[AusNOG] Rise in fake calling numbers?

Narelle narellec at gmail.com
Mon Apr 23 16:18:43 EST 2018 

And here is the promised summary of responses! Thanks team. Please send any
additional commentary to narelle.clark "at" accan.org.au-nospamplease

Problem statement:
Consumer reps are hearing a rise in the incidence of VoIP calls faking
their caller ID for the purposes of spamming and scamming.

Consumers check the caller ID on their handset CND and accept the
Australian sourced number, only to find it is a complete scam. This is
often tied to the 'missed call scam' but now they are presenting using
genuine Aussie phone numbers and the actual owners aren't happy.

Summary of responses:
This could be from a few likely possibilities 1. a local VoIP system has
poor security and has been compromised and is being used as a local
dialler. 2 incorrect configuration of a VoIP server with incorrect numbers
on outbound calls within Australia or 3 outright fraud from overseas VoIP
servers presenting as Australian numbers.

Ideally, this could be handled similarly to IP address matching within BGP
ASes, but not likely to be as simple.

By inference any provider doing so would be in contravention of the ACMA
Numbering Plan 2015 Part 2 s102 and therefore fines are payable:
"s 102 Carriage service provider must not issue a number that it has not
been
allocated
A carriage service provider must not issue a number to a customer unless the
carriage service provider holds the number."



De-identified responses (some typos corrected):
 --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
 --------8<  --------8<---------
I'd say that in my experience, most of the time it's not spoofed CID or
ANI, rather a compromised set of SIP gateway credentials. Once in, they
either don't bother setting CLIP (because it's a scam call) or they set it
to something that the caller is likely to pick up - local area code prefix
or similar. The side effect of this is the usual network security approach,
rather than telephony security - setting up fail2ban, choosing strong
passwords, whitelisting source IP's that you know are cool, blacklisting
certain countries IP ranges (India...) yada yada.

Personally, for our call-center kids, we use zendesk for telephony,
single-sign-on via gsuite authentication, which in turn is protected by
password policies and enforced 2factor auth. Works well.

 --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
 --------8<  --------8<---------

Most network operators will filter the source CallerID to ensure that only
CallerIDs attached to the calling account are able to make a call.

The ACMA is rather strict in regards to this and network operators can face
fines if they knowingly allow a 'spoofed' callerID without verifying the
number owner.

Most larger network operators/carriers have implemented filtering across
their network so if a report of nuisance calls is received they have
procedures

in place to deal with it quickly.


I would suspect that the calls you are seeing may come from a compromised
device or account with the most unlikely being an untrustworthy operator.
Technically speaking the best you can do is report every case to your
provider and police then block the number if it's not a legitimate number.

 --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
 --------8<  --------8<---------

  I would say they are likely coming in from overseas based telco's. All of
the Australian based operators that I'm aware of take their responsibility
seriously when setting the outbound calling number that calling customer
has the right to use that number. We will not set an outbound CLID for our
customers unless the inbound is churned to us or the customer has provided
proof they own the rights to the number. Like their mobile number for
example.

 --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
 --------8<  --------8<---------
Yes I have seen this. Even personally had it
Had the solar grant scam call with its Caller ID as a Gladstone number.

 --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
 --------8<  --------8<
Unfortunately this is very hard to protect against. Pretty much relying on
the source carrier to so their due diligence and actually stop you from
setting a number owned by someone else as your caller ID.

Unfortunately there are a lot of VoIP providers that don't do this. There
are even some VoIP systems that are open to the internet that allow
unauthenticated or default user/pass to connect..

 --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
 --------8<  --------8<

I often (as in sometimes several times a day) receive scam calls from the
'I'm from Telstra, I regret to inform you we will be cutting off your
internet' or 'you have a virus I'm calling to help you'  variety, some of
them lately showing a obviously dodgy caller ID of 61234567890.

Verifying caller ID from direct customers is within their range is OK, but
could a large international gateway verify:
(a) all caller IDs coming up from customer VoIP networks aggregating
throusaands of number ranges from downstream and downstream-of-downstream
customer VoIP gateways?
    - possibly doable, in the same way ISPs require downstream ISPs to
register IP address block ranges to get them into a filter before they'll
allow the ranges into BGP routing rables

(b) incoming calls from upstream wholesale suppliers, including
international networks, which may or may not have any CLI information at
all? In telephone networks looped calls are OK, so it is perfectly ok to
recieve a call routing from an international gateway with a Caller ID
starting with '+61' or any other country prefix, and to forward it through.


Best regards and thanks again for the input


Narelle Clark


On Mon, Apr 23, 2018 at 1:22 PM, Narelle <narellec at gmail.com> wrote:

>
> Hi folks
> we may be hearing a rise in the incidence of VoIP calls faking their
> caller ID for the purposes of spamming and scamming.
>
> Consumers check the caller ID on their hand CND and accept the Australian
> sourced number, only to find it is a complete scam. This is often tied to
> the 'missed call scam' but now they are using genuine Aussie phone numbers
> and the genuine owners aren't happy.
>
> From my rusty experience at setting up VoIP systems, you should be able to
> impose filters on incoming calls  at the network level here the number
> doesn't match the source - can people please give me a clearer update on
> this from the trenches?
>
> What are the good housekeeping steps for network operators?
>
> Off list please and I'll summarise the responses,
>
> thanks in advance
>
>
>
> --
>
>
> Narelle Clark
> narellec at gmail.com
>



-- 


Narelle
narellec at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180423/302e55c3/attachment-0001.html>

More information about the AusNOG mailing list