[VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed
Matt Yaklin
myaklin at g4.net
Fri Nov 1 15:04:13 EDT 2013
Approx 60-70 calls.
matt at g4.net
On Fri, 1 Nov 2013, David Thompson wrote:
> How many calls are we talking about here?
>
> David Thompson
> Network Services Support Technician
> (O) 858.357.8794
> (F) 858-225-1882
> (E) dthompson at esi-estech.com
> (W) www.esi-estech.com
>
> -----Original Message-----
> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Matt
> Yaklin
> Sent: Friday, November 01, 2013 10:20 AM
> To: Brad Anouar
> Cc: voiceops at voiceops.org
> Subject: Re: [VoiceOps] looking for advice on international fraud that
> took place via an Edgemarc 200EW with FXO line installed
>
>
> Hi Brad,
>
> On Fri, 1 Nov 2013, Brad Anouar wrote:
>
>> Hi Matt,
>>
>> Assuming that the accounts associated with the POTS lines are
>> registering users, have you already considered the fact that the
>> attack could've originated somewhere other than the Edgemarc?
>> Have you checked the auth/pass for the users associated with the POTS
>> lines?
>
> If I understood you correctly I think this will answer your question. The
> POTS line is not SIP at all. It is a POTS line provided out of our legacy
> Coppercom voice switch. It travels via GR303 to a central office and from
> there to the customer premise via Pairgain SHDSL gear. That gear muxes up
> to 6 POTS lines down a single copper pair to the customer premise. A
> little CPE unmuxes them.
>
> My CDR records on my border T7000 switch clearly show the call coming from
> the Coppercom switch via SS7 trunks and then going out to Level3.
>
> All of this is TDM based POTS lines. No SIP at all when discussing the
> POTS line.
>
> So based on that the call had to be generated at the customer premise in
> some fashion. The Edgemarc is the most likely culprit unless physical
> access was used to make the calls.
>
>
>> Is international calling enabled for these users?
>
> It was on the Broadsoft system. It is not anymore. Any call the Broadsoft
> group generates goes out as their main number unless they call 911. The
> main number is not the POTS line number. Plus I would have seen any
> Broadsoft generated call come in a different path to our border switch.
>
> It was allowed via the dialing rules on the Edgemarc. I have not modified
> that yet to only allow certain calls. Grenada, sadly, is part of the North
> American Dialing Plan. No 011 needed in front of the number. Just a
> 1+xxx-xxx-xxxx. Modifying the dialing plan on the Edgemarc may be painful
> unless I just allow New Hampshire's area code to start, 911, and 7 digit
> dialing.
>
>
>
>> Do they have a voice portal?
>
> Yes they do. It is on Broadsoft. But once again any Broadsoft call would
> come into my border switch via a different path. I would know if it came
> from that system.
>
>
> matt at g4.net
>
>>
>> Brad Anouar
>>
>> Sent from my Verizon Wireless 4G LTE Smartphone
>>
>>
>> ----- Reply message -----
>> From: "Matt Yaklin" <myaklin at g4.net>
>> To: "voiceops at voiceops.org" <voiceops at voiceops.org>
>> Subject: [VoiceOps] looking for advice on international fraud that
>> took place via an Edgemarc 200EW with FXO line installed
>> Date: Fri, Nov 1, 2013 9:31 AM
>>
>>
>>
>>
>> Hi all,
>>
>> I had some toll fraud to Grenada last night which we stopped as soon
>> as we became aware of it. Example numbers being dialed were:
>>
>> 1-473-405-0085
>> 1-473-405-0084
>> 1-473-405-0088
>>
>> Normally I can track down how it happened to figure out who was at
>> fault. But this time I am having a hard time.
>>
>> The customer has two types of service from us. Yealink phones
>> connected to our Broadsoft system with an Edgemarc 200EW installed at
>> the customer premise. They also have some POTS line with us for
>> faxing. One of those POTS lines is connected to the Edgemarc 200EW via
>> the built in FXO port for "Survivability". Meaning if the WAN ethernet
>> port on the Edgemarc has a failure they can at least have one line to
>> dial out on in case of an emergency. That is about the only time it
>> would ever be used except for faxing.
>>
>> The toll fraud CPN just happens to be that POTS line connected to the
>> Edgemarc. That POTS line is also connected to a very basic fax machine.
>>
>> In the Edgemarc for that FXO port two stage dialing is disabled in
>> both directions. We had incoming calls on the FXO line being forwarded
>> to a Yealink phone but that would never function properly due to the
>> customer having a fax line picking up first. Just leftover config
>> during the install where we made an assumption the customer might want
>> it.
>>
>> The Yealink phones are behind the Edgemarc (NAT) and not reachable via
>> the internet. The Edgemarc is using radius for user auth and has
>> strong passwords set. I cannot find any config in Broadsoft where a
>> user had call forwarding setup or whatever that would cause this. I
>> cannot find any settings in the Edgemarc that would allow this to take
>> place. As in a config mistake.
>>
>> The Edgemarc is running code Version 11.6.19.
>> The Yealink phones are also up to date with the newest code from the
>> vendor's website.
>>
>> I do not think this fraud was done on site via physical means. It is a
>> school and I just cannot picture a student or faculty having a need to
>> call Grenada.
>>
>> The Edgemarc does have port 5060 open to the world but it is just a
>> ?proxy?
>> I was under the impression that one cannot brute force an account on a
>> proxy device that has no config as such like an asterisk box would.
>> You would be basically brute forcing against Broadsoft in that case?
>>
>> Either way I am still digging into things but I thought by sending
>> this email someone might have some advice to clue me into something I
>> am missing when it comes to Edgemarc and FXO security.
>>
>> Thanks,
>>
>> matt at g4.net
>>
>>
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>>
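The thread's practical point is that "block 011" is not the same as "block international": Grenada (1-473) is inside the NANP, so an FXO dial plan that only stops 011 lets those calls through. The script below is an added example, not code from the thread or from the Edgemarc; it checks dialed digits against the allowlist Matt sketches (911, 7-digit local, 1+home area code) and contrasts it with the 011-only rule. It assumes 603 as the New Hampshire home area code, a small hand-picked set of NANP Caribbean area codes beyond the 473 named in the thread, and constructed CDR lines (not real records).

```python
"""Dial-plan allowlist vs. 011-only blocking for an FXO survivability line.

Added example; not from the VoiceOps thread or from Edgewater/Edgemarc.
Assumptions: home NPA 603, an illustrative NANP international list,
and constructed CDR lines.
"""
from __future__ import annotations
import re

# Destinations dialled in the incident, as listed in the original post.
INCIDENT_NUMBERS = ["1-473-405-0085", "1-473-405-0084", "1-473-405-0088"]

# Assumption: the customer's home area code (New Hampshire uses 603).
HOME_NPA = "603"

# NANP area codes that are non-US/Canada destinations. Only 473 (Grenada)
# appears in the thread; the rest are well-known Caribbean NPAs added here
# to show the general case. Load the full list from NANPA in production.
NANP_INTERNATIONAL = {
    "473": "Grenada",
    "876": "Jamaica",
    "809": "Dominican Republic",
    "868": "Trinidad and Tobago",
    "246": "Barbados",
}

# Constructed CDR lines (timestamp,calling number,dialled digits); not real data.
SAMPLE_CDR = """\
2013-11-01 02:14:07,6035550142,14734050085
2013-11-01 02:14:31,6035550142,14734050084
2013-11-01 02:15:02,6035550142,14734050088
2013-11-01 09:03:55,6035550142,6035550199
2013-11-01 09:10:12,6035550142,911
2013-11-01 09:22:40,6035550142,011441632960000
"""


def normalize(dialed: str) -> str:
    """Strip separators; turn a leading '+' into the digits it implies."""
    s = re.sub(r"[^\d+]", "", dialed)
    leading_plus = s.startswith("+")
    s = s.replace("+", "")
    # +1 NXX... is NANP and keeps its leading 1; anything else is overseas,
    # so give it the 011 prefix that the rules below understand.
    if leading_plus and not s.startswith("1"):
        s = "011" + s
    return s


def naive_rule_allows(dialed: str) -> bool:
    """The rule that let the Grenada calls through: deny only 011 dialling."""
    return not normalize(dialed).startswith("011")


def allowlist_rule(dialed: str) -> tuple[bool, str]:
    """Allow 911, 7-digit local, and 1+HOME_NPA / HOME_NPA 10-digit; deny the rest."""
    d = normalize(dialed)
    if d == "911":
        return True, "emergency"
    if d.startswith("011"):
        return False, "international (011)"
    if len(d) == 7:
        return True, "local 7-digit"
    if len(d) == 11 and d[0] == "1":
        npa = d[1:4]
    elif len(d) == 10:
        npa = d[:3]
    else:
        return False, "unrecognized length"
    if npa in NANP_INTERNATIONAL:
        return False, f"NANP international: {NANP_INTERNATIONAL[npa]}"
    if npa == HOME_NPA:
        return True, "home area code"
    return False, "outside allowlist"


def audit_cdr(cdr_text: str) -> list[dict]:
    """Return calls the 011-only rule passed but the allowlist would deny."""
    escaped = []
    for line in cdr_text.strip().splitlines():
        ts, cpn, dialed = line.split(",")
        allowed, why = allowlist_rule(dialed)
        if naive_rule_allows(dialed) and not allowed:
            escaped.append({"when": ts, "cpn": cpn, "dialed": dialed, "reason": why})
    return escaped


if __name__ == "__main__":
    for n in INCIDENT_NUMBERS:
        print(n, "011-only:", naive_rule_allows(n), "allowlist:", allowlist_rule(n))
    for hit in audit_cdr(SAMPLE_CDR):
        print("would have been blocked:", hit)
```

Run the audit over real CDR exports from the border switch to see which past calls a tightened FXO dial plan would have stopped; the allowlist deliberately denies everything it does not recognise, which is the right default for a line that exists only for fax and 911 survivability.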