
FRAUD HELP?

LUALST (ISP) | Jan 2, 2014 | GB
I work for an ISP and we've had a lot of fraud over the Christmas period: the usual dialling in on an external IP, creating extensions and dialling internationally. We know how to avoid this and we have had a system lockdown.

However, we've now experienced a new type of fraud that I'm not sure how to prevent. It started off with one customer in the early hours of yesterday, and more last night (including our office).

What happened is a phone seemed to be dialling out on its own, as if someone was using software to make it dial out internationally. A member of staff witnessed this and heard the line ringing and disconnect.

Has anyone else had this? And is there any way I can lock systems down?

I'm thinking just change the handset login code?

Cheers,

Luke
 
Thanks, but this is already in action. However, we have still experienced this different type of fraud: phones dialling out by themselves. All the systems that were hacked had previously been locked down in this way, other than extension passcodes; I can't believe that is how we've been hacked here.

Is it some form of Phone Manager or one-X? Maybe Flare?

The phones dial out by themselves.
 
Without seeing a sysmon trace it's difficult to say.

Are you sure that the system is locked down? If the system was locked down, how can a third party connect to the IP Office and make external calls via Phone Manager, one-X or Flare? If the extensions are dialling out they could be using TAPI to control and make external calls, but to do this the system would still need to be accessible via the internet/externally.

Do they have one-X Portal, and is it accessible via the internet (FQDN or public IP address)? If it is, it could be used to dial external numbers as long as they have the right login details for a user (or users).

Changing passcodes would help.

Like I said without a sysmon trace capturing the external calls it's difficult to say.


Ross Shorrocks | Avaya SME BackBone Engineer | Global Support Services
 
They probably use Phone Manager and the PBX is missing a firewall because the IT/tech thought it was a hassle to get the SIP traffic through it. Start with giving all the users a password. Then get a firewall in place.
 
Quoting sagbab (Programmer), 3 Jan 14 7:01:
    They probably use Phone Manager and the PBX is missing a firewall because the IT/tech thought it was a hassle to get the SIP traffic through it. Start with giving all the users a password. Then get a firewall in place.

Is this an assumption or are you sure?
Using Phone Manager is an option, but I doubt that.


BAZINGA!

I'm not insane, my mother had me tested!

 
tlpeter,

Pure assumption based on the information given. My point is that the IPO might still be accessible from the internet in a way it shouldn't. What's making the actual calls is of less importance.

Would love to hear your initial thoughts though.
 
If all ports are closed then it should not be accessible anyway, so it must happen from the inside or through a bad configuration of the IPO and/or VMPro.
Only a sysmon trace and a SSA trace can show this.

BAZINGA!

I'm not insane, my mother had me tested!

 
HEEEELP!

We have had the same issue. There are no ports open for Phone Manager, Softphone or one-X.

The only thing is, I think the hackers have a copy of my config from a previous hack. They are using an extn that is already in use (205); the reason I know this is because we have call recording/SMDR on it.

I don't have a clue on how they are doing this. The calls are all made on the ISDN and are only outbound calls.

Any help would be appreciated.

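Blow83's point that the SMDR output is what identified extension 205 is worth turning into a routine check. The script below is an added example, not code from this thread or from Avaya: it reads IP Office-style SMDR records and flags the pattern described in the thread (outbound international calls from a single extension, out of hours, in a burst). The CSV column order, the date format, the business-hours window, the international prefixes and the sample records are all assumptions or constructed data; map the column indices to your own SMDR output before relying on it.

```python
"""Flag suspicious outbound international calls in IP Office-style SMDR records.

Added example (not from the thread or from Avaya). ASSUMPTION: a simplified
SMDR layout whose first seven comma-separated fields are
  Call Start, Connected Time, Ring Time, Caller, Direction, Called Number, Dialled Number
Verify the column positions against your own SMDR output before use.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Column positions in the assumed layout (see module docstring).
COL_START, COL_CONNECTED, COL_RING, COL_CALLER, COL_DIRECTION, COL_CALLED, COL_DIALLED = range(7)

# Assumed policy: business day, international access codes, and burst size.
BUSINESS_OPEN = time(8, 0)
BUSINESS_CLOSE = time(18, 30)
INTERNATIONAL_PREFIXES = ("00", "+", "011")   # UK/EU "00", E.164 "+", NANP "011"
BURST_THRESHOLD = 3                            # international calls from one extension

# Constructed sample records (fictional 555-01xx numbers); 2014/01/02 is a Thursday.
SAMPLE_SMDR = """\
2014/01/02 02:13:41,00:04:12,3,205,O,0012125550100,0012125550100,,0,1001,0,T9001,Line 1.0,E205,Extn205
2014/01/02 02:19:07,00:03:55,2,205,O,0012125550101,0012125550101,,0,1002,0,T9001,Line 1.0,E205,Extn205
2014/01/02 02:24:30,00:00:00,4,205,O,0012125550102,0012125550102,,0,1003,0,T9001,Line 1.0,E205,Extn205
2014/01/02 10:05:12,00:01:30,2,212,O,02079460123,02079460123,,0,1004,0,T9001,Line 1.0,E212,Extn212
2014/01/02 11:15:00,00:02:10,5,02079460999,I,205,205,,0,1005,0,T9001,Line 1.0,E205,Extn205
2014/01/02 11:20:00,00:00:45,1,212,O,205,205,,1,1006,0,E212,Extn212,E205,Extn205
"""


def is_international(dialled: str) -> bool:
    """Treat any number starting with an international access code as international."""
    return dialled.strip().startswith(INTERNATIONAL_PREFIXES)


def out_of_hours(ts: datetime) -> bool:
    """True at weekends or outside the configured business day."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_OPEN <= ts.time() < BUSINESS_CLOSE)


def parse_smdr(text: str):
    """Yield one dict per SMDR row; rows that are short or have a bad timestamp are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= COL_DIALLED:
            continue
        try:
            start = datetime.strptime(row[COL_START].strip(), "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue
        yield {
            "start": start,
            "caller": row[COL_CALLER].strip(),
            "direction": row[COL_DIRECTION].strip().upper(),
            "dialled": row[COL_DIALLED].strip(),
        }


def find_suspicious(text: str):
    """Return alerts as (extension, start, detail, reason).

    One alert per outbound international call placed out of hours, plus one
    'international burst' alert per extension that placed BURST_THRESHOLD or
    more international calls in the input (file order is preserved).
    """
    alerts = []
    per_ext = defaultdict(list)
    for rec in parse_smdr(text):
        if rec["direction"] != "O" or not is_international(rec["dialled"]):
            continue
        per_ext[rec["caller"]].append(rec)
        if out_of_hours(rec["start"]):
            alerts.append((rec["caller"], rec["start"].isoformat(),
                           rec["dialled"], "out-of-hours international"))
    for ext, recs in per_ext.items():
        if len(recs) >= BURST_THRESHOLD:
            alerts.append((ext, recs[0]["start"].isoformat(),
                           f"{len(recs)} international calls", "international burst"))
    return alerts


if __name__ == "__main__":
    for ext, start, detail, reason in find_suspicious(SAMPLE_SMDR):
        print(f"{start} extn {ext}: {reason} ({detail})")
```

Run against a live SMDR feed this only tells you which extension is being driven and when; it does not tell you how, which is still the SysMon question raised above. It does give you the timestamp to line up against the SysMon trace and a list of extensions whose passcodes need changing first.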
 
Blow83,
Are there any signs of an inbound data call on the ISDN?

If they have a copy of your cfg file (or you have not bothered to change the default password) then they could easily be connecting to the system.

At this stage I would suggest you find a competent maintainer.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
Hi IP Guru,
We are the maintainer (I take your point on being competent; this was sorted the last time they were hacked).

No sign of inbound calls, only outbound.
 
I've also seen them hacking in on the dial-in if you still have the RemoteManager password set to default.
They just look up the case studies on reseller sites and get the end customers' sites/numbers.

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged (Avaya Search tool )
______________________________________
 
I would suggest a System Monitor trace to try to identify what is causing the extn to dial out.

Could they have a virus on a PC that is doing it via TAPI? (I think that was suggested earlier.)

I would also advise changing all of the passwords again (if the cfg has been compromised then the hacker has most of the ones needed to gain access).

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
If you make all your passwords the same, then if they can see the system from the web they can get the password very easily. At least make the "system" password (the one used for upgrades) different, as that can be easily revealed :)

 