Scam telemarketers spoofing our NOC phone number for callerid

We have recently gotten complaints of harassing and high pressure sales scams originating from our NOC's phone number. Since the number is a virtual number on the PBX, it can't be used for outgoing calls. I assume the scammers choose the number from the whois db. Anyone else seen this happening? Any suggestions on whom we should contact?

Could be Caller ID spoofing. If so, have a recipient of the call perform a
trap and trace to find the originator of the call (doing so may require you
to file a police report to find who's making the calls, depending on your
jurisdiction).

If your PBX is SIP based, you might be victim of a SIP registration hijack,
which are on the rise, based on traffic we've been seeing in our network.

I had my unpublished asterisk box up for all of two days before
getting half a megabit per second worth of false SIP registration
attempts. Filled /var/log. I had to write a script to dynamically
filter source IPs with too many failures.

Regards,
Bill Herrin
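
A sketch of the kind of filter described in the message above, as an added example (it is not Bill Herrin's script, which the thread does not show): it reads Asterisk chan_sip failed-registration lines and reports source IPs with too many failures inside a time window, ready to feed to a firewall. The log lines are constructed, and the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Asterisk chan_sip log format (documentation-range IPs).
SAMPLE_LOG = """\
[2010-10-05 02:00:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-10-05 02:00:02] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-10-05 02:00:03] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2010-10-05 02:00:09] VERBOSE[2101] chan_sip.c: Registered SIP '200' at 198.51.100.20 port 5060
[2010-10-05 09:15:00] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.20' - Wrong password
[2010-10-05 09:50:00] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.20' - Wrong password
[2010-10-05 10:40:00] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.20' - Wrong password
"""

# Matches failed REGISTERs; the source may be logged as 'ip' or 'ip:port'.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from .* failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - ")

def offenders(log_text, max_failures=3, window_s=60):
    """Return {ip: total_failures} for sources that reach max_failures
    failed registrations within any window_s-second span."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    totals = defaultdict(int)     # ip -> all failures seen
    flagged = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful registrations and other noise
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out, so a phone with an occasional
        # mistyped password is not treated like a scanner.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}\t{n} failed registrations")
```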

Our system is PRI based, not sip.

PRI for origination and termination...but what are your phones? Old school or VOIP/SIP? If your phone system supports SIP clients, it really ought to be IP restricted to only allow your phones access, or use something like fail2ban to stop the SIP scanners from eventually gaining access.

Digital all the way through. No sip. No outside access to the PBX subnet either. Just a minute ago our telco has verified that the calls are not originating from our phone system. It's a simple caller id spoofing. People don't realize that caller id can be spoofed and therefore are 100% sure that we are making the harassing calls.

Just wanted nanog to be aware of this since the only two numbers that this has happened with are the ones in our ARIN whois records.

I'm currently dealing with an engineering firm in Florida that I believe
is having the same issue. Getting calls at 2am, 3am MDT and at the
exact same time 12 hours later to one of my numbers which has call
screening.

Left a message with their IT department, so hoping they follow up and
return my call.

Some do. Anyone with control of a phone system with digital lines (i.e. asterisk with PRI) can trivially set callerID to whatever they want. There are perfectly legitimate, and not so legitimate uses for this.

However, SIP scanning and brute forcing has become really common, so it's about as likely that a phone system has been compromised as someone is forging callerID to one of its numbers.

> Digital all the way through. No sip. No outside access to the PBX subnet
> either. Just a minute ago our telco has verified that the calls are
> not originating from our phone system. It's a simple caller id spoofing.
> People don't realize that caller id can be spoofed and therefore are
> 100% sure that we are making the harassing calls.

> Some do. Anyone with control of a phone system with digital lines (i.e.
> asterisk with PRI) can trivially set callerID to whatever they want.

That's not correct; what is true is that *some* LEC's do not filter
the callerID submitted and so this is *sometimes* true. There are
many examples where a LEC does not accept random callerID's from a
PRI customer. Sometimes this is even problematic, for example, when
the LEC helpfully inserts the callerID *they* think is correct and
it's actually wrong.

> There are perfectly legitimate, and not so legitimate uses for this.

Yes. It's very useful, for example, to be able to generate your cell
phone's callerID from your PBX, since people have a habit of dialing
you from the number you called, even if you specifically asked them to
use a different callback number.

> However, SIP scanning and brute forcing has become really common, so it's
> about as likely that a phone system has been compromised as someone is
> forging callerID to one of its numbers.

Correct.

... JG

William Herrin wrote:

> > If your PBX is SIP based, you might be victim of a SIP registration hijack,
> > which are on the rise, based on traffic we've been seeing in our network.
>
> I had my unpublished asterisk box up for all of two days before
> getting half a megabit per second worth of false SIP registration
> attempts. Filled /var/log. I had to write a script to dynamically
> filter source IPs with too many failures.
>
> Regards,
> Bill Herrin

"A Simple Asterisk Based Toll Fraud Prevention Script"
http://www.infiltrated.net/asterisk-ips.html

Cheap marketing of a free RBL for VoIP: http://www.infiltrated.net/voipabuse

Anyhow, I spoke about this last week (toll fraud abuse via IP PBX
tricksters). Show # 275
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=22622&cmd=tc

The script kiddies and botnets seem to be trying hard.

I started announcing a brand new RIR allocation about 4 days ago and decided to tcpdump the background noise on the prefix before it gets used in production. About 80% of the traffic is systematic scanning on port 5060 across the entire prefix.

You don't even need the PRI. There's a number of SIP providers that will
allow you to set CallerID. In some cases they do some level of verification
first, but in many cases it's just a free-for-all.

There were some laws passed recently which makes "faking" caller-id illegal,
although I'm not sure exactly what the details are (eg, I'm fairly sure
sending your cell phone number from a desk phone is fine as you own both of
them).

  Scott.

Scott Howard wrote:

> > Some do. Anyone with control of a phone system with digital lines (i.e.
> > asterisk with PRI) can trivially set callerID to whatever they want. There
> > are perfectly legitimate, and not so legitimate uses for this.
>
> You don't even need the PRI. There's a number of SIP providers that will
> allow you to set CallerID. In some cases they do some level of verification
> first, but in many cases it's just a free-for-all.
>
> There were some laws passed recently which makes "faking" caller-id illegal,
> although I'm not sure exactly what the details are (eg, I'm fairly sure
> sending your cell phone number from a desk phone is fine as you own both of
> them).
>
>   Scott.

It's HR 1258, the Truth in Caller ID Act; however, it means nothing to
someone outside the United States and this is where the issue seems to
stem from (a huge portion).

So imagine the following:

YourCompany --> VoIP_Peer --> Euro_Company

Someone compromises something in Euro_Company, unbeknownst to that
company, they're sending YOU traffic which you in turn pass (remember
you trusted them here). Guess what? Euro_Company's PBX was sending false
Caller ID. Should you be the one held liable as an ITSP? Further
consideration:

You --> Call Dell Support --> call re-routes to West Bumfork India -->
Callee gets your callback
Yourphone --> ring ring ring --> CID: Dell 12125551234

Where is the truth there?

Anyhow, I don't know if Obama signed this into law yet.

On my phone right now, I set the caller ID to the main number of my
company so that clients take the appropriate steps in going through
Customer Service. Guess what? When I'm at home and on-call my Caller-ID
is set to my company's main number so that clients don't call me at home
on a Sunday morning. Am I committing a "despicable" act by doing this?
Is it any different than unplugging my Snom, Cisco or Polycom and
bringing it home which yields the same results.

While I do recognize the abuse (spammers, telemarketers, etc), I don't
see how a bill is going to stop this from occurring. Who knows maybe
blacklisting ITSP providers. Should we play a guessing game: "Well, it
is coming from Global Crossing..."

> There were some laws passed recently which makes "faking" caller-id illegal,
> although I'm not sure exactly what the details are (eg, I'm fairly sure
> sending your cell phone number from a desk phone is fine as you own both of
> them).

In the US - it's not quite law yet.

The bill in question is H.R. 1258: Truth in Caller ID Act of 2010. It was passed by the house in April 2010 - but has not yet been passed by the Senate. A similar bill was passed by the Senate previously - so it's only a matter of time.

Specifically - the bill will make it illegal "to cause any caller ID service to transmit misleading or inaccurate caller ID information."

Changing your caller-id for legitimate non-nefarious purposes will still be allowed.

Feargal

not directly related, but i get occasional harassing calls from
mental/emotional children who are using whois. it's amusing but
basically pathetic.

randy

We get people calling our noc numbers pretty often trying to report abuse for other people's networks... that is always fun

John van Oppen / AS11404

> We get people calling our noc numbers pretty often trying to report
> abuse for other people's networks... that is always fun

> not directly related, but i get occasional harassing calls from
> mental/emotional children who are using whois. it's amusing but
> basically pathetic.

no, i mean classic children's behavior pretending they are the police or
whatever.

randy