[VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed

Brad Anouar Brad at broadcore.com
Fri Nov 1 12:54:20 EDT 2013


Hi Matt,

Assuming that the accounts associated with the POTS lines are registering users, have you already considered the fact that the attack could've originated somewhere other than the edgemark?
Have you checked the auth/pass for the users associated with the POTS lines? Is international calling enabled for these users? Do they have a voice portal?

Brad Anouar

Sent from my Verizon Wireless 4G LTE Smartphone


----- Reply message -----
From: "Matt Yaklin" <myaklin at g4.net>
To: "voiceops at voiceops.org" <voiceops at voiceops.org>
Subject: [VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed
Date: Fri, Nov 1, 2013 9:31 AM




Hi all,

I had some toll fraud to Grenada last night which we stopped as soon
as we became aware of it. Example numbers being dialed were:

1-473-405-0085
1-473-405-0084
1-473-405-0088

Normally I can track down how it happened to figure out who was at fault.
But this time I am having a hard time.

The customer has two types of service from us. Yealink phones connected
to our Broadsoft system with an Edgemarc 200EW installed at the customer
premise. They also have some POTS line with us for faxing. One of those
POTS lines is connected to the Edgemarc 200EW via the built in FXO port
for "Survivability". Meaning if the WAN ethernet port on the Edgemarc has
a failure they can at least have one line to dial out on in case of an
emergency. That is about the only time it would ever be used except for
faxing.

The toll fraud CPN just happens to be that POTS line connected to the
Edgemarc. That POTS line is also connected to a very basic fax machine.

In the Edgemarc for that FXO port two stage dialing is disabled in
both directions. We had incoming calls on the FXO line being forward to a
Yealink phone but that would never function properly due to the customer
having a fax line picking up first. Just leftover config during the
install where we made an assumption the customer might want it.

The Yealink phones are behind the Edgemarc (NAT) and not reachable via the
internet. The Edgemarc is using radius for user auth and has strong
passwords set. I cannot find any config in Broadsoft where a user
had call forwarding setup or whatever that would cause this. I cannot find
any settings in the Edgemarc that would allow this to take place. As in
a config mistake.

The Edgemarc is running code Version 11.6.19.
The Yealink phones are also up2date with the newest code from the vendor's
website.

I do not think this fraud was done on site via physical means. It is
a school and I just cannot picture a student or faculty having a need
to call Grenada.

The Edgemarc does have port 5060 open to the world but it is just a ?proxy?
I was under the impression that one cannot brute force an account on a
proxy device that has no config as such like an asterisk box would. You
would be basically brute forcing against Broadsoft in that case?

Either way I am still digging into things but I thought by sending this
email someone might have some advice to clue me into something I am
missing when it comes to Edgemarc and FXO security.

Thanks,

matt at g4.net


_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops



More information about the VoiceOps mailing list