[VoiceOps] A question about some international calling fraud to Eritrea

Matt Yaklin myaklin at g4.net
Mon Apr 19 14:04:10 EDT 2010


Here is an update for all on this problem.

It was the customer, and the person in charge stated this:

"We were able to locate some of the calls on the 5ESS SMDR feed.  There
was a problem with the feed dropping the country code. The calls did
flow through the Concord 5ESS."

Thank you for all the comments. I have to admit in this situation
the customer was the likely problem but it was a fun mental exercise
to see if I/we could come up with a reasonable idea of how it could be
done without them being the cause.

matt at g4.net


On Mon, 19 Apr 2010, Dawson, Robert wrote:

> 
> >>>>I seem to recall a method of manipulating a call like this by having a number on the originating switch forward its
> incoming calls to another number that can deliver a dial tone and pass the calls through that way.   something like
> that.....
> 
> DISA or voice portal dialing compromise possibly but you should still see the call origination.
> 
> From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of cololiberty at comcast.net
> Sent: Friday, April 16, 2010 10:18 PM
> To: voiceops at voiceops.org
> Subject: Re: [VoiceOps] A question about some international calling fraud to Eritrea
> 
> 
> Most carriers should have call analyzing software that they use for finding calls.
> 
> Empirix Hammer, Agilent, etc.
> 
> We use them for putting together situations like these.
> 
> I seem to recall a method of manipulating a call like this by having a number on the originating switch forward its
> incoming calls to another number that can deliver a dial tone and pass the calls through that way.   something like
> that.....
> 
> do you have a calling pattern that you are able to share?  I might be interested to scan it past my switches to see if
> anything is going on as well.
> 
> 
> >> Any suggestions what I should be asking the long distance carrier who
> >> warned us about this?
> 
> I would be asking for any call details they may be able to give you, call times etc.  they may or may not share, it may
> be proprietary for them.
> 
> 
> thanks,
> 
> joel
> 
> 
> 
> ----- Original Message -----
> From: "Matt Yaklin" <myaklin at g4.net>
> To: "Paul Timmins" <paul at timmins.net>
> Cc: VoiceOps at voiceops.org
> Sent: Friday, April 16, 2010 5:50:29 PM GMT -07:00 US/Canada Mountain
> Subject: Re: [VoiceOps] A question about some international calling fraud to Eritrea
> 
> 
> 
> On Fri, 16 Apr 2010, Paul Timmins wrote:
> 
> > Can Fairpoint take the originating trunk group information and date from the
> > LD carrier and correlate them in their CABS records to determine the
> > originating trunk group / line?
> >
> 
> That is exactly what we plan to do as the next step. We are asking our
> long distance carrier for more information. As in the raw CDRs and a
> bit of assistance from them on what value the trunk number matches up
> to their circuits from Fairpoint, etc...
> 
> I am not sure if any of you have worked with Fairpoint since they bought
> out some of Verizon but it is not very much fun to say the least. An ILEC
> is a beast to begin with but then add in a buy out that did not go very
> smoothly... sigh.
> 
> Thanks Paul for the advice.
> 
> matt at G4.net
> 
> 
> > -Paul
> >
> >
> > Matt Yaklin wrote:
> >>
> >> Hey all,
> >>
> >> I will try to explain this the best I can.
> >>
> >> We got a call from one of our long distance carriers today telling us
> >> that we had a spike of long distance international calls going through
> >> their switch. These calls were to Africa and the country name is Eritrea.
> >>
> >> The originating number is a customer of ours. The trick is that this
> >> customer uses resold ILEC POTS lines that have their long distance calls
> >> PIC'd to the carrier who called to warn us about the spike of odd call
> >> traffic.
> >>
> >> This customer of ours happens to be a large agency in NH who has the
> >> ability to look at CDRs directly from the 5ESS in Concord, NH. A rather
> >> special situation to say the least.
> >>
> >> They can state, with quite a bit of assurance, that these calls were not
> >> generated from their PBX/network as they cannot see any records for them.
> >>
> >> Also, as I checked earlier, these calls did not go through any of my
> >> switches/asterisk servers.
> >>
> >> So the customer and I are left wondering how these calls managed to get
> >> to this long distance carrier who warned us about the spike. The calls
> >> came into this long distance carrier from the Manchester, NH Fairpoint
> >> tandem.
> >>
> >> Naturally we will try to contact Fairpoint for assistance but I am not
> >> very hopeful at this point they will be much help.
> >>
> >> The long distance carrier who warned us tends to think that the calls
> >> were generated by our customer who has something SIP/PBX insecure but when
> >> the customer has a link to look at CDR records right from the 5ESS he
> >> is rather sure that is not the case.
> >>
> >> I am trying to figure out creative ways this fraud can be happening if
> >> the customer is not at fault. One way is for a person who owns/operates
> >> a full blown switch to generate this type of fraud but it does seem
> >> unlikely.
> >>
> >> Any suggestions what I should be asking the long distance carrier who
> >> warned us about this?
> >>
> >> Any suggestions on how this type of fraud can be committed without
> >> the customer being the cause?
> >>
> >> Should I be grilling our customer one more time stating that since
> >> the originating number was theirs AND that it was PIC'd to the right
> >> long distance carrier... it is hard to imagine that someone could
> >> duplicate this fraud that easily?
> >>
> >> Thank you for your time. I hope I was clear enough to give you an
> >> idea of what is going on.
> >>
> >> matt at g4.net
> >> _______________________________________________
> >> VoiceOps mailing list
> >> VoiceOps at voiceops.org
> >> https://puck.nether.net/mailman/listinfo/voiceops
> >>
> >
>
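
The thread ends with the calls being found in the SMDR feed once it was known that the feed dropped the country code, after a plan to correlate the carrier's CDRs against local records. The sketch below is an added example, not code from any poster: it reconciles carrier CDRs against SMDR records by ANI and time, and also accepts a match when the SMDR dialed digits lack the country code. The record fields (`ts`, `ani`, `dialed`), the 90-second tolerance and all sample numbers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

INTL_PREFIX = "011"                 # North American international dialing prefix
COUNTRY_CODES = ("291",)            # Eritrea
TOLERANCE = timedelta(seconds=90)   # assumed clock skew between the two feeds

def strip_prefix(dialed):
    """Dialed digits with the international prefix removed, if present."""
    return dialed[len(INTL_PREFIX):] if dialed.startswith(INTL_PREFIX) else dialed

def same_destination(carrier_dialed, smdr_dialed):
    """'exact', 'cc_dropped' (SMDR lacks the country code) or None."""
    c, s = strip_prefix(carrier_dialed), strip_prefix(smdr_dialed)
    if c == s:
        return "exact"
    if any(c.startswith(cc) and c[len(cc):] == s for cc in COUNTRY_CODES):
        return "cc_dropped"
    return None

def reconcile(carrier_cdrs, smdr_records):
    """Pair each carrier CDR with at most one SMDR record; label the result."""
    unused, out = list(smdr_records), []
    for cdr in carrier_cdrs:
        label = "unmatched"
        for rec in unused:
            if rec["ani"] != cdr["ani"] or abs(rec["ts"] - cdr["ts"]) > TOLERANCE:
                continue
            kind = same_destination(cdr["dialed"], rec["dialed"])
            if kind:
                unused.remove(rec)   # safe: we leave the loop immediately
                label = kind
                break
        out.append((cdr["dialed"], label))
    return out

# Constructed sample data (fictional numbers), not records from the thread.
def T(hms):
    return datetime.strptime("2010-04-16 " + hms, "%Y-%m-%d %H:%M:%S")

ANI = "6035550100"
CARRIER = [{"ts": T("02:14:05"), "ani": ANI, "dialed": "0112911555010"},
           {"ts": T("02:20:00"), "ani": ANI, "dialed": "0112911555011"},
           {"ts": T("03:00:00"), "ani": ANI, "dialed": "0112911555012"}]
SMDR = [{"ts": T("02:14:20"), "ani": ANI, "dialed": "0111555010"},   # prefix kept, CC lost
        {"ts": T("02:15:00"), "ani": ANI, "dialed": "6035550123"},   # unrelated local call
        {"ts": T("02:20:30"), "ani": ANI, "dialed": "1555011"}]      # prefix and CC lost

if __name__ == "__main__":
    for dialed, label in reconcile(CARRIER, SMDR):
        print(dialed, label)
```

An exact-match search of the SMDR data for the carrier's dialed digits would report all three calls as absent; the `cc_dropped` label separates records the feed mangled from calls that have no local origination record.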

