[VOIPSEC] Tackling VoIP fraud, (not so) new idea

Eric Klein eric at humbuglabs.org
Sat Feb 22 01:40:48 CST 2014


While I applaud the idea of jointly attacking fraud, and the various
comments over the past few days about it, I have to pour a little
cold water on this thread.

There are 2 aspects I would like to point out and explain:

   1. The idea is not new
   2. The idea is targeting multiple moving targets

First, there are already 2 lists for telecom fraud available. One is run by
carriers and law enforcement (and is not free to join), and the second has more
activity in intercompany collection problems than actual fraudulent callers
or hackers.

So this gives us the CFCA (http://cfca.org/), which was set up by carriers with the
FBI and the GSM forum to track fraud (the last time I looked they had more
than 50,000 numbers on the list), or the VOIP Fraud Project List
(http://voipfraud.net/), which is community driven but tends to have more
activity about which VOIP provider owes someone money.

Both lists track fraudulent CLIDs (the VOIP Fraud list also includes hacker
IP addresses).

Now for the problems with using these lists - the targets move almost
faster than they can be reported.

In both cases you are trying to respond to rapidly changing attacks, when
changing IP addresses or phone numbers can be done within a single provider
within minutes, plus there are lots of providers. So unless you blacklist full
carriers in response to an attack that happened, even though the attacker
may no longer be using that provider, it is hard to block them. Plus you
need to plan for the fact that today's fraudulent number can be tomorrow's
legitimate number.

In my experience it is better to work with blocking types of traffic at the
PBX:

   - Off-hours calls - most fraud seems to happen overnight and on weekends;
   does your business or your customers' businesses need calls when they are closed?
   Also these can include "internal fraud", where the cleaning or security
   people make otherwise legitimate calls abroad that they are not authorized
   to make.
   - Unneeded international and premium destinations - do you or your
   customer need to call Cuba or Afghanistan? How about 1-900 or satellite
   phones?

In both cases you can block 90% of the fraud attempts that we have seen by
setting rules to block these and having a real-time look at traffic that
can notify the PBX admin of unusual traffic changes (repeat calls to one
number in a short time, extremely long calls, etc.).

Best regards
Eric Klein
VP Sales and Marketing
Humbug Telecom Labs
Mobile: +972-54-666-0933
Mail: Eric at humbuglabs.org
www.humbuglabs.org


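The PBX-side rules described above (off-hours calls, blocked destinations, repeat calls to one number, extremely long calls), plus a lookup against a shared list in the "IP | number | DATE | CHECKSUM" layout proposed in the quoted post, as an added example that is not part of this thread. The CDRs, the list line and the prefix, hour and threshold values are constructed assumptions; the 10-digit list entry is assumed to be a US national number.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample CDRs: (start time, called number as E.164 digits, duration in seconds)
SAMPLE_CDRS = [
    ("2014-02-18 10:15:00", "14155550100", 120),    # weekday, business hours, domestic
    ("2014-02-18 11:02:00", "5378221234", 300),     # Cuba during business hours
    ("2014-02-22 02:10:00", "93701234567", 60),     # Saturday night, Afghanistan, x3
    ("2014-02-22 02:11:00", "93701234567", 60),
    ("2014-02-22 02:12:00", "93701234567", 60),
    ("2014-02-19 14:00:00", "19005551212", 45),     # 1-900 premium number
    ("2014-02-19 15:00:00", "14155550100", 5400),   # 90 minute call
    ("2014-02-20 09:30:00", "12125551212", 30),     # number from the shared list below
]
# Constructed shared-list line in the "IP | number | DATE | CHECKSUM" layout from the thread
SHARED_LIST = "198.51.100.7 | 2125551212 | 2014-02-20 | 9f2c1a"

BLOCKED_PREFIXES = ("53", "93", "1900", "881", "882")  # Cuba, Afghanistan, 1-900, satellite
BUSINESS_HOURS, MAX_CALL_SECONDS = (8, 18), 3600       # local open/close hour, 60 min cap
REPEAT_WINDOW, REPEAT_THRESHOLD = timedelta(minutes=5), 3

def load_shared_list(text):
    """Parse pipe-delimited list lines into E.164 digit strings (10 digits assumed US)."""
    numbers = set()
    for fields in (l.split("|") for l in text.splitlines() if "|" in l):
        digits = re.sub(r"\D", "", fields[1])
        numbers.add("1" + digits if len(digits) == 10 else digits)
    return numbers

def classify(cdrs, blacklist=frozenset()):
    """Return (cdr_index, reason) alerts; one CDR may trigger several rules."""
    alerts = []
    recent = defaultdict(list)  # called number -> start times inside the repeat window
    for i, (ts, number, secs) in enumerate(cdrs):
        start = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if number in blacklist:
            alerts.append((i, "number on shared fraud list"))
        if number.startswith(BLOCKED_PREFIXES):
            alerts.append((i, "blocked destination"))
        if start.weekday() >= 5 or not BUSINESS_HOURS[0] <= start.hour < BUSINESS_HOURS[1]:
            alerts.append((i, "off-hours call"))
        if secs > MAX_CALL_SECONDS:
            alerts.append((i, "extremely long call"))
        window = [t for t in recent[number] if start - t <= REPEAT_WINDOW] + [start]
        recent[number] = window
        if len(window) >= REPEAT_THRESHOLD:
            alerts.append((i, "repeat calls to one number"))
    return alerts
```

Running `classify(SAMPLE_CDRS, load_shared_list(SHARED_LIST))` leaves the daytime domestic call alone and flags the third Saturday-night call to the same number on three rules at once.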

> Because none of us want to deal with fraud, and many of us
> have fought it, are fighting it, and eventually (like it or
> not) will come across it. I am proposing starting up a NON
> PUBLIC, TRUSTED mailing list. The purpose of the list would
> be to share information on attacks, numbers, dialed, and so
> forth. The reasoning for it not being public, would be
> obvious, avoid letting a threat actor know they have been
> flagged.
>
> The theory behind this list, would be to aggregate KNOWN
> fraudulent destinations for the purposes of creating some
> form of blacklist, or triggering mechanism. For example,
> suppose I had a break in, where calls went to 2125551212.
> On the list I would send an email stating:
>
> x.x.x.x (IP) | 2125551212 | DATE | CHECKSUM
>
> First field is obvious, you'd want to block this address.
> Second field, one can set up a triggering mechanism.
> (Pseudo code)
>
> # trigger when the called number matches a list entry
> if [ "$number" = "2125551212" ]; then
>     # do something: alert by mail, or place a call if mail fails
>     send_email || generate_phonecall
> fi
>
> The date is for historical purposes, and the checksum
> would be a variable of which system saw what. For those
> who have seen my VABL list http://www.infiltrated.net/vabl.txt
> it would look EXACTLY like that. So for anyone who'd
> care to share, without disclosing WHO shared the
> information, there would be a mechanism to hide your
> identity (company info, etc..)
>
> The other reason for it being a NON public list, would be a
> matter of trust in the sense that, I would NOT allow any
> freemail (Gmail, Hotmail, etc) to be used, in order to
> minimize any false positives. The last thing I would want
> is for someone to maliciously submit data against a
> competitor. (make sense?)
>
> I am willing to start, and maintain such list, however, I'd
> need to know whether or not a) others are willing to share
> attack data (which will be sanitized) b) other businesses
> and peers would find the data useful.
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
>
> 42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
>
