VoIP fraud is very sophisticated and it's not just about toll fraud. The author uses a small snapshot and tries to suggest scenarios. However, that's like the one-shot case study that shows all clover have 4 leaves and are sometimes green. You need much more data (and investigation) to make any proper conclusions.
Often the multiple calls are a denial of service - frequent numbers are often large companies being subject to a denial of service (the US embassy is a popular target) or they are test calls to verify a server works (i.e. call their own number and listen for audio) before pimping it out for toll fraud.
The PA ones could be a mix of that plus the more sinister DoS block on targets about to be attacked to prevent them calling for help.
There's a list of hack attempts over a much longer period available at https://network-systems-solutions.ca/voipblocklist.php. That gives a bit more meat for anyone interested in looking for patterns (or protecting their server I suppose).
To be more accurate, I've shown a snippet describing only 48 hours of "suspected attacks" that were performed to a
single server. The overall network contains 6 different honeypots around the world, which had been changing IP
numbers once every 7 days for the past 2 years.
Just to give a rough idea, the overall number of attacks that specific server received in the month of December was
over 180,000 attacks, with about 60 distinct attack sources and about 8 different attack patterns. Analysing all the data
is far beyond my current time capability, simply because I'm dealing with other subjects.
It is true that you can't deduce any type of specific reasoning from the displayed information, as the data set is
very much limited. However, it shows that as much as Skype/Facebook/WhatsApp are popular, the popularity of VoIP
hacking and hijacking still proves this is a booming market with much financial gain.
I ran a VoIP server for an application. It received daily attack attempts in various formats. The only reason it never got abused was that I tightly bound it to the application logic, so essentially no call outside the application could be placed. You can secure it without doing that, but it's very easy to get it wrong - there's a lot of horror stories out there. I definitely would've been pwned if I didn't write direct application code into the server from the get-go. I only learned of the various attacks over time from inspecting the logs.
Quite often those numbers will be another hacked service, which is set to forward the calls. Perhaps eventually to a premium service. This is done to better hide the origination.
Another common fraud is to provide cheap calls to a certain area/country (often named black/grey routes).
Basically the telco or state regulators might have a very expensive price to call a certain country/network. You set up your own telephony service in country A, route incoming calls over the internet to country B where you set up a similar service that can terminate the calls in country B.
You call the phone number in country A; that phone is just a bot/PBX, which routes the call over to country B, but using the cheap internet, instead of the expensive price your telco would charge you to do so. Seen from the telco in both country A and B, it's just two local calls.
What's even cheaper than doing this? Hack an existing PBX to do the same, to incur all costs to the PBX owner.
3. Users are in a situation where they do not have a computer, only their cell phone, with a data plan that is too expensive to use Skype, or without a data plan altogether.
4. Users do not know about, or are not able or trained to use, Skype.
5. Internet is not available at the location of either of the users.
6. Users are in a coverage area with only basic phone services, no data availability.
Throughout the world there are far, far more people having access to simple phone services than a computer and the internet.
The places I often see these kinds of frauds are for minorities living/working in one country, who want to talk to their families back home - often poor people with no access to a computer, nor the ability to operate one - but with a mobile phone, and a little bit of money to pay for a few calls - which is enough for someone else to make a buck by selling black/grey routes to these people.
Come get your nCLI greylist routes with 1.2sec of audio latency! That is basically what is going on with these routes, or they are used to route calling card traffic.
They are almost certainly test numbers, to see if they can get calls through to a country where calling is expensive. Often if you attempt to set up a call & not SIP 403 reject, they won't accept the audio media, so call setup cannot complete.
I wonder if the author had considered more closely replicating a 'real call'? Most of the fraudsters use automated dialers that anticipate the 200OK as a successful call ... etc.
I did something like that, and was surprised to learn both the lack of media, and predictable media (white noise, or a particular pre-recording) were themselves indicative of 'artificial traffic' (and therefore, likely fraud).
Actually, the honeypot system is slightly smarter than that. Some of the honeypots are actually based upon a SIPP UAS scenario, which will accept any traffic and will play back an audio file of 5 minutes. Those servers normally yield slightly different results, that normally look like a scan, then followed by a media test, then followed by something that looks almost manual - and after the manual test, they go away, after realizing they hit a honeypot.
Yeah, often fraudsters using Sipvicious won't complete the call and connect to media, I've seen this when routing all unauthorized traffic to 800 numbers.
I see attempts to push fraudulent traffic constantly on my SIP servers, recently I've taken to putting recordings on for them or routing to a random 800 number.
Is calling Palestine Mobile Phones not possible over VOIP currently? I kinda want to let a few calls complete, cause that is often a destination fraudulent call attempts try to call. I see the prefix in my ratedeck, anyone know of a less expensive provider?
Israel,Palestine,97292,0.189,1,1
Israel,Palestine,97282,0.189,1,1
Israel,Palestine,97242,0.189,1,1
Israel,Palestine,97222,0.189,1,1
Israel,Palestine Mobile Other,97259,0.219,1,1
Israel,Palestine Mobile Other,97256,0.219,1,1
Actually, people don't really know the following: The PA is identified by both the 972 (Israel) country code and the 970 (PA) country code.
When calling Israel on 97259, or 97222, or 97242, or 972502, or 972522 or 972542 - in some specific number ranges, you actually reach the PA. This is why many Israeli and worldwide PBX owners have routing mistakes on them, and you can basically get a minute of PA traffic, that normally costs around $0.19 for - wait for it - $0.008.
The main issue is that when the ITU assigned 970 to the PA, they never made them drop the 972 prefix - resulting in the world's longest arbitrage wholesale game.
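An added example, not part of the original comments: a rate-deck audit showing why a dial-plan rule written only against `972` misrates the ranges described above, and how longest-prefix matching catches it. The deck rows are the ones quoted in the thread; the bare `972` row is constructed here using the $0.008 figure from the comment, and the function names are hypothetical.

```python
import csv
import io

# Rate-deck rows quoted in the thread (country, destination, prefix, rate, ...).
# The bare "972" row is constructed for this example, using the $0.008 figure
# mentioned in the thread as the plain-Israel rate.
RATE_DECK = """\
Israel,Israel Fixed (constructed row),972,0.008,1,1
Israel,Palestine,97292,0.189,1,1
Israel,Palestine,97282,0.189,1,1
Israel,Palestine,97242,0.189,1,1
Israel,Palestine,97222,0.189,1,1
Israel,Palestine Mobile Other,97259,0.219,1,1
Israel,Palestine Mobile Other,97256,0.219,1,1
"""


def load_deck(text):
    """Parse the deck into {prefix: (destination, rate_per_minute)}."""
    deck = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 4:
            deck[row[2].strip()] = (row[1].strip(), float(row[3]))
    return deck


def rate_for(number, deck):
    """Longest-prefix match: the most specific prefix decides the rate."""
    digits = "".join(ch for ch in number if ch.isdigit())
    for end in range(len(digits), 0, -1):
        hit = deck.get(digits[:end])
        if hit:
            return digits[:end], hit[0], hit[1]
    return None


def masked_prefixes(allowed_prefix, deck):
    """Prefixes a dial-plan rule covers that cost more than the rule's own rate."""
    base = deck[allowed_prefix][1]
    return sorted(
        (p, dest, rate) for p, (dest, rate) in deck.items()
        if p != allowed_prefix and p.startswith(allowed_prefix) and rate > base
    )


DECK = load_deck(RATE_DECK)
```

Running `masked_prefixes("972", DECK)` against a full carrier deck lists every sub-range that an outbound rule for `972` silently permits at a higher cost, which is the routing mistake the comment describes.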
A coffee shop just because it's Amsterdam? That's interesting prejudice right there. Everybody would be losing their shit if it was a black country and it mentioned something typical of there...
Dude, calm down, if you don't live in the Netherlands, coffee shop refers to a place like Starbucks that usually has free wifi, which makes sense in the context he's describing. That's what he meant. I moved here 3 months ago and I still accidentally ask people if they want to stop by a coffee shop when I meant I wanted to stop and get coffee.