Scam telemarketers spoofing our NOC phone number for callerid
We have recently gotten complaints of harassing and high-pressure sales scams originating from our NOC's phone number. Since the number is a virtual number on the PBX, it can't be used for outgoing calls. I assume the scammers choose the number from the whois db. Anyone else seen this happening? Any suggestions on whom we should contact?

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
On 06/10/10 10:29 -0400, Matthew Huff wrote:
We have recently gotten complaints of harassing and high-pressure sales scams originating from our NOC's phone number. Since the number is a virtual number on the PBX, it can't be used for outgoing calls. I assume the scammers choose the number from the whois db. Anyone else seen this happening? Any suggestions on whom we should contact?
Could be Caller ID spoofing. If so, have a recipient of the call perform a trap and trace to find the originator of the call (doing so may require you to file a police report to find who's making the calls, depending on your jurisdiction). If your PBX is SIP based, you might be victim of a SIP registration hijack, which are on the rise, based on traffic we've been seeing in our network.

-- Dan White
On Wed, Oct 6, 2010 at 10:37 AM, Dan White <dwhite@olp.net> wrote:
If your PBX is SIP based, you might be victim of a SIP registration hijack, which are on the rise, based on traffic we've been seeing in our network.
I had my unpublished asterisk box up for all of two days before getting half a megabit per second worth of false SIP registration attempts. Filled /var/log. I had to write a script to dynamically filter source IPs with too many failures.

Regards, Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Our system is PRI based, not SIP.

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
On Wed, 6 Oct 2010, Matthew Huff wrote:
Our system is PRI based, not SIP.
PRI for origination and termination... but what are your phones? Old school or VOIP/SIP? If your phone system supports SIP clients, it really ought to be IP restricted to only allow your phones access, or use something like fail2ban to stop the SIP scanners from eventually gaining access.

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
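As an added illustration of the failure-counting script Bill Herrin mentions and the fail2ban-style blocking Jon Lewis suggests (example code written for this thread, not a script from either poster): it parses constructed log lines in the shape of Asterisk chan_sip "Registration from ... failed" notices, counts failures per source IP inside a sliding window, and renders the iptables rules a firewall script would run; the threshold, window length and exact log format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the thread) in the shape of Asterisk
# chan_sip NOTICE lines: 198.51.100.7 cycles through extensions, while
# 203.0.113.9 fails once (a likely typo) and must not be blocked.
SAMPLE_LOG = """\
[Oct  6 11:15:01] NOTICE[2012] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct  6 11:15:01] NOTICE[2012] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct  6 11:15:02] NOTICE[2012] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct  6 11:15:02] NOTICE[2012] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct  6 11:20:40] NOTICE[2012] chan_sip.c: Registration from '"220" <sip:220@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\].*?"
    r"Registration from .* failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'"
)

def failed_registrations(log_text, year=2010):
    """Yield (timestamp, source_ip) for every failed REGISTER in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog-style stamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def sources_to_block(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return the source IPs with >= max_failures failures inside any
    sliding window of the given length (fail2ban-style counting)."""
    by_ip = {}
    for ts, ip in failed_registrations(log_text):
        by_ip.setdefault(ip, []).append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= max_failures:
                offenders.add(ip)
                break
    return offenders

def drop_rules(ips, port=5060):
    """Render iptables commands for the offenders (nothing is executed here)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(ips)]
```

A cron job or log tail that feeds the live log through `sources_to_block` and runs the rendered rules reproduces the behaviour described above; single failures from legitimate phones fall below the threshold.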
Digital all the way through. No SIP. No outside access to the PBX subnet either. Just a minute ago our telco verified that the calls are not originating from our phone system. It's simple caller ID spoofing. People don't realize that caller ID can be spoofed and therefore are 100% sure that we are making the harassing calls. Just wanted NANOG to be aware of this since the only two numbers that this has happened with are the ones in our ARIN whois records.

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
On 10/6/10 9:43 AM, Matthew Huff wrote:
Digital all the way through. No SIP. No outside access to the PBX subnet either. Just a minute ago our telco verified that the calls are not originating from our phone system. It's simple caller ID spoofing. People don't realize that caller ID can be spoofed and therefore are 100% sure that we are making the harassing calls.
Just wanted NANOG to be aware of this since the only two numbers that this has happened with are the ones in our ARIN whois records.
I'm currently dealing with an engineering firm in Florida that I believe is having the same issue. Getting calls at 2am, 3am MDT and at the exact same time 12 hours later to one of my numbers which has call screening. Left a message with their IT department, so hoping they follow up and return my call.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
On Wed, 6 Oct 2010, Matthew Huff wrote:
Digital all the way through. No SIP. No outside access to the PBX subnet either. Just a minute ago our telco verified that the calls are not originating from our phone system. It's simple caller ID spoofing. People don't realize that caller ID can be spoofed and therefore are 100% sure that we are making the harassing calls.
Some do. Anyone with control of a phone system with digital lines (i.e. asterisk with PRI) can trivially set callerID to whatever they want. There are perfectly legitimate, and not so legitimate, uses for this. However, SIP scanning and brute forcing has become really common, so it's about as likely that a phone system has been compromised as someone is forging callerID to one of its numbers.

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Wed, 6 Oct 2010, Matthew Huff wrote:
Digital all the way through. No SIP. No outside access to the PBX subnet either. Just a minute ago our telco verified that the calls are not originating from our phone system. It's simple caller ID spoofing. People don't realize that caller ID can be spoofed and therefore are 100% sure that we are making the harassing calls.
Some do. Anyone with control of a phone system with digital lines (i.e. asterisk with PRI) can trivially set callerID to whatever they want.
That's not correct; what is true is that *some* LECs do not filter the callerID submitted and so this is *sometimes* true. There are many examples where a LEC does not accept random callerIDs from a PRI customer. Sometimes this is even problematic, for example, when the LEC helpfully inserts the callerID *they* think is correct and it's actually wrong.
There are perfectly legitimate, and not so legitimate, uses for this.
Yes. It's very useful, for example, to be able to generate your cell phone's callerID from your PBX, since people have a habit of dialing you from the number you called, even if you specifically asked them to use a different callback number.
However, SIP scanning and brute forcing has become really common, so it's about as likely that a phone system has been compromised as someone is forging callerID to one of its numbers.
Correct.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Wed, Oct 6, 2010 at 8:55 AM, Jon Lewis <jlewis@lewis.org> wrote:
Some do. Anyone with control of a phone system with digital lines (i.e. asterisk with PRI) can trivially set callerID to whatever they want. There are perfectly legitimate, and not so legitimate, uses for this.
You don't even need the PRI. There are a number of SIP providers that will allow you to set CallerID. In some cases they do some level of verification first, but in many cases it's just a free-for-all. There were some laws passed recently which make "faking" caller-id illegal, although I'm not sure exactly what the details are (eg, I'm fairly sure sending your cell phone number from a desk phone is fine as you own both of them).

Scott.
Scott Howard wrote:
On Wed, Oct 6, 2010 at 8:55 AM, Jon Lewis <jlewis@lewis.org> wrote:
Some do. Anyone with control of a phone system with digital lines (i.e. asterisk with PRI) can trivially set callerID to whatever they want. There are perfectly legitimate, and not so legitimate, uses for this.
You don't even need the PRI. There are a number of SIP providers that will allow you to set CallerID. In some cases they do some level of verification first, but in many cases it's just a free-for-all.
There were some laws passed recently which make "faking" caller-id illegal, although I'm not sure exactly what the details are (eg, I'm fairly sure sending your cell phone number from a desk phone is fine as you own both of them).
Scott.
It's HR 1258, the Truth in Caller ID Act. However, it means nothing to someone outside the United States, and this is where the issue seems to stem from (a huge portion). So imagine the following:

YourCompany --> VoIP_Peer --> Euro_Company

Someone compromises something in Euro_Company, unbeknownst to that company; they're sending YOU traffic which you in turn pass (remember you trusted them here). Guess what? Euro_Company's PBX was sending false Caller ID. Should you be the one held liable as an ITSP?

Further consideration:

You --> Call Dell Support --> call re-routes to West Bumfork India --> Callee gets your callback
Yourphone --> ring ring ring --> CID: Dell 12125551234

Where is the truth there? Anyhow, I don't know if Obama signed this into law yet.

On my phone right now, I set the caller ID to the main number of my company so that clients take the appropriate steps in going through Customer Service. Guess what? When I'm at home and on-call my Caller-ID is set to my company's main number so that clients don't call me at home on a Sunday morning. Am I committing a "despicable" act by doing this? Is it any different than unplugging my Snom, Cisco or Polycom and bringing it home, which yields the same results?

While I do recognize the abuse (spammers, telemarketers, etc), I don't see how a bill is going to stop this from occurring. Who knows, maybe blacklisting ITSP providers. Should we play a guessing game: "Well, it is coming from Global Crossing..."

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
From: scott@doc.net.au [mailto:scott@doc.net.au] Sent: Wednesday, October 06, 2010 2:26 PM Subject: Re: Scam telemarketers spoofing our NOC phone number for callerid
There were some laws passed recently which make "faking" caller-id illegal, although I'm not sure exactly what the details are (eg, I'm fairly sure sending your cell phone number from a desk phone is fine as you own both of them).
In the US - it's not quite law yet. The bill in question is H.R. 1258: Truth in Caller ID Act of 2010. It was passed by the House in April 2010 - but has not yet been passed by the Senate. A similar bill was passed by the Senate previously - so it's only a matter of time. Specifically - the bill will make it illegal "to cause any caller ID service to transmit misleading or inaccurate caller ID information." Changing your caller-id for legitimate non-nefarious purposes will still be allowed.

Feargal
William Herrin wrote:
On Wed, Oct 6, 2010 at 10:37 AM, Dan White <dwhite@olp.net> wrote:
If your PBX is SIP based, you might be victim of a SIP registration hijack, which are on the rise, based on traffic we've been seeing in our network.
I had my unpublished asterisk box up for all of two days before getting half a megabit per second worth of false SIP registration attempts. Filled /var/log. I had to write a script to dynamically filter source IPs with too many failures.
Regards, Bill Herrin
"A Simple Asterisk Based Toll Fraud Prevention Script"
http://www.infiltrated.net/asterisk-ips.html

Cheap marketing of a free RBL for VoIP: http://www.infiltrated.net/voipabuse

Anyhow, I spoke about this last week (toll fraud abuse via IP PBX tricksters). Show # 275
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=22622&cmd=tc
http://voipsa.org/blog/2010/09/29/voip-attackers-sometimes-they-come-back/
http://voipsa.org/blog/2010/09/28/voip-abuse-project/

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
On 06/10/2010 17:15, William Herrin wrote:
I had my unpublished asterisk box up for all of two days before getting half a megabit per second worth of false SIP registration attempts.
The script kiddies and botnets seem to be trying hard. I started announcing a brand new RIR allocation about 4 days ago and decided to tcpdump the background noise on the prefix before it gets used in production. About 80% of the traffic is systematic scanning on port 5060 across the entire prefix.

-- Graham Beneke
not directly related, but i get occasional harassing calls from mental/emotional children who are using whois. it's amusing but basically pathetic.

randy
We get people calling our NOC numbers pretty often trying to report abuse for other people's networks... that is always fun

John van Oppen / AS11404
We get people calling our NOC numbers pretty often trying to report abuse for other people's networks... that is always fun
not directly related, but i get occasional harassing calls from mental/emotional children who are using whois. it's amusing but basically pathetic.
no, i mean classic children's behavior pretending they are the police or whatever.

randy
participants (12): Brielle Bruns, Dan White, FEARGAL_LEDWIDGE@CRGL-THIRDPARTY.COM, Graham Beneke, J. Oquendo, Joe Greco, John van Oppen, Jon Lewis, Matthew Huff, Randy Bush, Scott Howard, William Herrin