The internet world is full of fraud threats. The very freedom that the nature of the Internet demands is an invitation to them. Constant technological developments and new possibilities usually leave average users without much defense (defenses exist, but they are increasingly complex). In the VoIP world this is no different.
In this article we will specifically explore the problems of telephone fraud. These problems have been responsible for massive losses, sometimes leading to the bankruptcy or closure of VoIP operators and other companies in this ecosystem.
The fraud is old and has plagued telephone system administrators for years. One of the most used schemes is quite simple, and relies on “organizations” established in places where, in addition to internet freedom, there is little or no legislation that restricts or punishes such actions. A malicious agent (hacker, phreaker, or whatever name is given to this type of criminal) acquires abroad, via the internet, a Premium Rate Number (PRN, e.g. +31X3021212). It is an ordinary international number, legally established in its country of origin, but one that pays its holder 50% of the revenue from the calls it receives. As it is a number abroad, when the call originates in Brazil, the originating operator receives a portion of the fee charged to the “A number” (the number originating the call).
Thus, when the hacker breaks the security of your system and gains access to a VoIP number, he generates one (or numerous) calls to this PRN and ends up generating false traffic. The hacker who purchased the PRN then receives an amount ranging from 10 to 20 euro cents per call, paid to his credit card or PayPal account. However, the call often costs the customer 5 to 10 times more than that. 2.00 Euros may not seem like much, but the hacker doesn't make just one call, or keep the connection open for just a minute. Normally it costs the user a small amount, but the operator holding the “A number” loses a lot in interconnection costs, especially because the user tends to complain.
How it works
With the PRN in hand, the hacker searches the Internet for an exposed telephone exchange, softswitch or IP phone. Most often using an attack called SIP brute force, the hacker obtains the password to access an extension. With that password he starts making thousands of international calls. Fraud can easily reach around 30 to 40 thousand reais per day in international rates. If it persists for 30 days it can reach R$900,000 to R$1,200,000, which can easily bankrupt a small or medium-sized company.
The first and most serious problem is that traditional operators do not have any mechanism to limit their customers' credit. In other words, when you contract a telephone circuit you give the operator a kind of blank check, to be filled in with the entire amount at the end of the month. If this amount is 1 million reais, it will be due, and the dispute will inevitably go to our archaic and slow judicial system. In any case, with the loss of credit and the company's name on Serasa, most companies simply close and reopen under another name. The operator does not receive payment but has to pay for interconnection anyway, generating a cascade effect that can bankrupt more than one company.
How to avoid VOIP fraud?
There are several measures that can be adopted by both companies and telephone operators. I will list the 10 most important measures to avoid fraud in both categories, operators and companies.
Operators:
- Use strong passwords: at least 8 characters, including special characters, for every customer account.
- Use prepaid accounts with credit limits instead of postpaid ones. Remember that you can control security on your side, but not on your client's side.
- Don't enable all international destinations for all accounts. Most customers have little use for international routes, and when they do need them it is usually for a limited set of countries. Enable only what each customer needs.
- Block IPs that appear on blacklists and those that fail authentication more than 5 times on your system. The fail2ban utility is widely used for this.
- Monitor, monitor and monitor. Assign someone to check your CDR every day to make sure there are no strange calls.
Companies:
- Use a Session Border Controller to protect your PBX and limit calls to the operator. You can even set a prepaid limit for calls.
- Use strong passwords: at least 8 characters, including special characters, for every account.
- Enable only the required international destinations and implement two-factor authentication for international calls. Check with your PBX manufacturer how to do this. If your company is small, disable international calling and place such calls via a prepaid VoIP account.
- Take care of the security of your IP PBX: do not expose it to the internet, or be very careful when you do. VPNs can help in this case.
- Block IPs that appear on blacklists and those that fail authentication more than 5 times on your system. The fail2ban utility is widely used for this.
- Monitor, monitor and monitor. Assign someone to check your CDR every day to make sure there are no strange calls.
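The "check your CDR every day" item in both lists, together with the advice to enable only the international destinations a customer actually needs, can be turned into a daily automated check. The script below is an added example, not from the article and not tied to any particular PBX or softswitch: it reads a CDR export in CSV form (the column names start, src, dst and billsec are assumed here) and flags international calls to destinations outside an allow list, international calls placed outside business hours, and extensions whose international minutes in one day exceed a threshold. The sample CDR rows are constructed for the example; the 60-minute daily threshold and the 07:00 to 20:00 business-hours window are assumptions to tune locally.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export (not the article's data). Columns: call start,
# originating extension, number as dialed, billable seconds. The +31 numbers
# stand in for the premium-rate destination described in the article.
SAMPLE_CDR = """\
start,src,dst,billsec
2024-03-01 09:12:03,201,1140001234,95
2024-03-01 11:40:50,202,1140005678,310
2024-03-01 14:05:11,203,00441632960123,120
2024-03-02 02:14:09,201,0031900000001,1790
2024-03-02 02:16:22,201,0031900000001,1800
2024-03-02 02:18:41,201,0031900000002,1800
2024-03-02 02:20:10,201,0031900000002,1750
2024-03-02 02:22:55,201,0031900000003,1800
"""

INTL_PREFIXES = ("00", "+")  # how an international call is dialed in this sample (assumption)
BUSINESS_HOURS = (7, 20)     # hours [start, end) in which international calls are expected (assumption)


def classify(dst, allowed_prefixes):
    """Return 'domestic', 'intl-allowed' or 'intl-blocked' for a dialed number.

    allowed_prefixes holds the country codes (as dialed after the international
    prefix) that this customer legitimately calls, e.g. {"44"}.
    """
    for p in INTL_PREFIXES:
        if dst.startswith(p):
            national = dst[len(p):]
            if any(national.startswith(a) for a in allowed_prefixes):
                return "intl-allowed"
            return "intl-blocked"
    return "domestic"


def audit_cdr(cdr_text, allowed_prefixes, max_intl_minutes_per_day=60):
    """Return a list of findings, one dict per suspicious call or per-day total."""
    findings = []
    intl_minutes = defaultdict(float)  # (extension, date) -> international minutes
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        ext, dst, secs = row["src"], row["dst"], int(row["billsec"])
        kind = classify(dst, allowed_prefixes)
        if kind == "domestic":
            continue
        if kind == "intl-blocked":
            findings.append({"ext": ext, "when": start, "dst": dst,
                             "reason": "international destination not on the allow list"})
        if not BUSINESS_HOURS[0] <= start.hour < BUSINESS_HOURS[1]:
            findings.append({"ext": ext, "when": start, "dst": dst,
                             "reason": "international call outside business hours"})
        intl_minutes[(ext, start.date())] += secs / 60
    # Volume check: a single extension pumping traffic to a PRN stands out by minutes per day.
    for (ext, day), minutes in intl_minutes.items():
        if minutes > max_intl_minutes_per_day:
            findings.append({"ext": ext, "when": day, "dst": None,
                             "reason": f"{minutes:.0f} international minutes in one day"})
    return findings


def suspicious_extensions(findings):
    """Extensions that appear in at least one finding; these are the accounts to lock first."""
    return {f["ext"] for f in findings}


if __name__ == "__main__":
    for f in audit_cdr(SAMPLE_CDR, allowed_prefixes={"44"}):
        print(f["ext"], f["when"], f["dst"], "-", f["reason"])
```

Run against the sample with only the UK (44) allowed, the script reports extension 201 for every one of its night-time calls to the +31 numbers and again for the day total, while 203's short daytime call to an allowed destination passes. Locking the flagged extension and resetting its password is the first action; the findings also give the operator the evidence needed to dispute the traffic early rather than at the end of the month.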
The false security of firewalls
The two cases of defrauded customers we have had in recent years were due to overconfidence in the firewall. Just because your IP PBX is behind a firewall does not mean it is secure. In both cases, the firewall underwent a configuration change that exposed the IP PBX. Hackers try every day; in a single day it is possible to see dozens of scan attempts like the ones below. A small mistake can ruin everything.
Mar 1 02:06:40 SECURITY: SIP Scan Attempt from 173.242.123.12:5062 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 02:21:21 SECURITY: SIP Scan Attempt from 115.168.71.84:5060 [OPTIONS/f=sip:100@192.168.1.9,r=sip:100@xyzw,ua=sundayddr]
Mar 1 03:28:23 SECURITY: SIP Scan Attempt from 199.19.105.20:5094 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 06:35:26 SECURITY: SIP Scan Attempt from 66.226.79.163:5060 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 08:12:30 SECURITY: Attempt to send an invalid request from 85.25.159.16 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=Trixbox]
Mar 1 09:05:49 SECURITY: SIP Scan Attempt from 108.163.159.20:5073 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 09:07:45 SECURITY: SIP Scan Attempt from 217.172.184.56:5241 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 09:40:22 SECURITY: SIP Scan Attempt from 173.242.123.202:5069 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 10:23:16 SECURITY: SIP Scan Attempt from 173.242.123.17:5065 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 11:03:12 SECURITY: SIP Scan Attempt from 46.20.1.77:5068 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 11:56:52 SECURITY: SIP Scan Attempt from 12.208.130.194:5072 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 14:22:33 SECURITY: SIP Scan Attempt from 87.98.184.17:5121 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 14:36:38 SECURITY: SIP Scan Attempt from 178.211.44.76:5065 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 15:15:21 SIP Scan Attempt from 109.230.216.148:5063 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 18:20:29 SECURITY: SIP Scan Attempt from 202.155.233.190:5062 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 19:01:44 SECURITY: SIP Scan Attempt from 113.19.87.71:5064 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 19:59:18 SECURITY: SIP Scan Attempt from 203.220.87.126:5061 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 23:25:24 SECURITY: SIP Scan Attempt from 108.163.156.148:5060 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
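The log excerpt above is the raw material for the "block sources that fail more than 5 times" item in both lists. As an added example, not part of the article, the script below parses lines in that layout (tolerating the missing bracket and the missing SECURITY: prefix that appear in some of them), counts events per source address in a sliding time window and reports which addresses crossed the threshold, together with the user-agents each one announced. The log lines are constructed for the example using RFC 5737 test addresses; the 10-minute window is an assumption. fail2ban applies the same rule in production against the live log and inserts the firewall rule for you; a script like this one is useful for replaying an archived log during an investigation, and the same loop applies to authentication failures once a pattern for that log message is added.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the same layout as the article's log excerpt
# (not the article's own lines; source addresses are RFC 5737 test networks).
SAMPLE_LOG = """\
Mar 1 02:06:40 SECURITY: SIP Scan Attempt from 192.0.2.10:5062 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
Mar 1 02:06:41 SECURITY: SIP Scan Attempt from 192.0.2.10:5063 [OPTIONS/f=sip:101@1.1.1.1,r=sip:101@xyzw,ua=friendly-scanner]
Mar 1 02:06:42 SECURITY: SIP Scan Attempt from 192.0.2.10:5064 [OPTIONS/f=sip:102@1.1.1.1,r=sip:102@xyzw,ua=friendly-scanner]
Mar 1 02:06:43 SECURITY: SIP Scan Attempt from 192.0.2.10:5065 [OPTIONS/f=sip:103@1.1.1.1,r=sip:103@xyzw,ua=friendly-scanner]
Mar 1 02:06:44 SECURITY: SIP Scan Attempt from 192.0.2.10:5066 [OPTIONS/f=sip:104@1.1.1.1,r=sip:104@xyzw,ua=friendly-scanner]
Mar 1 02:06:45 SECURITY: SIP Scan Attempt from 192.0.2.10:5067 [OPTIONS/f=sip:105@1.1.1.1,r=sip:105@xyzw,ua=friendly-scanner]
Mar 1 03:28:23 SECURITY: SIP Scan Attempt from 198.51.100.7:5094 [OPTIONS/f=sip:100@192.168.1.9,r=sip:100@xyzw,ua=sundayddr]
Mar 1 08:12:30 SECURITY: Attempt to send an invalid request from 203.0.113.5 [OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=Trixbox
Mar 1 15:15:21 SIP Scan Attempt from 198.51.100.7:5063 OPTIONS/f=sip:100@1.1.1.1,r=sip:100@xyzw,ua=friendly-scanner]
"""

# Syslog-style timestamp, optional "SECURITY:" tag, event text, source IP with
# optional port, and the ua= field wherever it appears; brackets are not required.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:SECURITY: )?(?P<event>.+?) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"(?:.*?ua=(?P<ua>[^\]\s]*))?"
)


def parse_line(line):
    """Return (timestamp, event, ip, user_agent), or None for lines that are not events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # comparing events within one log file.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("event"), m.group("ip"), m.group("ua") or "unknown"


def find_sources_to_block(log_text, max_attempts=5, window=timedelta(minutes=10)):
    """Apply the article's rule: a source with more than max_attempts events inside
    `window` gets blocked. Returns (blocked, summary): blocked maps ip -> time the
    threshold was crossed; summary maps ip -> event count and user-agents seen."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    summary = defaultdict(lambda: {"events": 0, "agents": set()})
    blocked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, ip, ua = parsed
        summary[ip]["events"] += 1
        summary[ip]["agents"].add(ua)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > max_attempts and ip not in blocked:
            blocked[ip] = ts
    return blocked, dict(summary)


if __name__ == "__main__":
    blocked, summary = find_sources_to_block(SAMPLE_LOG)
    for ip, info in summary.items():
        state = "BLOCK at %s" % blocked[ip].strftime("%H:%M:%S") if ip in blocked else "watch"
        print(ip, info["events"], sorted(info["agents"]), state)
```

On the sample, only the address that sent six probes within a few seconds is reported for blocking; the two slow sources stay on the watch list, which matches the article's threshold of more than 5 attempts. The user-agent strings are kept because repeat appearances of the same scanner name across many addresses are a useful signal that the PBX is reachable from the internet at all, which is the real problem the firewall story above describes.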
Conclusion
Fraud is not new and will continue to occur, so be very careful with the supplier of your IP PBX or softswitch. This is a subject I would like to see Anatel regulate: telephone bills cannot be a “blank check” in the hands of large operators. They urgently need to limit the E1 channels they provide. I've already seriously considered returning the E1 channel we have. Only then will I be able to sleep peacefully, because today I'm forced to look at the call tickets from my exchange almost every day to make sure I'm not going to be the next victim. There is no way to stop all hackers: there is only one administrator and there are many hackers, and not even governments have managed to stop them. What we are obliged to do is reduce the chances and limit the losses.
Questions, suggestions? Leave your comment!