[VoiceOps] h.323 breach and toll fraud case

J. Oquendo sil at infiltrated.net
Wed Jan 26 19:48:28 EST 2011


On 1/26/2011 6:20 PM, Carlos Alvarez wrote:
> Some questions...
>
> 1.  What is the scam here?  The recipient of those calls doesn't gain anything, and placing a few calls to three specific satellite phones seems to have little purpose.  
> Many of the calls were concurrent.  It all happened in the span of just a few hours.
>
> 2.  Anyone experienced the same thing with those numbers or similar numbers?
>
> 3.  About a year ago I attended an FBI presentation on VoIP fraud and there was a VoIP specialist who gave his contact info, but I can't find it.  What is the best way 
> for this company to report this crime?
>


1) You assume the recipient of those calls gains nothing. The reality is, there is a high likelihood that somewhere along the line there is some form of financial gain; 
otherwise an attacker wouldn't waste time and resources compromising a system to place that call.

2) Yes, similar. Unsure about the numbers; I will check them out tomorrow and get back to you.

3) The best and only way is to contact the FBI. The issue with investigating these types of crimes boils down to the fact that it is difficult to rely on IP as a means of 
identification in tracking down what occurred. Secondly, there is the matter of jurisdiction hurdles in these cases. Think about it for a minute. An attack occurs RIGHT NOW 
from an address, say, in Egypt. You report it; someone comes down, sits with you, collects evidence (time elapsed: AT LEAST 3 days). Investigator sees reason to pursue (AT 
LEAST 2-3 weeks). Investigator seeks a subpoena for records from a provider abroad (AT LEAST 3-4 days). Minimum time elapsed, being VERY VERY conservative: 3 - 5 weeks. 
Investigator delivers the subpoena for records in a not-so-friendly country or rather, a country that is a bit behind the times... Process starts again.

Throughout all of this, let's say the attacker came from, say, Iceland. Investigators there determine the machine was actually compromised from another source in China. 
Hilarity follows and the investigation goes nowhere.

This is a vicious little circle an investigator ANYWHERE is likely to face when dealing with this issue. What I believe *may* help you is the fact that it went to a 
satellite-based number. Many of these numbers tend to be *unique* in the sense of who actually needs these services. *drumroll* Terrorists? I would be willing to bet that 
you may have someone take a close look at this incident because of the satellite factor, and if nothing else, you would still be raising a red alert against the provider. 
I'm sure that if enough queries into a specific company take place, *something* will occur.

Over the past 5 years or so, I've seen approximately 8-10 different compromises, with ONLY one of them going to a satellite-based number. As for getting back to #3, I 
*may* know of someone who could help, so I've forwarded them your post. They may or may not contact you; it all depends on their caseload.

For those on the list who follow this crime, I urge some of you to collaborate by posting the names of the end carriers, the numbers called and any other information, if your company 
allows it. My reasoning for this is simple: it allows those in the investigative field to get data on what numbers are being called, where attackers are coming from, what 
attackers are using, etc. I sincerely believe that at some point in time, someone will surely connect the dots and rein in the thieves. If you have qualms about 
posting that data, feel free to send it to me and I will post it on the VoIP Abuse with no identifiable information about your systems, clients, etc.

See the VABL list for the structure of how data is posted. E.g.:

IP Address of Offender | Violation | Date | checksum of host (incident response/backtracking) | ASN | Netblock | Provider | Country | etc, | Number called

197.195.64.64 | ADN | VABL | 20110123 | e0b1a605610f4d3196be32721050ae0d | 36992 | 197.192.0.0/13 | ETISALAT | EG | - | ETISALAT MISR | 001120111124336

Facts are facts though: if no complaint is made, this will continue, as at no point in time is there any data to correlate ("We've seen a number of these calls from this 
company, let's investigate this company"). The less people complain, the more the attacks will continue, as some of the "shady" providers will continue unpunished, making it 
seem as if EVERYONE is in bed with this type of crap.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
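The pipe-delimited record format quoted above is the only structure the post gives for sharing incident data. The example below is an added illustration, not tooling from the VoiceOps list or the VABL project: it parses rows in that layout, sanity-checks each row (the offender IP must fall inside the stated netblock, the host checksum must be a hex digest, the country must be a two-letter code), and correlates rows by the number called so that the "connect the dots" question (how many unrelated source networks dialled the same destination?) can be answered from a pile of submissions. The column names are this example's own reading of the sample row, since the post's header names ten columns loosely while its sample row carries twelve values; the second and third sample rows are constructed and use documentation address ranges.

```python
"""Parse, sanity-check and correlate VABL-style incident rows (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Set

# ASSUMPTION: positional column names, read off the post's twelve-value sample row.
FIELDS = [
    "ip", "violation", "source_list", "seen_on", "host_checksum", "asn",
    "netblock", "provider", "country", "extra", "provider_long", "number_called",
]

# Constructed sample rows. The first is the layout shown in the post; the other
# two are made up (RFC 5737 documentation ranges, private-use ASNs) and the third
# is deliberately inconsistent so the checks have something to catch.
SAMPLE_LINES = [
    "197.195.64.64 | ADN | VABL | 20110123 | e0b1a605610f4d3196be32721050ae0d | 36992 | 197.192.0.0/13 | ETISALAT | EG | - | ETISALAT MISR | 001120111124336",
    "203.0.113.7 | ADN | VABL | 20110124 | 0123456789abcdef0123456789abcdef | 64496 | 203.0.113.0/24 | EXAMPLE-NET | ZZ | - | EXAMPLE NET | 001120111124336",
    "198.51.100.9 | ADN | VABL | 20110125 | not-a-checksum | 64497 | 192.0.2.0/24 | EXAMPLE-2 | ZZ | - | EXAMPLE TWO | 001120111124336",
]


@dataclass
class VablRecord:
    ip: str
    violation: str
    source_list: str
    seen_on: date
    host_checksum: str
    asn: int
    netblock: str
    provider: str
    country: str
    extra: str
    provider_long: str
    number_called: str


def parse_vabl(line: str) -> VablRecord:
    """Split one pipe-delimited row into a typed record; raises on wrong arity."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    row = dict(zip(FIELDS, parts))
    return VablRecord(
        ip=row["ip"],
        violation=row["violation"],
        source_list=row["source_list"],
        seen_on=datetime.strptime(row["seen_on"], "%Y%m%d").date(),
        host_checksum=row["host_checksum"].lower(),
        asn=int(row["asn"]),
        netblock=row["netblock"],
        provider=row["provider"],
        country=row["country"],
        extra=row["extra"],
        provider_long=row["provider_long"],
        number_called=row["number_called"],
    )


def check_record(rec: VablRecord) -> List[str]:
    """Return a list of consistency problems; an empty list means the row is clean."""
    problems: List[str] = []
    try:
        addr = ipaddress.ip_address(rec.ip)
        net = ipaddress.ip_network(rec.netblock, strict=False)
        if addr not in net:
            problems.append(f"ip {rec.ip} not inside netblock {rec.netblock}")
    except ValueError as exc:
        problems.append(f"bad address or netblock: {exc}")
    # The post's checksum is 32 hex digits (MD5-shaped); SHA-1/SHA-256 shapes are accepted too.
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", rec.host_checksum):
        problems.append("host checksum is not a hex digest")
    if not re.fullmatch(r"[A-Z]{2}", rec.country):
        problems.append("country is not a two-letter code")
    if not re.fullmatch(r"\d{6,20}", rec.number_called):
        problems.append("called number is not all digits")
    return problems


def correlate_by_number(records: List[VablRecord]) -> Dict[str, Set[str]]:
    """Map each called number to the set of 'AS<n> <provider>' origins that dialled it.

    Many unrelated source networks hitting one destination is the kind of pattern
    the post hopes shared submissions will surface."""
    seen: Dict[str, Set[str]] = {}
    for rec in records:
        seen.setdefault(rec.number_called, set()).add(f"AS{rec.asn} {rec.provider}")
    return seen


if __name__ == "__main__":
    recs = [parse_vabl(line) for line in SAMPLE_LINES]
    for rec in recs:
        print(rec.ip, check_record(rec) or "ok")
    for number, origins in correlate_by_number(recs).items():
        print(number, "dialled from", len(origins), "distinct origins:", sorted(origins))
```

Rows that fail `check_record` are worth holding back rather than publishing, since a checksum that is not a digest or an IP outside its own netblock usually means a hand-edited or mis-pasted submission, and the whole value of a shared list is that other operators can trust each row enough to act on it.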


