[cisco-voip] Phone Fraud H.323

Erick Bergquist erickbee at gmail.com
Tue Sep 13 12:54:24 EDT 2016


Yep, seen that scenario a few dozen times with Unity.

Restriction tables and lock down CSS on CUCM side if Unity does not
need to make external calls. Use a separate CSS for Unity (don't
re-use the LDCss, etc. on voicemail ports/trunk).

COBRA also doesn't include restriction tables, so those need to be put
back in if you use COBRA to migrate to another server.

I wish they would add an option to class of service to not allow users to
enable alternate transfer method. No good Unity report to see when a
user changed transfer method either.

Erick





On Tue, Sep 13, 2016 at 6:11 AM, David Zhars <dzhars at gmail.com> wrote:
> The main problem, as Ryan pointed out, is more than likely weak voicemail
> passwords.  Hackers are able to dial your main number and get an automated
> greeting; when they press (asterisk) they get the "welcome to voicemail"
> prompt.  From there, it's pretty easy to start inputting extensions
> (especially if any are published on your website) and guessing passwords.
> Once they have that, they can input call forwarding details when someone
> receives a message, and just start calling that extension all the time.  I
> have definitely seen THAT scenario before.
>
> Dave
>
> On Mon, Sep 12, 2016 at 10:39 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>>
>> Oh, we definitely have dial-peers. Both inbound and outbound.
>>
>> I'm concerned because of the earlier comment about not all DIDs being
>> accounted for.
>>
>> I'm pretty sure I have an "inward dial" config on each PRI. But not sure I
>> have a num-exp for each.
>>
>> I'll double check my configs and share.
>>
>> Sent from my iPhone
>>
>> On Sep 12, 2016, at 10:11 PM, Nick Britt <nickolasjbritt at gmail.com> wrote:
>>
>> Do a
>>
>> Sh run all | sec dial-p
>>
>> If you don't have any DP's in the config I would imagine you are OK.
>>
>> On Monday, 12 September 2016, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>>>
>>>
>>> Here's a question:
>>>
>>> We're using PRIs w/ MGCP so I'm assuming we're not affected. However, we
>>> have SRST configured, which I believe uses H323.
>>>
>>> Could this affect us as well?
>>>
>>> Lelio
>>>
>>> Sent from my iPhone
>>>
>>> On Sep 11, 2016, at 8:46 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
>>>
>>> +1 here. By default with (the older?) IOS if someone dialled a number
>>> associated with the line plugged into your router, you'd get dial tone and
>>> from there you could dial any number the dial plan allowed.
>>>
>>>
>>>
>>> Sent from my iPhone
>>>
>>> On Sep 11, 2016, at 11:49 AM, Nick Britt <nickolasjbritt at gmail.com>
>>> wrote:
>>>
>>> Hi David,
>>>
>>> Can I ask which version of IOS you are using?
>>>
>>> Also could you post your incoming dial peer configuration or are you just
>>> using the default DP 0?
>>>
>>> I've experienced a similar issue before (luckily I didn't configure this
>>> particular deployment).
>>>
>>> Before IOS 15 (I believe) direct inward dial was not applied to the
>>> default dial peer. This allows people to call in on an unallocated number
>>> within the DID range and receive a dial tone. (Check it out, quite scary.)
>>>
>>> The resolution was to apply the command direct-inward-dial to all
>>> incoming dial peers.
>>>
>>> I will try and dig out the link from Cisco.
>>>
>>>
>>>
>>> On Sunday, 11 September 2016, David Zhars <dzhars at gmail.com> wrote:
>>>>
>>>> So yesterday I was alerted by our landline company that some of our
>>>> phone numbers that come in POTS on an H323 router were being used for phone
>>>> fraud.  I am wondering how this happens with an H323 router (I am familiar
>>>> with someone hacking Unity and setting up actions to route to Jamaica once
>>>> someone leaves a voicemail or similar).
>>>>
>>>> The odd part is that these numbers are almost NEVER used for calling
>>>> out, unless the user presses a 7 for an outbound line (versus an 8 which
>>>> puts the call out on ISDN).
>>>>
>>>> I found a link on how to disable OffNet calling in UCM, but should I
>>>> instead look at securing the H323 router?  Or does the call blocking rule
>>>> need to be done in UCM?
>>>>
>>>> Thanks for any enlightenment you can provide.
>>>>
>>>> PS- Client is in USA, call fraud to Jamaica which does not require a
>>>> country code, so harder to block.
>>>
>>>
>>>
>>> --
>>> - Nick
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>
>>
>>
>> --
>> - Nick
>>
>>
>>
>
>
>
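
Added example, not part of the original thread: a Python check for the fix Nick describes, listing the POTS dial peers in a saved gateway config that do not carry direct-inward-dial. The config text is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample of `show running-config | section dial-peer` output.
SAMPLE_CONFIG = """\
dial-peer voice 10 pots
 description inbound PRI
 incoming called-number .
 direct-inward-dial
 port 0/0/0:23
!
dial-peer voice 20 pots
 description second PRI
 incoming called-number .
 port 0/1/0:23
!
dial-peer voice 30 pots
 destination-pattern 9T
 no direct-inward-dial
 port 0/0/0:23
!
dial-peer voice 100 voip
 destination-pattern 5...
 session target ipv4:192.0.2.10
"""

HEADER = re.compile(r"^dial-peer voice (\d+) (pots|voip)\b")

def parse_dial_peers(config):
    """Return {tag: {"type": ..., "lines": [...]}} for each dial-peer block."""
    peers, current = {}, None
    for raw in config.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"type": m.group(2), "lines": []}
            peers[int(m.group(1))] = current
        elif raw.startswith(" ") and current is not None:
            current["lines"].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return peers

def pots_peers_missing_did(config):
    """Tags of POTS dial peers that lack an explicit direct-inward-dial."""
    # Exact line match, so "no direct-inward-dial" counts as missing.
    return sorted(
        tag for tag, peer in parse_dial_peers(config).items()
        if peer["type"] == "pots" and "direct-inward-dial" not in peer["lines"]
    )

if __name__ == "__main__":
    for tag in pots_peers_missing_did(SAMPLE_CONFIG):
        print(f"dial-peer voice {tag} pots: direct-inward-dial not set")
```

The default dial peer 0 never appears in the running config, so this check covers only explicitly configured peers.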

