[cisco-voip] E1 call Fraud + h.323 Gw

Jawad A Hai ahjawad at hotmail.com
Sat Jan 15 23:50:42 EST 2011 

Hello Jason,

The CME has intenret accessibility, but with Natted IP.
Its behind firewall, 
I think we were hacked by those pay phone gangs,
they have some how scanned the system for the CLID manipulation, once they found the matching four digit DID, they have started sending calls using that DID.
I traced the calls, they were going to "dial to win " hold your call as long as to win prizes, blah blah.
I don't have any call pattern.
But what amazes with the sophistication of those gangs, it was done deliberately during weekend.
I see SIP call legs in call logs, I don't have SIP configured in the CME, but I don't have in " h.323 to sip and sip to h.323 " conversion in voice service voip.

Still not sure how was it done, with CLID manipulation.
Please share any ideas.



From: Jason Aarons (US) 
Sent: Sunday, January 16, 2011 6:35 AM
To: Jawad A Hai ; cisco-voip at puck.nether.net 
Subject: RE: [cisco-voip] E1 call Fraud + h.323 Gw


Hopefully the CME doesn't have any Internet accessability? It's behind a firewall right?

 

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jawad A Hai
Sent: Saturday, January 15, 2011 1:21 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] E1 call Fraud + h.323 Gw

 

Hello Group,

 

Recently I faced a problem with one of my client, who has got E1r2, DID/DOD.

He has Cisco CME and Cisco Voice Gateway.

Suddenly all 30 ports got busy with international calls. All the calls are being generated by ONE IP Phone which has got local extension 2000.

This extension was translated to DID number, so that any call goes out via this number takes the DID and any call comes on this DID will land on this Phone.

The CME was configured to access via outside with live IP. ie Live IP to Local IP (NAT).

Now the thing here is all the calls which were generated are international calls, we rebooted the gw, we rebooted the CME it stayed same..once it reboots all 30 ports got busy with international calls.

calls going to african countries/russian countries( dial codes belongs to these countries).

When I changed the international dial peer on the CME they stopped.

But catch here is they have received more than 100 k USD bill from TELCO.  DEAD DEAD Bang Bang.

What are the chances of toll Fraud or any other way of hacking ?

OR could it be TELCO side issue?

Cuz I see mostly calls are being generated by single DID number ??

 

Aali

 



--------------------------------------------------------------------------------


Disclaimer: This e-mail communication and any attachments may contain confidential and privileged information and is for use by the designated addressee(s) named above only. If you are not the intended addressee, you are hereby notified that you have received this communication in error and that any use or reproduction of this email or its contents is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer. Thank you. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20110116/2979ac4c/attachment.html>

More information about the cisco-voip mailing list