[AusNOG] Rise in fake calling numbers?

Matthew Moyle-Croft mmc at mmc.com.au
Tue May 1 07:19:29 EST 2018



> On 30 Apr 2018, at 2:03 pm, Narelle <narellec at gmail.com> wrote:
> 
> 
> The problem is that they are now using genuine third party numbers.
> 
> And the poor ducks that actually own them end up receiving a million calls in response.
> 
> Please everyone - make sure you secure your call servers and ensure good authentication!! Not to mention enforcement of number ownership in your configs…

This happens because people aren’t validating CLID on interconnects. It’s not really about security and authentication of VOIP infrastructure. It came about because people want to set CLID on outbound calls via carriers that don’t own their numbers. In some ways it’s consumer/business friendly BUT abuse leads to phone calls being a trashfire. In the US it’s meaning that some carriers run all calls through some validation and present some info about whether it’s real or not or the likely actual origin. T-Mobile are doing this - super helpful as you get info on whether it’s a scam or not. HIGHLY recommend Australian carriers get onto this. It’s cut down the amount of dodgy calls in the US a lot recently.

MMC

> 
> 
> Narelle 
> 
> 
> 
> On Tue, 1 May 2018, 1:23 AM Chris Watts <Chris.Watts at techanalysis.com.au> wrote:
> Yea got 2 today and one yesterday all were the Telstra scam, you know the one... alleging to be from Telstra technical support.
> 0403 567 139
> 0161 926 190 91
> +91 80-432 640 00
> 
> I block them at the pbx so they can't call me from that number again.
> 
> Chris.
> 
> 
> On 1/05/2018 1:05 am, Tom Storey wrote:
>> I'm based in London, but a colleague of mine has been getting a few calls on his mobile recently from random Australian numbers.
>> 
>> Random-ish anyway. The last 3 digits seem to be the same, although that could be entirely coincidental.
>> 
>> 0403 595 417
>> 0401 499 417
>> 
>> Does anyone else see the same kind of thing, or am I reading way too far in to it?
>> 
>> 
>> On 23 April 2018 at 07:18, Narelle <narellec at gmail.com> wrote:
>> 
>> And here is the promised summary of responses! Thanks team. Please send any additional commentary to narelle.clark "at" accan.org.au-nospamplease
>> 
>> Problem statement:
>> Consumer reps are hearing a rise in the incidence of VoIP calls faking their caller ID for the purposes of spamming and scamming.
>> 
>> Consumers check the caller ID on their handset CND and accept the Australian sourced number, only to find it is a complete scam. This is often tied to the 'missed call scam' but now they are presenting using genuine Aussie phone numbers and the actual owners aren't happy.
>> 
>> Summary of responses:
>> This could be from a few likely possibilities:
>> 1. a local VoIP system has poor security and has been compromised and is being used as a local dialler;
>> 2. incorrect configuration of a VoIP server with incorrect numbers on outbound calls within Australia; or
>> 3. outright fraud from overseas VoIP servers presenting as Australian numbers.
>> 
>> Ideally, this could be handled similarly to IP address matching within BGP ASes, but not likely to be as simple.
>> 
>> By inference any provider doing so would be in contravention of the ACMA Numbering Plan 2015 Part 2 s102 and therefore fines are payable:
>> "s 102 Carriage service provider must not issue a number that it has not been
>> allocated
>> A carriage service provider must not issue a number to a customer unless the
>> carriage service provider holds the number."
>> 
>> 
>> 
>> De-identified responses (some typos corrected):
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<--------- 
>> I'd say that in my experience, most of the time it's not spoofed CID or ANI, rather a compromised set of SIP gateway credentials. Once in, they either don't bother setting CLIP (because it's a scam call) or they set it to something that the caller is likely to pick up - local area code prefix or similar. The side effect of this is the usual network security approach, rather than telephony security - setting up fail2ban, choosing strong passwords, whitelisting source IPs that you know are cool, blacklisting certain countries' IP ranges (India...) yada yada.
>> 
>> Personally, for our call-center kids, we use zendesk for telephony, single-sign-on via gsuite authentication, which in turn is protected by password policies and enforced 2factor auth. Works well. 
>> 
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<---------
>> Most network operators will filter the source CallerID to ensure that only CallerIDs attached to the calling account are able to make a call.
>> 
>> The ACMA is rather strict in regards to this and network operators can face fines if they knowingly allow a 'spoofed' callerID without verifying the number owner.
>> 
>> Most larger network operators/carriers have implemented filtering across their network so if a report of nuisance calls is received they have procedures in place to deal with it quickly.
>> 
>> I would suspect that the calls you are seeing may come from a compromised device or account with the most unlikely being an untrustworthy operator.
>> Technically speaking the best you can do is report every case to your provider and police then block the number if it's not a legitimate number.
>> 
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<--------- 
>> 
>> I would say they are likely coming in from overseas based telcos. All of the Australian based operators that I'm aware of take their responsibility seriously when setting the outbound calling number that calling customer has the right to use that number. We will not set an outbound CLID for our customers unless the inbound is churned to us or the customer has provided proof they own the rights to the number. Like their mobile number for example.
>> 
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<---------  
>> Yes I have seen this. Even personally had it
>> Had the solar grant scam call with its Caller ID as a Gladstone number.  
>> 
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8< 
>> Unfortunately this is very hard to protect against. Pretty much relying on the source carrier to do their due diligence and actually stop you from setting a number owned by someone else as your caller ID.
>> 
>> Unfortunately there are a lot of VoIP providers that don't do this. There are even some VoIP systems that are open to the internet that allow unauthenticated or default user/pass to connect.
>> 
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<  
>> 
>> I often (as in sometimes several times a day) receive scam calls from the 'I'm from Telstra, I regret to inform you we will be cutting off your internet' or 'you have a virus I'm calling to help you' variety, some of them lately showing an obviously dodgy caller ID of 61234567890.
>> 
>> Verifying caller ID from direct customers is within their range is OK, but could a large international gateway verify:
>> (a) all caller IDs coming up from customer VoIP networks aggregating thousands of number ranges from downstream and downstream-of-downstream customer VoIP gateways?
>>     - possibly doable, in the same way ISPs require downstream ISPs to register IP address block ranges to get them into a filter before they'll allow the ranges into BGP routing tables
>> 
>> (b) incoming calls from upstream wholesale suppliers, including international networks, which may or may not have any CLI information at all? In telephone networks looped calls are OK, so it is perfectly ok to receive a call routing from an international gateway with a Caller ID starting with '+61' or any other country prefix, and to forward it through.
>> 
>> 
>> Best regards and thanks again for the input
>> 
>> 
>> Narelle Clark
>> 
>> 
>> On Mon, Apr 23, 2018 at 1:22 PM, Narelle <narellec at gmail.com> wrote:
>> 
>> Hi folks
>> we may be hearing a rise in the incidence of VoIP calls faking their caller ID for the purposes of spamming and scamming.
>> 
>> Consumers check the caller ID on their hand CND and accept the Australian sourced number, only to find it is a complete scam. This is often tied to the 'missed call scam' but now they are using genuine Aussie phone numbers and the genuine owners aren't happy.
>> 
>> From my rusty experience at setting up VoIP systems, you should be able to impose filters on incoming calls at the network level where the number doesn't match the source - can people please give me a clearer update on this from the trenches?
>> 
>> What are the good housekeeping steps for network operators?
>> 
>> Off list please and I'll summarise the responses,
>> 
>> thanks in advance
>> 
>> 
>> 
>> -- 
>> 
>> 
>> Narelle Clark
>> narellec at gmail.com
>> 
>> 
>> -- 
>> 
>> 
>> Narelle
>> narellec at gmail.com
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>> 
>> 
>> 
>> 

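The filtering several replies in this thread describe (a call may only present caller IDs held by the calling account, much like a per-customer BGP prefix filter) can be sketched as follows. This is an added example, not code from the thread or from any poster's network; the account names, number ranges, INVITE fragments and the reject-when-no-ID policy are constructed assumptions.

```python
import re

# Constructed sample data: inclusive E.164 ranges each downstream account has
# proven it holds, playing the role of a per-customer BGP prefix filter.
ALLOCATIONS = {
    "cust-a": [("+61255500100", "+61255500199")],
    "cust-b": [("+61491570156", "+61491570156")],
}

def to_e164(cli, country="61"):
    """Normalise a presented caller ID to +E.164; None if it is malformed."""
    digits = re.sub(r"[\s\-().]", "", cli or "")
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("0011"):   # Australian international access code
        digits = digits[4:]
    elif digits.startswith("0"):      # national format, e.g. 04xx xxx xxx
        digits = country + digits[1:]
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return "+" + digits

def holds(account, cli):
    """True if the normalised number falls inside one of the account's ranges."""
    n = int(cli[1:])
    return any(len(lo) == len(cli) and int(lo[1:]) <= n <= int(hi[1:])
               for lo, hi in ALLOCATIONS.get(account, []))

def presented_ids(invite):
    """User parts of every From / P-Asserted-Identity header in a SIP INVITE."""
    pat = r"^(?:From|P-Asserted-Identity):.*?<(?:sip|tel):([^@;>]+)"
    return re.findall(pat, invite, re.M | re.I)

def screen_invite(account, invite):
    """Reject unless every identity the call presents belongs to the account."""
    ids = presented_ids(invite)
    if not ids:
        return ("reject", "no caller ID presented")
    for raw in ids:
        cli = to_e164(raw)
        if cli is None or not holds(account, cli):
            return ("reject", f"{raw} not held by {account}")
    return ("pass", to_e164(ids[0]))

# Constructed INVITE fragments: cust-a's own number, then someone else's number.
OWN = 'INVITE sip:x@gw.example SIP/2.0\r\nFrom: "A" <sip:0255500123@pbx.example>;tag=1\r\n'
SPOOF = 'INVITE sip:x@gw.example SIP/2.0\r\nFrom: "T" <sip:0491570156@pbx.example>;tag=2\r\n'
```

A check like this only works on trunks from direct customers whose ranges are known; as point (b) in the summary notes, calls arriving from upstream wholesale or international gateways can legitimately carry +61 numbers and cannot be screened this way.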