[VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed

David Thompson dthompson at esi-estech.com
Fri Nov 1 13:47:58 EDT 2013


How many calls are we talking about here?

David Thompson
Network Services Support Technician
(O) 858.357.8794
(F) 858-225-1882
(E) dthompson at esi-estech.com
(W) www.esi-estech.com

-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Matt Yaklin
Sent: Friday, November 01, 2013 10:20 AM
To: Brad Anouar
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed


Hi Brad,

On Fri, 1 Nov 2013, Brad Anouar wrote:

> Hi Matt,
>
> Assuming that the accounts associated with the POTS lines are
> registering users, have you already considered the fact that the
> attack could've originated somewhere other than the Edgemarc?
> Have you checked the auth/pass for the users associated with the POTS
> lines?

If I understood you correctly I think this will answer your question. The
POTS line is not SIP at all. It is a POTS line provided out of our legacy
Coppercom voice switch. It travels via GR303 to a central office and from
there to the customer premise via Pairgain SHDSL gear. That gear muxes up
to 6 POTS lines down a single copper pair to the customer premise. A
little CPE unmuxes them.

My CDR records on my border T7000 switch clearly show the call coming from
the Coppercom switch via SS7 trunks and then going out to Level3.

All of this is TDM based POTS lines. No SIP at all when discussing the
POTS line.

So based on that the call had to be generated at the customer premise in
some fashion. The Edgemarc is the most likely culprit unless physical
access was used to make the calls.


> Is international calling enabled for these users?

It was on the Broadsoft system. It is not anymore. Any call the Broadsoft
group generates goes out as their main number unless they call 911. The
main number is not the POTS line number. Plus I would have seen any
Broadsoft generated call come in a different path to our border switch.

It was allowed via the dialing rules on the Edgemarc. I have not modified
that yet to only allow certain calls. Grenada, sadly, is part of the North
American Dialing Plan. No 011 needed in front of the number. Just a
1+xxx-xxx-xxxx. Modifying the dialing plan on the Edgemarc may be painful
unless I just allow New Hampshire's area code to start, 911, and 7 digit
dialing.



> Do they have a voice portal?

Yes they do. It is on Broadsoft. But once again any Broadsoft call would
come into my border switch via a different path. I would know if it came
from that system.


matt at g4.net

>
> Brad Anouar
>
> Sent from my Verizon Wireless 4G LTE Smartphone
>
>
> ----- Reply message -----
> From: "Matt Yaklin" <myaklin at g4.net>
> To: "voiceops at voiceops.org" <voiceops at voiceops.org>
> Subject: [VoiceOps] looking for advice on international fraud that
> took place via an Edgemarc 200EW with FXO line installed
> Date: Fri, Nov 1, 2013 9:31 AM
>
> Hi all,
>
> I had some toll fraud to Grenada last night which we stopped as soon
> as we became aware of it. Example numbers being dialed were:
>
> 1-473-405-0085
> 1-473-405-0084
> 1-473-405-0088
>
> Normally I can track down how it happened to figure out who was at
> fault. But this time I am having a hard time.
>
> The customer has two types of service from us. Yealink phones
> connected to our Broadsoft system with an Edgemarc 200EW installed at
> the customer premise. They also have some POTS lines with us for
> faxing. One of those POTS lines is connected to the Edgemarc 200EW via
> the built in FXO port for "Survivability". Meaning if the WAN ethernet
> port on the Edgemarc has a failure they can at least have one line to
> dial out on in case of an emergency. That is about the only time it
> would ever be used except for faxing.
>
> The toll fraud CPN just happens to be that POTS line connected to the
> Edgemarc. That POTS line is also connected to a very basic fax machine.
>
> In the Edgemarc for that FXO port two stage dialing is disabled in
> both directions. We had incoming calls on the FXO line being forwarded
> to a Yealink phone but that would never function properly due to the
> customer having a fax line picking up first. Just leftover config
> during the install where we made an assumption the customer might want
> it.
>
> The Yealink phones are behind the Edgemarc (NAT) and not reachable via
> the internet. The Edgemarc is using radius for user auth and has
> strong passwords set. I cannot find any config in Broadsoft where a
> user had call forwarding setup or whatever that would cause this. I
> cannot find any settings in the Edgemarc that would allow this to take
> place. As in a config mistake.
>
> The Edgemarc is running code Version 11.6.19.
> The Yealink phones are also up to date with the newest code from the
> vendor's website.
>
> I do not think this fraud was done on site via physical means. It is a
> school and I just cannot picture a student or faculty having a need to
> call Grenada.
>
> The Edgemarc does have port 5060 open to the world but it is just a
> "proxy".
> I was under the impression that one cannot brute force an account on a
> proxy device that has no config as such like an asterisk box would.
> You would be basically brute forcing against Broadsoft in that case?
>
> Either way I am still digging into things but I thought by sending
> this email someone might have some advice to clue me into something I
> am missing when it comes to Edgemarc and FXO security.
>
> Thanks,
>
> matt at g4.net
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
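An allowlist dial-plan check of the kind Matt sketches for the Edgemarc (permit 911, 7-digit local dialing and 1+New Hampshire's area code, deny everything else, which also catches NANP destinations such as Grenada's 1-473 that need no 011), run over a few constructed CDR lines for the fax line's CPN. This is an added example, not code from the thread or from the Edgemarc; it assumes New Hampshire's area code is 603 and uses made-up numbers for the CPN and the CDR records.

```python
import re
# Allowlist dial plan modelled on the thread's approach: permit 911, 7-digit
# local dialing and 1+New Hampshire's area code; deny everything else, which
# covers NANP destinations like Grenada (1-473) that need no 011 prefix.
LOCAL_AREA_CODES = {"603"}  # assumption: NH's only area code (not on the page)

EMERGENCY = re.compile(r"^911$")
SEVEN_DIGIT = re.compile(r"^[2-9]\d{6}$")               # NXX-XXXX local
NANP_11 = re.compile(r"^1([2-9]\d{2})(\d{3})(\d{4})$")  # 1+NPA-NXX-XXXX

def normalize(dialed: str) -> str:
    # Strip separators so "1-473-405-0085" and "14734050085" compare equal.
    return re.sub(r"[\s\-().]", "", dialed)

def dial_plan_decision(dialed: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a dialed string under the allowlist plan."""
    digits = normalize(dialed)
    if EMERGENCY.match(digits):
        return True, "emergency"
    if SEVEN_DIGIT.match(digits):
        return True, "local 7-digit"
    m = NANP_11.match(digits)
    if m:
        npa = m.group(1)
        if npa in LOCAL_AREA_CODES:
            return True, f"in-state 1+{npa}"
        return False, f"NANP area code {npa} not on allowlist"
    # Default deny: 011 international and anything else not matched above.
    return False, "unrecognized pattern"

# Constructed CDR lines (time,calling,dialed,direction); the calling number is
# a made-up placeholder for the fax POTS line's CPN, not a real record.
FAX_POTS_CPN = "16035550100"
SAMPLE_CDRS = """\
2013-10-31 14:02:11,16035550100,16035551234,out
2013-10-31 23:41:07,16035550100,14734050085,out
2013-10-31 23:41:52,16035550100,14734050084,out
2013-10-31 23:43:19,16035550100,14734050088,out
2013-11-01 08:15:33,16035550100,911,out
"""
def flag_cdrs(cdr_text: str, cpn: str) -> list[tuple[str, str, str]]:
    """Outbound calls from the given CPN that the allowlist plan would deny."""
    flagged = []
    for line in cdr_text.splitlines():
        ts, calling, dialed, direction = line.split(",")
        if direction == "out" and calling == cpn:
            allowed, reason = dial_plan_decision(dialed)
            if not allowed:
                flagged.append((ts, dialed, reason))
    return flagged
```

Running the same check over the border switch's CDRs, keyed on the POTS line's CPN, would have surfaced the 1-473 calls the moment they started rather than after the fact.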