2600Hz - Detecting and Managing VoIP Fraud
PRESENTED BY:
Detecting and Managing VoIP Fraud
Mark Magnusson
@kazoocon
History of telecom fraud
Fraud has been around as long as the telephone
Phone “phreaking” has been around since the '50s
Early fraud techniques relied on exploiting signaling using special tones
This was done using custom electronics that people could build themselves, “boxes”, often referred to by different colors
Red Box: used to generate tones that would correspond to coins being inserted in a pay phone
Orange Box: used to spoof caller ID
Blue Box: one of the more infamous 'boxes'. Sends a 2600 Hz tone to allow seizing control of long distance trunks. Used to make free long distance calls
These early methods were rendered obsolete by the move to out-of-band signaling and digital equipment
By the late 1990s these methods were ineffective for the majority of phone systems
Right around that time, VoIP started emerging
As the phone systems and technologies evolved, so did fraud against them
Fraud in the modern era
VoIP is much more powerful than early phone systems, which provides a much greater surface area for attacks and fraud
The impact of fraud is potentially much greater as a result
Larger and more coordinated criminal enterprises are now focused on exploiting VoIP and phone systems
Computers can automate exploitation, increasing results and lowering the barrier to entry for would-be criminals
As a result the impact and prevalence of fraud has increased dramatically
Impact
In 2013 the cost of toll fraud was estimated at 46 billion dollars
This was a 15% increase since 2011
Often affects small businesses the hardest: they are less prepared to combat fraud, the financial impact is much greater, and they are often left on the hook for charges
Source: Communications Fraud Control Association
Types of VoIP Fraud
International / Premium Number Fraud
Can be used to make free calls
These days, foreign VoIP operators use this to try and route MILLIONS of dollars of calls via unsuspecting systems
Calls don't need to be real as long as they cause billing to occur
Attacker benefits from the bogus / billed calls, often getting a cut of the cost
Believe it or not... VoIP fraud has become a very “organized” crime. No longer just a few individuals trying to call Grandma for free
Impersonation / Social Engineering
Caller ID spoofing can be used to impersonate a 3rd party
Used to make a call to a target person appear to originate from a legitimate source, which would assist the attacker with obtaining confidential information
Can also be used to place calls to a target then quickly hang up in an attempt to get the target to call back. When they call back, the caller ID is instead a premium or international number, and they are charged for it
Exploits mostly human weaknesses; as such it is very difficult to prevent
Caller ID spoofing can be used for some very nefarious things
Service Degradation / Denial of service
Attacker attempts to overload the system with bogus requests
Registration attempts w/ no key: since the key must be stored temporarily, enough of these messages in a short time period can lead to memory exhaustion
Overloading servers with unresolvable DNS in SIP messages: the server attempts to resolve a bogus DNS entry, which takes time; enough of these requests in a short enough timespan can cause the server to stop responding to legitimate requests
Spamming legitimate INVITEs: this can swamp the system with calls that appear legitimate, but then just end up playing Rick Astley in a loop
Methods of Fraud
Enumeration / Scanning
Automated attacks that attempt to find externally vulnerable systems
One popular method is “friendly-scanner”: a freely available tool. Once they scan, they DoS or start more targeted attacks
Example kamailio log:
Oct 1 23:07:06 lb001 kamailio[919]: WARNING: <script>: 403961299714971072758039|end|dropping message with user-agent friendly-scanner from 77.221.158.186:5063
Sometimes the hacker doesn’t realize he’s hit a phone, not a server: extension 100 rings an actual phone (local SIP port) over and over, and users are wondering why. This is because the phone itself is on 5060 and externally accessible
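Added example (not from the talk or from 2600hz): a small Python parser for warning lines in the format of the kamailio log above, counting drops per source address so a scanner that keeps coming back can be handed to the firewall / SBC block list. Only the first sample line is the slide's; the other lines, the made-up user-agent and the threshold are constructed for the example (TEST-NET addresses).

```python
"""Parse Kamailio scanner-drop warnings and rank the sources behind them.
Added example, not from the talk: only the first SAMPLE_LOG line is the
slide's; the rest are constructed (TEST-NET addresses, made-up UA)."""
import re
from collections import Counter, defaultdict

# Shape of the WARNING line after the syslog/kamailio prefix:
#   <callid>|<stage>|dropping message with user-agent <ua> from <ip>:<port>
DROP_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kamailio\[\d+\]: WARNING: <script>: "
    r"\S+\|\w+\|dropping message with user-agent (?P<ua>.+?) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

SAMPLE_LOG = """\
Oct 1 23:07:06 lb001 kamailio[919]: WARNING: <script>: 403961299714971072758039|end|dropping message with user-agent friendly-scanner from 77.221.158.186:5063
Oct 1 23:07:06 lb001 kamailio[919]: INFO: <script>: 403961299714971072758040|start|REGISTER from 198.51.100.7:5060
Oct 1 23:07:07 lb001 kamailio[919]: WARNING: <script>: 403961299714971072758041|end|dropping message with user-agent friendly-scanner from 77.221.158.186:5063
Oct 1 23:07:09 lb001 kamailio[919]: WARNING: <script>: 403961299714971072758042|end|dropping message with user-agent constructed-scanner/0.1 from 192.0.2.44:5060
Oct 1 23:07:10 lb001 kamailio[919]: WARNING: <script>: 403961299714971072758043|end|dropping message with user-agent friendly-scanner from 77.221.158.186:5063
"""

def parse_drop(line):
    """Return (ip, ua) for a scanner-drop warning, None for any other line."""
    m = DROP_RE.match(line)
    return (m["ip"], m["ua"]) if m else None

def summarize_scanners(log_text, threshold=3):
    """Return (counts, agents, noisy): drops per IP, user-agents per IP, and the
    IPs at or over `threshold` (block-list candidates; threshold is assumed)."""
    counts, agents = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_drop(line)
        if hit:
            ip, ua = hit
            counts[ip] += 1
            agents[ip].add(ua)
    noisy = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, agents, noisy

if __name__ == "__main__":
    counts, agents, noisy = summarize_scanners(SAMPLE_LOG)
    for ip in noisy:
        print(f"{ip}: {counts[ip]} drops, user-agents {sorted(agents[ip])}")
```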
PBX dial through / forwarding
Placing a call to a business and then exploiting their PBX to route the call to an external number
This can be done if the PBX is improperly configured (such as allowing callers to perform transfers)
Also can be done by exploiting call forwarding to an external number
Calls will then be placed from the target business to a high cost premium or international number
The business is then charged for the high cost of those calls
Once a vulnerable system is identified the attack can be automated, greatly increasing its impact
PBX registration exploitation
Attempting to register a device on the target PBX
Relies on exploiting weak or default credentials with the goal of having a device capable of placing calls via the target PBX
Very easy to automate
Easy to detect IF someone is monitoring the frequency of registration attempts on the system
Server based attacks
Exploit security vulnerabilities in the server software
Can be used to attempt to root the server itself, or to place unauthorized calls. Example: AST-2008-003, where specially crafted FROM headers would allow unauthorized calls to be placed
An even larger attack surface since the server security itself is also a target
Any other services running on the server provide potential attack vectors
Once the server itself is compromised, the PBX system can then be exploited easily
Phone based attacks
People often do not realize that modern VoIP phones are themselves small computers. Many run slimmed down Linux systems and services
Often possible due to weak voicemail, user, or admin passwords. Can be used to set call forwarding to a premium external number; the attacker then places many calls that are forwarded out
Automating password guessing for voicemail, or spoofing caller ID to access mailboxes. Can be used to eavesdrop on voicemail. There have been several high profile examples of this
Configuration can be exploited or downloaded if it is externally accessible
Attacks on people
Not the kind with a baseball bat… attacks that deceive users into providing information
These attacks are very difficult to prevent and mitigate (people are easily fooled)
End user education is the most effective prevention method here, however most people do not want to bother with it
Luckily (for you) the impact of these attacks is usually localized to the person in question, and not the system itself
Avoidance and Mitigation
Some General Tips
Avoid being the low hanging fruit
Most widely targeted attacks will not bother with you if your system is not easily exploitable, since there are plenty that are; make yours not worth their time
Ensure that your configuration and permissions are as restrictive as possible while allowing normal operation
Network / Server Security
Correctly configure and use firewalls / SBCs: limit the external exposure of your phones and systems, and filter out traffic from known bad addresses
Keep servers patched and up to date. If the server is compromised, so is your phone system (and potentially lots more)
Ensure that the minimum number of services are running and externally accessible to reduce the attack vectors against the system
Kazoo Tips
SECURE YOUR PHONES! Secure BOTH the user and admin accounts. Upgrade to the latest firmwares. Keep phones behind firewalls
New provisioner helps with many of these things: it forces a different user / admin password, changes the local SIP port so it can’t be 5060, and forces new firmware (that we know is secure)
Use limits and restrict access
Use Kazoo’s limits. It’s worth taking the time to learn how they work and set them properly. They allow you to limit the impact of any fraud
Especially important because you may not be able to prevent sub-accounts from making easily exploitable mistakes
High limit for your master reseller account, low limit for the sub-accounts
Blocked classifiers / areas for high-rate and international numbers. IaaS installs can have custom classifiers that get even more specific
Real time monitoring
2600hz has carriers who block suspicious repeat calling to high-rate areas. If we see over 100 calls to Saudi Arabia in a row, the number is automatically blocked. We get a notice and the area is flagged with who did the calling so we can investigate
Real time monitoring is essential in quickly detecting and mitigating any fraud
Know your system and the typical traffic / requests that are handled so that you can more easily notice something out of the ordinary
Certain detection is easy to automate: a sharp increase in registration attempts, a sudden flood of INVITEs
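Added example (not 2600hz code): the two detections this slide calls easy to automate, plus the "N calls in a row to a high-rate area" rule above, written as sliding-window counters in Python. The +966 prefix stands for Saudi Arabia; the event shape, limits, addresses and account name are constructed for the example.

```python
"""Added example (not 2600hz code): sliding-window detectors for a REGISTER spike and a
run of calls to a high-rate area. Events, limits and the +966 (Saudi Arabia) prefix are assumed."""
from collections import defaultdict, deque

class RegisterSpikeDetector:
    """Flag a source once it sends more than `limit` REGISTERs in `window` seconds."""
    def __init__(self, limit=20, window=60):
        self.limit, self.window = limit, window
        self._recent = defaultdict(deque)  # ip -> timestamps still inside the window
    def observe(self, ts, ip):
        q = self._recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:  # expire attempts that aged out of the window
            q.popleft()
        return len(q) > self.limit

class HighRateRunDetector:
    """Flag an account after `limit` consecutive calls to a high-rate prefix."""
    def __init__(self, prefixes, limit=100):
        self.prefixes, self.limit = tuple(prefixes), limit
        self._run = defaultdict(int)  # account -> length of the current run
    def observe(self, account, dialed):
        hit = dialed.lstrip("+").startswith(self.prefixes)
        self._run[account] = self._run[account] + 1 if hit else 0  # any other call resets the run
        return self._run[account] >= self.limit

def scan(events, reg_limit=20, reg_window=60, run_limit=100):
    """events: (ts, "REGISTER", src_ip, None) or (ts, "INVITE", account, dialed), in
    time order. Returns one (ts, kind, key) alert per offending source, not per event."""
    reg = RegisterSpikeDetector(reg_limit, reg_window)
    run = HighRateRunDetector(("966",), run_limit)
    alerts, fired = [], set()
    for ts, kind, key, extra in events:
        hit = None
        if kind == "REGISTER" and reg.observe(ts, key):
            hit = ("register-spike", key)
        elif kind == "INVITE" and run.observe(key, extra):
            hit = ("high-rate-run", key)
        if hit and hit not in fired:
            fired.add(hit)
            alerts.append((ts,) + hit)
    return alerts

def sample_events():
    """Constructed: a scanner hammering REGISTER, a normal phone, one sub-account dialing +966."""
    ev = [(t, "REGISTER", "192.0.2.44", None) for t in range(30)]
    ev += [(t * 30, "REGISTER", "198.51.100.7", None) for t in range(4)]
    ev += [(100 + i, "INVITE", "sub-account-7", f"+96650000{i:04d}") for i in range(6)]
    return sorted(ev, key=lambda e: e[0])
```

With `scan(sample_events(), run_limit=5)` the constructed traffic yields exactly two alerts: the scanner at t=20 (21st REGISTER inside the 60 s window) and the sub-account at t=104 (5th consecutive +966 call); the phone that re-registers every 30 s never trips anything.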
User education
Make people aware of these types of attacks
This is the only effective method to prevent people themselves from being easily exploited
The more people that you have looking out for suspicious and strange usage and activity, the better your odds of detecting it
Thank You!