[VoiceOps] [VOIPSEC] Phone fraud doubles

J. Oquendo sil at infiltrated.net
Thu Nov 21 16:15:30 EST 2013 

On Thu, 21 Nov 2013, Vijay Balasubramaniyan wrote:

> The report is split into 2 sections:
> A) What we are seeing at call centers
> B) What individual consumers are seeing.
> 
> The 2.4 million comments are with respect to B) not A). So this is not with
> respect to a call center. At FI call centers we are seeing 1 in 2500 calls
> being an attempt to take over an account (ATO). So if you get 1 million
> calls a month you are likely to see 400 attempts at ATO. Our last report
> was purely consumer focussed and in this report we are showing what we
> believe are both sides of the coin. Please let me know if this clarifies
> your concerns and appreciate your feedback. Let me know if you have any
> follow up questions.
> 
> This is also a great way to finally send a mail on this group which I have
> been following for all the information it provides.
> 

So it is just as I expected. I will give you an example.
We have all seen/read/experience 'ye phantom call' that
Sandro Gauci clarified last week. I have a client with a
couple of trunks, Audiocodes gateway thing-a-ma-bob. She
calls us up telling us she is receiving hundreds of calls
a day.

With this data, how accurate would it be if I averaged her
calls, multiplied the number ghost calls, then reported:
"Man, I am seeing 10,000,000 fraud attempts per month!" The
realities behind those numebrs aren't real. They're scaled
sideways. I do this (scaling sideways) when I want new
equipment all the time.

Me: "Man, the amount of attacks has quadrupled. Take a look
at my Splunk parsing. Call leg in, call leg out that's 2
calls! (when its really 1). We need the latest and gr8est
in Juniperism Equipment otherwise we are doomed!"

Manager: "Wow we are getting attacked aren't we!"

Scans - I don't count as attacks
Enumeration - I don't count that either

I could an actual compromise as an attack. We have had
those on PBXs we provided trunks for. This is because
the clients don't learn no matter what we tell them. "Stop
using 12345 as a password k thanx!"

This is not a post to take away from your data, but the
reality is, from my perspective, if you said 2.5 million,
I'm willing to bet a years worth of lunch, the actual number
is in the tens of thousands *IF* even that much. Even our
upstreams (VZ, Level3, MiniLevel3 (GBLX), Tandem, etc.) have
gotten a little smart on alerting for fraud. (Its after the
fact, but its nice to know they saw it tenteen hours late).

My colleagues and I stopped counting managed PBXs, trunks, 
etc because it reached too many to keep track of. We do
however, run all through SBCs with using Transnexus which
is great, but at the same time, we have learned the ropes
and created our own Frankenstein alerting system. ATTACK
wise (meaning compromise) these have dwindled into perhaps
the teens, and even then, Transnexus allows us to further
minimize the $ damage. 

Mind you, I could easily say: "Im getting scanned! (attack)"
"I'm being brute forced! (attack)" and throw this number
into the tens of millions easily. This doesn't even include
clients softphones, Snoms, Polys, etc., that receive ghost
calls. "I'm getting spammed, ghost calls." Heck I wouldn't
even know where to place the figure. Tens of millions?

So define ATO. Is this a scan, someone bruteforcing. What
is an ATO. I define an attack as a compromise when it comes
to VoIP. Lord knows there aren't enough days in the year
to count scans, sipvicious, other nonsense. Not to forget
about the honeypots I have lurking.

400 "attempts" is literally peanuts (.25%)

sourcetype 	Count 		Last Update
CDR-6		5,716,520	Thu Nov 21 16:06:42 2013

One SBC, one month. If I dug out how many failed brute
force attempts, scans, etc., I could easily say.. Of the
5,716,520 calls that were put through, based on the amount
of scans, brute forcers, etc., I have seen, there were
100,000,000 attacker. 1,000 people tried scanning 1,000
accounts! See the dilemma?

No harm no foul. Reality? OF the 5,716,520 calls, we had
450 ATTEMPTED fraudulent attempts, of which 90 completed,
of which most were blocked after N attempts (Transnexus).
So bottom line? we had 90 fraudulent calls aka 0.001574%
fraud. Even if I multiplied this 44x (to meet your 400
call criteria), I'd be in the 0.069% range for fraud at
a little over a quarter billion calls. 

I won't even get into what the call center we have is
saying. This is coming from engineering now. People in my
call center will tell me the Internet is blown up simply
because their browser isn't opened. They aren't trained to
see real data. Anyhow ;) Let me stop picking on the list
before someone steps on me!

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

More information about the VoiceOps mailing list