2600Hz - Detecting and Managing VoIP Fraud

This is an overview of VoIP fraud, different types of fraud and what telecommunication carriers are doing to combat this issue. Types of fraud include International / Premium Number Fraud, Impersonation / Social Engineering, Service Degradation / Denial of service. Presented by Mark Magnusson at KazooCon 2015.

  1. Detecting and Managing VoIP Fraud. Presented by: Mark Magnusson
  2. @kazoocon History of telecom fraud: Fraud has been around as long as the telephone. Phone “phreaking” has been around since the 50's. Early fraud techniques relied on exploiting signaling using special tones. This was done by using custom electronics that people could build themselves: “boxes”, often referred to by different colors.
  3. History of telecom fraud: Red Box. Used to generate tones that would correspond to coins being inserted in a pay phone.
  4. History of telecom fraud: Orange Box. Used to spoof caller id.
  5. History of telecom fraud: Blue Box. One of the more infamous 'boxes'. Sends a 2600hz tone to allow seizing of control of long distance trunks. Used to make free long distance calls.
  6. History of telecom fraud: These early methods were rendered obsolete by the move to out-of-band signaling and digital equipment. By the late 1990's these methods were ineffective for the majority of phone systems. Right around that time, VoIP started emerging. As the phone systems and technologies evolved, so did fraud against them.
  7. Fraud in the modern era: VoIP is much more powerful than early phone systems; this provides a much greater surface area for attacks and fraud. The impact of fraud is potentially much greater as a result. Larger and more coordinated criminal enterprises are now focused on exploiting VoIP and phone systems. Computers can automate exploitation, increasing results and lowering the barrier to entry for would-be criminals. As a result the impact and prevalence of fraud has increased dramatically.
  8. Impact: In 2013 the cost of toll fraud was estimated at 46 billion dollars. This was a 15% increase since 2011. Often affects small businesses the hardest: they are less prepared to combat fraud, the financial impact is much greater, and they are often left on the hook for charges. Source: Communications Fraud Control
  9. Types of VoIP Fraud
  10. International / Premium Number Fraud: Can be used to make free calls. These days, foreign VoIP operators use this to try and route MILLIONS of dollars of calls via unsuspecting systems. Calls don't need to be real as long as they cause billing to occur. Attacker benefits from the bogus / billed calls, often getting a cut of the cost. Believe it or not... VoIP fraud has become a very “organized crime”. No longer just a few individuals trying to call Grandma for free.
  11. Impersonation / Social Engineering: Caller Id spoofing can be used to impersonate a 3rd party. Used to make a call to a target person appear to originate from a legitimate source, which would assist the attacker with obtaining confidential information. Can also be used to place calls to a target then quickly hang up in an attempt to get the target to call back. When they call back, the caller id is instead a premium or international number, and they are charged for it. Exploits mostly human weaknesses; as such it is very difficult to prevent. Caller Id spoofing can be used for some very nefarious things.
  12. Service Degradation / Denial of service: Attacker attempts to overload the system with bogus requests. Registration attempts w/ no key: since the key must be stored temporarily, enough of these messages in a short time period can lead to memory exhaustion. Overloading servers with unresolvable DNS in SIP messages: the server attempts to resolve a bogus DNS entry, which takes time; enough of these requests in a short enough timespan can cause the server to stop responding to legitimate requests. Spamming legitimate INVITES: this can swamp the system with calls that appear legitimate, but then just end up playing Rick Astley in a loop.
  13. Methods of Fraud
  14. Enumeration / Scanning: Automated attacks that attempt to find externally vulnerable systems. One popular method is “friendly-scanner”, a freely available tool. Once they scan, they DoS or start more targeted attacks. Example kamailio log:
      Oct 1 23:07:06 lb001 kamailio[919]: WARNING: <script>: 403961299714971072758039|end|dropping message with user-agent friendly-scanner from
      Sometimes, the hacker doesn’t realize he’s hit a phone, not a server: extension 100 rings an actual phone (local SIP port) over and over and users are wondering why. This is because the phone itself is on 5060 and externally accessible.
  15. PBX dial through / forwarding: Placing a call to a business and then exploiting their PBX to route the call to an external number. This can be done if the PBX is improperly configured (such as allowing callers to perform transfers). Also can be done by exploiting call forwarding to an external number. Calls will then be placed from the target business to a high cost premium or international number. The business is then charged for the high cost of those calls. Once a vulnerable system is identified the attack can be automated, greatly increasing its impact.
  16. PBX registration exploitation: Attempting to register a device on the target PBX. Relies on exploiting weak or default credentials with the goal of having a device capable of placing calls via the target PBX. Very easy to automate. Easy to detect IF someone is monitoring the frequency of registration attempts on the system.
  17. Server based attacks: Exploit security vulnerabilities in the server software. Can be used to attempt to root the server itself, or to place unauthorized calls. Example: AST-2008-003, where specially crafted FROM headers would allow unauthorized calls to be placed. An even larger attack surface since the server security itself is also a target. Any other services running on the server provide potential attack vectors. Once the server itself is compromised, the PBX system can then be exploited easily.
  18. Phone based attacks: People often do not realize that modern VoIP phones are themselves small computers. Many run slimmed down linux systems and services. Often possible due to weak voicemail, user, or admin passwords. Can be used to set call forwarding to a premium external number; the attacker then places many calls that are forwarded out. Automating password guessing for voicemail, or spoofing caller id to access mail boxes. Can be used to eavesdrop on voicemail. There have been several high profile examples of this. Configuration can be exploited or downloaded if it is externally accessible.
  19. Attacks on people: Not the kind with a baseball bat… attacks that deceive users into providing information. These attacks are very difficult to prevent and mitigate (people are easily fooled). End user education is the most effective prevention method here, however most people do not want to bother with it. Luckily (for you) the impact of these attacks is usually localized to the person in question, and not the system itself.
  20. Avoidance and Mitigation
  21. Some General Tips: Avoid being the low hanging fruit. Most widely targeted attacks will not bother with you if the system is not easily exploitable, as there are plenty that are, so make yours not worth their time. Ensure that your configuration and permissions are as restrictive as possible while allowing normal operation.
  22. Network / Server Security: Correctly configure and use firewalls / SBCs. Limit the external exposure of your phones and systems. Filter out traffic from known bad addresses. Keep server patched and up to date. If the server is compromised, so is your phone system (and potentially lots more). Ensure that the minimum number of services are running and externally accessible to reduce the attack vectors against the system.
  23. Kazoo Tips: SECURE YOUR PHONES! Secure BOTH the user and admin accounts. Upgrade to the latest firmwares. Keep phones behind firewalls. New provisioner helps with many of these things. New provisioner forces a different user / admin password. New provisioner changes the local SIP port so it can’t be 5060. Force new firmware (that we know is secure).
  24. Use limits and restrict access: Use Kazoo’s limits. It’s worth taking the time to learn how they work and set them properly. They allow you to limit the impact of any fraud. Especially important because you may not be able to prevent sub-accounts from making easily exploitable mistakes. High limit for your master reseller account; low limit for the sub-accounts. Blocked classifiers / areas for high-rate and international numbers. IaaS installs can have custom classifiers that get even more specific.
  25. Real time monitoring: 2600hz has carriers who block suspicious repeat calling to high-rate areas. If we see over 100 calls to Saudi Arabia in a row, the number is automatically blocked. We get a notice and the area is flagged with who did the calling so we can investigate. Real time monitoring is essential in quickly detecting and mitigating any fraud. Know your system and the typical traffic / requests that are handled so that you can more easily notice something out of the ordinary. Certain detection is easy to automate: sharp increase in registration attempts, sudden flood of INVITES.
  26. User education: Make people aware of these types of attacks. This is the only effective method to prevent people themselves from being easily exploited. The more people that you have looking out for suspicious and strange usage and activity, the better your odds of detecting it.
  27. Thank You! @kazoocon
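
Two of the detections from slides 16 and 25 (registration-attempt frequency per source, and a run of consecutive calls to a high-rate area), written here as an added example; it is not code from the talk, from Kazoo or from 2600hz. The event schema, the 60-second window, the limit of 20 registrations, per-account tracking and the `+966` prefix list are assumptions; only the "over 100 calls in a row" figure comes from the slides.

```python
from collections import defaultdict, deque

# Assumed thresholds; the slides give only "over 100 calls ... in a row".
REG_WINDOW_S, REG_MAX = 60, 20   # registration attempts per source per window
RUN_MAX = 100                    # consecutive calls to one high-rate prefix
HIGH_RATE_PREFIXES = ("+966",)   # example blocked classifier (Saudi Arabia)

def detect(events):
    """events: time-ordered dicts in a constructed schema (not a Kazoo or
    Kamailio format). Returns (kind, subject, ts) alerts, one per subject."""
    reg_times = defaultdict(deque)   # source IP -> recent REGISTER timestamps
    runs = {}                        # account -> (prefix, consecutive count)
    seen, alerts = set(), []

    def alert(kind, subject, ts):
        if (kind, subject) not in seen:
            seen.add((kind, subject))
            alerts.append((kind, subject, ts))

    for ev in events:
        ts = ev["ts"]
        if ev["method"] == "REGISTER":
            q = reg_times[ev["src"]]
            q.append(ts)
            while ts - q[0] > REG_WINDOW_S:   # drop attempts outside the window
                q.popleft()
            if len(q) > REG_MAX:
                alert("registration_spike", ev["src"], ts)
        elif ev["method"] == "INVITE":
            prefix = next((p for p in HIGH_RATE_PREFIXES if ev["to"].startswith(p)), None)
            last, count = runs.get(ev["account"], (None, 0))
            # A call elsewhere breaks the run; only back-to-back calls count.
            count = count + 1 if prefix and prefix == last else (1 if prefix else 0)
            runs[ev["account"]] = (prefix, count)
            if count > RUN_MAX:
                alert("high_rate_run", ev["account"], ts)
    return alerts

def sample_events():
    """Constructed traffic: a guessing source, a normal phone, two accounts."""
    evs = [{"ts": i, "method": "REGISTER", "src": "198.51.100.7"} for i in range(30)]
    evs += [{"ts": 1000 * i, "method": "REGISTER", "src": "192.0.2.10"} for i in range(5)]
    evs += [{"ts": 5000 + i, "method": "INVITE", "account": "sub-a",
             "to": "+96650000%04d" % i} for i in range(101)]
    evs += [{"ts": 6000 + i, "method": "INVITE", "account": "sub-b",
             "to": "+966500001111" if i % 2 else "+14155550100"} for i in range(200)]
    return sorted(evs, key=lambda e: e["ts"])

if __name__ == "__main__":
    print(detect(sample_events()))
```

In the sample, the source that registers once per second and the account that dials 101 high-rate numbers back to back are flagged, while the phone that re-registers every 1000 seconds and the account that alternates destinations are not.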