
Telephony Fraud – Still going strong - kimi
http://www.simionovich.com/2017/01/08/telephony-fraud-still-going-strong/
======
voip23
VoIP fraud is very sophisticated and it's not just about toll fraud. The
author uses a small snapshot and tries to suggest scenarios. However, that's
like the one-shot case study that shows all clover have 4 leaves and are
sometimes green. You need much more data (and investigation) to make any
proper conclusions.

Often the multiple calls are a denial of service - frequent numbers are often
large companies being subject to a denial of service (the US embassy is a
popular target) or they are test calls to verify a server works (i.e. call
their own number and listen for audio) before pimping it out for toll fraud.

The PA ones could be a mix of that plus the more sinister DoS block on targets
about to be attacked to prevent them calling for help.

There's a list of hack attempts over a much longer period available at
[https://network-systems-solutions.ca/voipblocklist.php](https://network-systems-solutions.ca/voipblocklist.php)
That gives a bit more meat for anyone interested in looking for patterns (or
protecting their server I suppose)

~~~
falsedan
Thanks for describing some actual fraud scenarios rather than the author's
specious conjecture.

~~~
nirsimionovich
Well,

To be more accurate, I've shown a snippet describing only 48 hours of
"suspected attacks" that were performed to a single server. The overall
network contains 6 different honeypots around the world, which had been
changing IP numbers once every 7 days for the past 2 years.

Just to give a rough idea, the overall number of attacks that specific server
received in the month of December was over 180,000 attacks, with about 60
distinct attack sources and about 8 different attack patterns. Analysing all
the data is far beyond my current time capability, simply because I'm dealing
with other subjects.

It is true that you can't deduce any type of specific reasoning from the
displayed information, as the data set is very much limited. However, it shows
that as much as Skype/Facebook/WhatsApp are popular, the popularity of VoIP
hacking and hijacking still proves this is a booming market with much
financial gain.

------
emerongi
I ran a VoIP server for an application. It received daily attack attempts in
various formats. The only reason it never got abused was that I tightly bound
it to the application logic, so essentially no call outside the application
could be placed. You can secure it without doing that, but it's very easy to
get it wrong - there's a lot of horror stories out there. I definitely
would've been pwned if I didn't write direct application code into the server
from the get-go. I only learned of the various attacks over time from
inspecting the logs.

------
cixin
Interesting, so if I've understood correctly the attackers are looking for
open Asterisk servers and attempting to dial out.

What's the pay off? The numbers listed in the article are not premium rate.
Are they just test numbers or is there another pay off?

~~~
noselasd
Quite often those numbers will be another hacked service, which is set to
forward the calls. Perhaps eventually to a premium service. This is done to
better hide the origination.

Another common fraud is to provide cheap calls to a certain area/country.
(often named black/grey routes).

Basically the telco or state regulators might have a very expensive price to
call a certain country/network. You set up your own telephony service in
country A, route incoming calls over the internet to country B where you set
up a similar service that can terminate the calls in country B.

You call the phone number in country A, that phone is just a bot/pbx, which
routes the call over to country B, but using the cheap internet, instead of
the expensive price your telco would charge you to do. Seen from the telco in
both country A and B, it's just two local calls.

What's even cheaper than doing this? Hack an existing PBX to do the same, to
incur all costs to the PBX owner.

~~~
annnnd
Sorry if I'm being naive, but what is keeping users from using Skype & co.?

~~~
noselasd
Here are a few reasons:

1. Calling user does not have a computer

2. Called user does not have a computer

3. Users are in a situation where they do not have a computer, only their
cell phone, with a data plan that is too expensive to use Skype, or without a
data plan altogether.

4. Users do not know about, are not able or trained to use Skype.

5. Internet is not available at the location of either of the users.

6. Users are in a coverage area with only basic phone services, no data
availability.

Throughout the world there are far, far more people having access to simple
phone services than a computer and the internet.

The places I often see these kinds of frauds, are for minorities
living/working in one country, that want to talk to their families back home
- often poor people with no access to a computer, nor the ability to operate
one - but with a mobile phone, and a little bit of money to pay for a few
calls - which is enough for someone else to make a buck by selling black/grey
routes to these people.

------
telebone_man
I wonder if the author had considered more closely replicating a 'real call'?
Most of the fraudsters use automated dialers that anticipate the 200OK as a
successful call ... etc.

I did something like that, and was surprised to learn both the lack of media,
and predictable media (white noise, or a particular pre-recording) were
themselves indicative of 'artificial traffic' (and therefore, likely fraud).

~~~
nirsimionovich
Actually, the honeypot system is slightly smarter than that. Some of the
honeypots are actually based upon a SIPp UAS scenario, which will accept any
traffic and will play back an audio file of 5 minutes. Those servers normally
yield slightly different results, that normally look like a scan, then
followed by a media test then followed by something that looks almost manual -
and after the manual test, they go away, after realizing they hit a honey pot.

------
trome
I see attempts to push fraudulent traffic constantly on my SIP servers,
recently I've taken to putting recordings on for them or routing to a random
800 number.

Is calling Palestine Mobile Phones not possible over VOIP currently? I kinda
want to let a few calls complete, cause that is often a destination fraudulent
call attempts try to call. I see the prefix in my ratedeck, anyone know of a
less expensive provider?

Israel,Palestine,97292,0.189,1,1
Israel,Palestine,97282,0.189,1,1
Israel,Palestine,97242,0.189,1,1
Israel,Palestine,97222,0.189,1,1
Israel,Palestine Mobile Other,97259,0.219,1,1
Israel,Palestine Mobile Other,97256,0.219,1,1

~~~
mbrookes
> or routing to a random 800 number

800 numbers aren't free - the recipient pays. It may even be illegal to
forward your fraud traffic to them (but IANAL).

------
tehaugmenter
Looks like HN did some work on their site. For convenience here is a cached
link from Google:

[http://webcache.googleusercontent.com/search?q=cache:94_ZVFM...](http://webcache.googleusercontent.com/search?q=cache:94_ZVFMBF94J:www.simionovich.com/2017/01/08/telephony-fraud-still-going-strong/+&cd=1&hl=en&ct=clnk&gl=us)

~~~
nirsimionovich
Oh yeah, that was a real surprise - also the various attacks on the server
were very surprising as well - that kinda caught me off guard.

------
akjainaj
A coffee shop just because it's Amsterdam? That's interesting prejudice right
there. Everybody would be losing their shit if it was a black country and it
mentioned something typical of there...

~~~
p94ka
Dude, calm down, if you don't live in the Netherlands, coffee shop refers to a
place like Starbucks that usually has free wifi, which makes sense in the
context he's describing. That's what he meant. I moved here 3 months ago and I
still accidentally ask people if they want to stop by a coffee shop when I
meant I wanted to stop and get coffee.

