[VoiceOps] h.323 breach and toll fraud case

Adam Botbyl adam.botbyl at gmail.com
Tue Feb 8 22:30:03 EST 2011


One of my customers just got hit by the same type of traffic.
The TN's dialed were:

Some other insight on these breaches:

Most sat plans (at least that resellers get) include free direct inbound
and only bill if you use a dial-around (i.e. Iridium 2-stage dialing
etc.)

Either way if the owner of the DN was being billed they would just
scream fraud, thus the reseller would be risking a lot to make a few
quick bucks.

I would think someone between the call path would be the one benefiting
from this scheme, it's a weird one at that.


On Wed, Jan 26, 2011 at 18:20, Carlos Alvarez <carlos at televolve.com> wrote:
> A company we work closely with, but is not our customer, had their Cisco
> Call Manager hacked due to some h.323 vulnerability that I don't have full
> details on yet.  There were a number of calls placed to:
>
> 881835211540
> 881835211556
> 881835211547
>
> My findings indicate these are Globalstar satellite numbers that cost
> somewhere between $4 and $7/minute to call, depending on carrier.  The
> victim's carrier is billing them at $6.50.  The total bill for the event is
> around $13k.  This is a small company that can't really afford this.  I am
> not an interested party in the sense that it wasn't on our network, but it's
> a company we work with a lot and want to help.  I also want to learn from
> this to potentially protect our own network.
>
> Some questions...
>
> 1.  What is the scam here?  The recipient of those calls doesn't gain
> anything, and placing a few calls to three specific satellite phones seems
> to have little purpose.  Many of the calls were concurrent.  It all happened
> in the span of just a few hours.
>
> 2.  Anyone experienced the same thing with those numbers or similar numbers?
>
> 3.  About a year ago I attended an FBI presentation on VoIP fraud and there
> was a VoIP specialist who gave his contact info, but I can't find it.  What
> is the best way for this company to report this crime?
>
> --
> Carlos Alvarez
> TelEvolve
> 602-889-3003
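
The pattern reported in this thread (several concurrent calls to 881-prefixed satellite numbers within a few hours) can be looked for in call detail records. The following is an added example, not part of either post: the CDR layout, account names, sample numbers and concurrency threshold are constructed assumptions, and the $6.50 rate is the one quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SAT_PREFIX = "881"    # prefix shared by the numbers quoted in this thread
RATE_PER_MIN = 6.50   # per-minute rate the victim's carrier billed, per the thread

# Constructed CDRs: (account, dialed number, start time, duration in seconds)
SAMPLE_CDRS = [
    ("pbx-a", "+881800000001", "2011-01-25 01:00:00", 1800),
    ("pbx-a", "881800000002", "2011-01-25 01:05:00", 1800),
    ("pbx-a", "011881800000003", "2011-01-25 01:10:00", 1200),
    ("pbx-a", "+16025550100", "2011-01-25 09:00:00", 300),
    ("pbx-b", "+881900000001", "2011-01-25 03:00:00", 60),
    ("pbx-b", "+16025550101", "2011-01-25 03:00:30", 600),
]

def normalize(number):
    """Keep digits only and drop a leading 011/00 international dialing prefix."""
    digits = "".join(c for c in number if c.isdigit())
    for idd in ("011", "00"):
        if digits.startswith(idd):
            return digits[len(idd):]
    return digits

def satellite_report(cdrs, max_concurrent=1):
    """Per account: peak concurrent 881 calls, minutes, estimated cost, alert flag."""
    events, seconds = defaultdict(list), defaultdict(int)
    for account, dialed, start, duration in cdrs:
        if not normalize(dialed).startswith(SAT_PREFIX):
            continue
        t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        events[account] += [(t0, 1), (t0 + timedelta(seconds=duration), -1)]
        seconds[account] += duration
    report = {}
    for account, evs in events.items():
        live = peak = 0
        for _, delta in sorted(evs):  # at equal timestamps, call ends sort first
            live += delta
            peak = max(peak, live)
        minutes = seconds[account] / 60
        report[account] = {
            "peak_concurrent": peak,
            "minutes": minutes,
            "est_cost": round(minutes * RATE_PER_MIN, 2),  # estimate, no per-call rounding
            "alert": peak > max_concurrent,
        }
    return report

if __name__ == "__main__":
    for account, row in sorted(satellite_report(SAMPLE_CDRS).items()):
        print(account, row)
```
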


