[VOIPSEC] Romanian Arrests
J. Oquendo
sil at infiltrated.net
Wed Dec 15 09:41:48 CST 2010
Sandro posted some news about some arrests being made in Romania:
http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html

Not so surprising, my honeypot saw one of the numbers called that is
associated with the arrests:
http://www.infiltrated.net/voipabuse/RO/12-15-2010-arkeos.txt

Anyhow, on the VUC I believe I may have stated: "Romania is the one to
watch" and I do know that I did state this to DarkReading: "And more of
the calls go through Romania than anywhere else," he says. ...
http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/227500994/index.html,
not to single out Romania, but the blog entry is about those arrests, so I
decided to parse out all calls that went to Romania from one of my
honeypots:
http://www.infiltrated.net/voipabuse/RO/12-15-2010-romania-destinations.txt

More so, I decided to parse out ALL CALL destinations (DNIDs) and post
them to a logfile as well. The theory behind me doing this is, if you're
an 'analyst' connecting the dots, you'd likely want to know who made
what call, from where, what time/date, what his SIP UA is/was. I will NOT
make that particular log public as I feel it *may* lead to attackers
sending out random calls in the future. I do believe that an attacker,
once on a system, fires off one test call to a number in their control.
This will enable them to know that the trunk they compromised does work.
If this theory holds true, it's possible that data on 272 suspects.

Arkeos captures: Call Destination - IP Address of the machine placing
the call - Date and Time - SIP User Agent

So think about this from an investigative standpoint: We have someone,
say Julio, who is using a Windows XP machine with Zoiper rev.7797, owns
say 2035551212 and is perhaps using an address on the 172.16.2.x
network (1918 used for example). What is the likelihood of a "random"
attacker placing a call to Julio's DID, coincidentally running the same
version of a softphone, and coming from his same netblock? I think that
Julio would have a better chance of getting struck by lightning after
winning both the Powerball and Megamillions lotteries one after the other.

Anyway, I'm of the belief that the DNID is the key at the end of the day
in tracking down those responsible for toll-fraud.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
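The correlation the post argues for (group honeypot call attempts by DNID, count how many distinct sources dialled each number, and match a record against a known victim's number, softphone and netblock) is shown below as an added example. This is not the author's Arkeos code, and the pipe-separated record layout, the field names and the sample log lines are all constructed for illustration; the only fact taken from outside the post is that Romanian numbers in international format begin with country code 40.

```python
"""Correlate honeypot call records by destination (DNID).

Added example, not the Arkeos honeypot's own code. The log format is an
assumption: one record per line, pipe-separated as
    dnid|src_ip|timestamp|user_agent
matching the four fields the post says Arkeos captures. The sample lines
below are constructed and are not real captures.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple


class CallRecord(NamedTuple):
    dnid: str         # dialled number (call destination)
    src_ip: str       # address of the machine that placed the call
    when: datetime    # date and time of the attempt
    user_agent: str   # SIP User-Agent header presented by the caller


# Constructed sample log (not real data). The last line is deliberately
# malformed to show that the parser skips bad records instead of aborting.
SAMPLE_LOG = """\
40215550101|203.0.113.7|2010-12-14 03:12:44|Zoiper rev.7797
40215550101|172.16.2.45|2010-12-14 03:40:10|Zoiper rev.7797
40215550101|192.0.2.88|2010-12-15 01:02:33|sipcli/v1.8
2035551212|172.16.2.45|2010-12-14 03:41:02|Zoiper rev.7797
447700900123|203.0.113.7|2010-12-14 03:13:01|Zoiper rev.7797
garbled line without the expected fields
"""


def parse_log(text: str) -> List[CallRecord]:
    """Parse the assumed record format; lines that do not validate are skipped."""
    records: List[CallRecord] = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        dnid, src_ip, ts, ua = parts
        try:
            ip_address(src_ip)  # rejects non-IP garbage in the source field
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        records.append(CallRecord(dnid, src_ip, when, ua))
    return records


def distinct_sources_per_dnid(records: List[CallRecord]) -> Dict[str, int]:
    """Number of distinct source IPs that dialled each DNID.

    A destination reached from several unrelated sources is a candidate
    'test number' under one operator's control, which is the post's theory
    about the first call made from a freshly compromised trunk.
    """
    sources = defaultdict(set)
    for r in records:
        sources[r.dnid].add(r.src_ip)
    return {dnid: len(ips) for dnid, ips in sources.items()}


def calls_to_romania(records: List[CallRecord]) -> List[CallRecord]:
    """Destinations in Romania, i.e. numbers carrying country code 40."""
    return [r for r in records if r.dnid.startswith("40")]


def matching_profile(records: List[CallRecord], dnid: str,
                     user_agent: str, netblock: str) -> List[CallRecord]:
    """Records matching all three attributes from the post's 'Julio' case:
    the victim's own number, the same softphone build, and his netblock."""
    net = ip_network(netblock)
    return [r for r in records
            if r.dnid == dnid
            and r.user_agent == user_agent
            and ip_address(r.src_ip) in net]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} valid records")
    for number, n in sorted(distinct_sources_per_dnid(recs).items(),
                            key=lambda kv: -kv[1]):
        print(f"DNID {number}: dialled from {n} distinct source IP(s)")
    print("calls to Romania:", len(calls_to_romania(recs)))
    hits = matching_profile(recs, "2035551212", "Zoiper rev.7797", "172.16.2.0/24")
    for h in hits:
        print("profile match:", h)
```

Running the block on the constructed log ranks 40215550101 first (three distinct sources), lists three Romanian destinations, and returns the one record that matches the Julio profile on number, user agent and netblock at once; on a real capture the same three functions are the starting point for the analyst's "who called what, from where, with which SIP UA" question.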