[cisco-voip] E1 call Fraud + h.323 Gw

Jason Aarons (US) jason.aarons at us.didata.com
Sat Jan 15 22:35:13 EST 2011 

Hopefully the CME doesn't have any Internet accessability? It's behind a firewall right?

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jawad A Hai
Sent: Saturday, January 15, 2011 1:21 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] E1 call Fraud + h.323 Gw

Hello Group,

Recently I faced a problem with one of my client, who has got E1r2, DID/DOD.
He has Cisco CME and Cisco Voice Gateway.
Suddenly all 30 ports got busy with international calls. All the calls are being generated by ONE IP Phone which has got local extension 2000.
This extension was translated to DID number, so that any call goes out via this number takes the DID and any call comes on this DID will land on this Phone.
The CME was configured to access via outside with live IP. ie Live IP to Local IP (NAT).
Now the thing here is all the calls which were generated are international calls, we rebooted the gw, we rebooted the CME it stayed same..once it reboots all 30 ports got busy with international calls.
calls going to african countries/russian countries( dial codes belongs to these countries).
When I changed the international dial peer on the CME they stopped.
But catch here is they have received more than 100 k USD bill from TELCO.  DEAD DEAD Bang Bang.
What are the chances of toll Fraud or any other way of hacking ?
OR could it be TELCO side issue?
Cuz I see mostly calls are being generated by single DID number ??

Aali



-----------------------------------------
Disclaimer:

This e-mail communication and any attachments may contain
confidential and privileged information and is for use by the
designated addressee(s) named above only.  If you are not the
intended addressee, you are hereby notified that you have received
this communication in error and that any use or reproduction of
this email or its contents is strictly prohibited and may be
unlawful.  If you have received this communication in error, please
notify us immediately by replying to this message and deleting it
from your computer. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20110115/ae53a7b6/attachment.html>

More information about the cisco-voip mailing list