Although a rare occurrence, we have seen a few cases of call fraud where several misconfigurations led to the unnecessary exposure and compromisation of DIVATEL IP PBX. In this blog post we are going to highlight some common mistakes we’ve noticed that lead to call fraud and what you can do to avoid them.
What is a Call Fraud? Simply put, a call fraud occurs when untrusted parties place calls through your PBX, at your expense. Usually this happens overnight or when offices are closed, and calls are placed in bulk to various international destinations. And then you get a large bill at the end of the month which you need to pay….
Since the early ages of PBXs, free international calling has been the target of phone phreaks. You might think that it’s something of the past with communication costs having drastically decreased, however in the modern age of VoIP telephony a global threat of organized crime has occurred looking to make big profits in an industrial manner.
Usually, a hacker compromises IP PBX servers in order to establish calls to premium international numbers. His motivation is an indirect financial gain, as he will dial thousands of numbers in an automated manner from premium services under his control, in order to get paid commissions per call or per time spent on the line. This is also known as International Revenue Sharing Fraud (IRSF). Another common way to profit more directly is the simple resale of stolen credentials on the darknet for whoever wants a cheap route to dial out.
DIVATEL IPPBX Phone System has many inbuilt security features and default settings which prevent such abuses, however, administrators sometimes disable safeties without understanding the risks implied leading to the inevitable.
We will detail below the TOP 5 common mistakes to avoid.
Number 1: Weak Credentials
The first mistake is using weak credentials for your extensions.
hen creating an extension in your phone system, default random credentials are generated at all levels, strong SIP Authentication ID and password for SIP, strong password for your web client, for your hard phone web interface, random voicemail PIN, etc. You should stick to those random values which ensure protection against password-guessing attacks, also called brute-force.
Since v15.5 it is impossible to edit and save an extension with credentials that are too short, however, you may have inherited such a setting from previous versions or backups.
By the way, please never set temporary credentials for testing, thinking that you will change them later when going in production as usually people tend to forget these things.
Number 2: Allowing Remote Access
The second most common mistake is to have the option “Disallow use outside LAN” unticked under your extensions when not needed.
This option prevents remote SIP registration on your extension and is ticked by default when creating an extension. You can still use a remote DIVATEL client or the DIVATEL Web Client under this condition without being affected, as the client uses the tunnel protocol to connect to the PBX. In effect, the option should be unticked only when using a remote STUN hard phone.
Number 3: Too Many Countries Allowed
When first installing your PBX a screen prompted for the countries to allow in and outbound calls. This list can be later found in Security / Allowed country codes.
It should be restricted to the countries called commonly by the users. By default we restrict to the country of installation only.
A bad practice is of course to allow all countries thinking that it will be adjusted later, usually never.
Note for US customers: the North American Numbering Plan (NANP) allows to dial 25 regions or countries from North America and the Caribbean, without an international dial code. The international dial code would be 011, or + in case of US. The anti-hacking feature will let such numbers go through as local numbers (as per ITU standards). You should therefore have strict outbound rules, with a list of NANP prefixes to block and route 1: Block calls, and ensure this rule is in first position.
Number 4: Lazy Outbound Rules
Another bad practice is to have “lazy” outbound rules, letting any number dialed from anyone in the system go through. A typical rule is one with no criteria other than the DEFAULT extension group.
You should have rules set as strictly as possible, like in firewalls, defining specific prefixes or number lengths, and which extensions or which extension groups will be allowed to dial out.
Number 5: Misconfigured E164 Settings
Under Settings / E164 Processing are standard settings ensuring the replacement of the “+” by your local international dial code. The reference is the country defined at the installation time. For example in most countries you will get “00” as the international dial code, for the US you will get “011”. Those are values as per ITU standards.
This setting is important as it is also used to determine the list of country codes blocked as per the “Allowed country codes” tab discussed above. For instance, with “00” and Albania blocked, the feature will look for numbers dialed in the form of 00355xxx or +355xxx. If you misconfigured the international dial code, this can result in a wrong “+” replacement but also in the safety being inoperant.