[AusNOG] Rise in fake calling numbers?

Tom Storey tom at snnap.net
Tue May 1 01:05:17 EST 2018


Im based in London, but a colleague of mine has been getting a few calls on
his mobile recently from random Australian numbers.

Random-ish anyway. The last 3 digits seem to be the same, although that
could be entirely coincidental.

0403 595 417
0401 499 417

Does anyone else see the same kind of thing, or am I reading way too far in
to it?


On 23 April 2018 at 07:18, Narelle <narellec at gmail.com> wrote:

>
> And here is the promised summary of responses! Thanks team. Please send
> any additional commentary to narelle.clark "at" accan.org.au-nospamplease
>
> Problem statement:
> Consumer reps are hearing a rise in the incidence of VoIP calls faking
> their caller ID for the purposes of spamming and scamming.
>
> Consumers check the caller ID on their handset CND and accept the
> Australian sourced number, only to find it is a complete scam. This is
> often tied to the 'missed call scam' but now they are presenting using
> genuine Aussie phone numbers and the actual owners aren't happy.
>
> Summary of responses:
> This could be from a few likely possibilities 1. a local VoIP system has
> poor security and has been compromised and is being used as a local
> dialler. 2 incorrect configuration of a VoIP server with incorrect numbers
> on outbound calls within Australia or 3 outright fraud from overseas VoIP
> servers presenting as Australian numbers.
>
> Ideally, this could be handled similarly to IP address matching within BGP
> ASes, but not likely to be as simple.
>
> By inference any provider doing so would be in contravention of the ACMA
> Numbering Plan 2015 Part 2 s102 and therefore fines are payable:
> "s 102 Carriage service provider must not issue a number that it has not
> been
> allocated
> A carriage service provider must not issue a number to a customer unless
> the
> carriage service provider holds the number."
>
>
>
> De-identified responses (some typos corrected):
>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>  --------8<  --------8<---------
> I'd say that in my experience, most of the time it's not spoofed CID or
> ANI, rather a compromised set of SIP gateway credentials. Once in, they
> either don't bother setting CLIP (because it's a scam call) or they set it
> to something that the caller is likely to pick up - local area code prefix
> or similar. The side effect of this is the usual network security approach,
> rather than telephony security - setting up fail2ban, choosing strong
> passwords, whitelisting source IP's that you know are cool, blacklisting
> certain countries IP ranges (India...) yada yada.
>
> Personally, for our call-center kids, we use zendesk for telephony,
> single-sign-on via gsuite authentication, which in turn is protected by
> password policies and enforced 2factor auth. Works well.
>
>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>  --------8<  --------8<---------
>
> Most network operators will filter the source CallerID to ensure that only
> CallerIDs attached to the calling account are able to make a call.
>
> The ACMA is rather strict in regards to this and network operators can
> face fines if they knowingly allow a 'spoofed' callerID without verifying
> the number owner.
>
> Most larger network operators/carriers have implemented filtering across
> their network so if a report of nuisance calls is received they have
> procedures
>
> in place to deal with it quickly.
>
>
> I would suspect that the calls you are seeing may come from a compromised
> device or account with the most unlikely being an untrustworthy operator.
> Technically speaking the best you can do is report every case to your
> provider and police then block the number if it's not a legitimate number.
>
>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>  --------8<  --------8<---------
>
>   I would say they are likely coming in from overseas based telco's. All
> of the Australian based operators that I'm aware of take their
> responsibility seriously when setting the outbound calling number that
> calling customer has the right to use that number. We will not set an
> outbound CLID for our customers unless the inbound is churned to us or the
> customer has provided proof they own the rights to the number. Like their
> mobile number for example.
>
>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>  --------8<  --------8<---------
> Yes I have seen this. Even personally had it
> Had the solar grant scam call with its Caller ID as a Gladstone number.
>
>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>  --------8<  --------8<
> Unfortunately this is very hard to protect against. Pretty much relying on
> the source carrier to so their due diligence and actually stop you from
> setting a number owned by someone else as your caller ID.
>
> Unfortunately there are a lot of VoIP providers that don't do this. There
> are even some VoIP systems that are open to the internet that allow
> unauthenticated or default user/pass to connect..
>
>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>  --------8<  --------8<
>
> I often (as in sometimes several times a day) receive scam calls from the
> 'I'm from Telstra, I regret to inform you we will be cutting off your
> internet' or 'you have a virus I'm calling to help you'  variety, some of
> them lately showing a obviously dodgy caller ID of 61234567890.
>
> Verifying caller ID from direct customers is within their range is OK,
> but  could a large international gateway verify:
> (a) all caller IDs coming up from customer VoIP networks aggregating
> throusaands of number ranges from downstream and downstream-of-downstream
> customer VoIP gateways?
>     - possibly doable, in the same way ISPs require downstream ISPs to
> register IP address block ranges to get them into a filter before they'll
> allow the ranges into BGP routing rables
>
> (b) incoming calls from upstream wholesale suppliers, including
> international networks, which may or may not have any CLI information at
> all? In telephone networks looped calls are OK, so it is perfectly ok to
> recieve a call routing from an international gateway with a Caller ID
> starting with '+61' or any other country prefix, and to forward it through.
>
>
> Best regards and thanks again for the input
>
>
> Narelle Clark
>
>
> On Mon, Apr 23, 2018 at 1:22 PM, Narelle <narellec at gmail.com> wrote:
>
>>
>> Hi folks
>> we may be hearing a rise in the incidence of VoIP calls faking their
>> caller ID for the purposes of spamming and scamming.
>>
>> Consumers check the caller ID on their hand CND and accept the Australian
>> sourced number, only to find it is a complete scam. This is often tied to
>> the 'missed call scam' but now they are using genuine Aussie phone numbers
>> and the genuine owners aren't happy.
>>
>> From my rusty experience at setting up VoIP systems, you should be able
>> to impose filters on incoming calls  at the network level here the number
>> doesn't match the source - can people please give me a clearer update on
>> this from the trenches?
>>
>> What are the good housekeeping steps for network operators?
>>
>> Off list please and I'll summarise the responses,
>>
>> thanks in advance
>>
>>
>>
>> --
>>
>>
>> Narelle Clark
>> narellec at gmail.com
>>
>
>
>
> --
>
>
> Narelle
> narellec at gmail.com
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180430/732708aa/attachment.html>


More information about the AusNOG mailing list