: it allows those in the investigative field to get data on what numbers are being called, where attackers are coming from, what attackers are using etc. I sincerely believe that at some point in time, someone will surely connect the dots and rein in the thieves. If you have qualms about posting that data, feel free to send it to me and I will post it on the VoIP Abuse with no identifiable information to your systems, clients, etc. See the VABL list for the structure of how data is posted. E.g.:
IP Address of Offender | Violation | Date | checksum of host (incident response/backtracking) | ASN | Netblock | Provider | Country | etc, | Number called
197.195.64.64 | ADN | VABL | 20110123 | e0b1a605610f4d3196be32721050ae0d | 36992 | 197.192.0.0/13 | ETISALAT | EG | - | ETISALAT MISR | 001120111124336
Facts are facts though: if no complaint is made, this will continue, as at no point in time is there any data to correlate ("We've seen a number of these calls from this company, let's investigate this company"). The fewer people complain, the more the attacks will continue, as some of the "shady" providers will continue unpunished, making it seem as if EVERYONE is in bed with this type of crap.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

One of my customers just got hit by the same type of traffic. The TNs dialed were:
+881835211670 +881842011400 +881935211660 +881935211900 +881935211914 +881935211915 +881935211916 +881935211920 +881942011157 +881942011158 +881942011540
Some other insight on these breaches: Most sat plans (at least those resellers get) include free direct inbound and only bill if you use a dial-around (i.e. Iridium 2-stage dialing etc.). Either way, if the owner of the DN was being billed they would just scream fraud, thus the reseller would be risking a lot to make a few quick bucks. I would think someone in the call path would be the one benefiting from this scheme; it's a weird one at that.
On Wed, Jan 26, 2011 at 18:20, Carlos Alvarez <carlos at televolve.com> wrote:
A company we work closely with, but is not our customer, had their Cisco Call Manager hacked due to some h.323 vulnerability that I don't have full details on yet. There were a number of calls placed to:
881835211540 881835211556 881835211547
My findings indicate these are Globalstar satellite numbers that cost somewhere between $4 and $7/minute to call, depending on carrier. The victim's carrier is billing them at $6.50. The total bill for the event is around $13k. This is a small company that can't really afford this. I am not an interested party in the sense that it wasn't on our network, but it's a company we work with a lot and want to help. I also want to learn from this to potentially protect our own network.
Some questions...
1. What is the scam here? The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose. Many of the calls were concurrent. It all happened in the span of just a few hours.
2. Anyone experienced the same thing with those numbers or similar numbers?
3. About a year ago I attended an FBI presentation on VoIP fraud and there was a VoIP specialist who gave his contact info, but I can't find it. What is the best way for this company to report this crime?
-- Carlos Alvarez TelEvolve 602-889-3003
participants (6)
- abalashov@evaristesys.com
- adam.botbyl@gmail.com
- carlos@televolve.com
- matthew@corp.crocker.com
- paul@timmins.net
- sil@infiltrated.net