[AusNOG] Rise in fake calling numbers?
Chris Watts
Chris.Watts at techanalysis.com.au
Tue May 1 01:22:59 EST 2018
Yea got 2 today and one yesterday all were the Telstra scam, you know
the one... alleging to be from Telstra technical support.
0403 567 139
0161 926 190 91
+91 80-432 640 00
I block them at the PBX so they can't call me from that number again.
Chris.
On 1/05/2018 1:05 am, Tom Storey wrote:
> I'm based in London, but a colleague of mine has been getting a few
> calls on his mobile recently from random Australian numbers.
>
> Random-ish anyway. The last 3 digits seem to be the same, although
> that could be entirely coincidental.
>
> 0403 595 417
> 0401 499 417
>
> Does anyone else see the same kind of thing, or am I reading way too
> far into it?
>
>
> On 23 April 2018 at 07:18, Narelle <narellec at gmail.com> wrote:
>
>
> And here is the promised summary of responses! Thanks team. Please
> send any additional commentary to narelle.clark "at"
> accan.org.au-nospamplease
>
> Problem statement:
> Consumer reps are hearing a rise in the incidence of VoIP calls
> faking their caller ID for the purposes of spamming and scamming.
>
> Consumers check the caller ID on their handset CND and accept the
> Australian sourced number, only to find it is a complete scam.
> This is often tied to the 'missed call scam' but now they are
> presenting using genuine Aussie phone numbers and the actual
> owners aren't happy.
>
> Summary of responses:
> This could be from a few likely possibilities:
> 1. a local VoIP system has poor security and has been compromised
> and is being used as a local dialler;
> 2. incorrect configuration of a VoIP server with incorrect numbers
> on outbound calls within Australia; or
> 3. outright fraud from overseas VoIP servers presenting as
> Australian numbers.
>
> Ideally, this could be handled similarly to IP address matching
> within BGP ASes, but not likely to be as simple.
>
> By inference any provider doing so would be in contravention of
> the ACMA Numbering Plan 2015 Part 2 s102 and therefore fines are
> payable:
> "s 102 Carriage service provider must not issue a number that it
> has not been allocated
> A carriage service provider must not issue a number to a customer
> unless the carriage service provider holds the number."
>
>
>
> De-identified responses (some typos corrected):
> --------8< --------8< --------8< --------8< --------8< --------8< --------8< --------8<---------
>
> I'd say that in my experience, most of the time it's not spoofed
> CID or ANI, rather a compromised set of SIP gateway credentials.
> Once in, they either don't bother setting CLIP (because it's a
> scam call) or they set it to something that the caller is likely
> to pick up - local area code prefix or similar. The side effect of
> this is the usual network security approach, rather than telephony
> security - setting up fail2ban, choosing strong passwords,
> whitelisting source IPs that you know are cool, blacklisting
> certain countries' IP ranges (India...) yada yada.
>
> Personally, for our call-center kids, we use Zendesk for
> telephony, single-sign-on via G Suite authentication, which in turn
> is protected by password policies and enforced 2-factor auth. Works
> well.
>
> --------8< --------8< --------8< --------8< --------8< --------8< --------8< --------8<---------
>
> Most network operators will filter the source CallerID to ensure
> that only CallerIDs attached to the calling account are able to
> make a call.
>
> The ACMA is rather strict in regards to this and network operators
> can face fines if they knowingly allow a 'spoofed' callerID
> without verifying the number owner.
>
> Most larger network operators/carriers have implemented filtering
> across their network so if a report of nuisance calls is received
> they have procedures in place to deal with it quickly.
>
>
> I would suspect that the calls you are seeing may come from a
> compromised device or account with the most unlikely being an
> untrustworthy operator.
>
> Technically speaking the best you can do is report every case to
> your provider and police then block the number if it's not a
> legitimate number.
>
> --------8< --------8< --------8< --------8< --------8< --------8< --------8< --------8<---------
>
> I would say they are likely coming in from overseas-based
> telcos. All of the Australian based operators that I'm aware of
> take their responsibility seriously when setting the outbound
> calling number that calling customer has the right to use that
> number. We will not set an outbound CLID for our customers unless
> the inbound is churned to us or the customer has provided proof
> they own the rights to the number. Like their mobile number for
> example.
>
> --------8< --------8< --------8< --------8< --------8< --------8< --------8< --------8<---------
>
> Yes I have seen this. Even personally had it.
> Had the solar grant scam call with its Caller ID as a Gladstone
> number.
>
> --------8< --------8< --------8< --------8< --------8< --------8< --------8< --------8<
>
> Unfortunately this is very hard to protect against. Pretty much
> relying on the source carrier to do their due diligence and
> actually stop you from setting a number owned by someone else as
> your caller ID.
>
> Unfortunately there are a lot of VoIP providers that don't do
> this. There are even some VoIP systems that are open to the
> internet that allow unauthenticated or default user/pass to connect.
>
> --------8< --------8< --------8< --------8< --------8< --------8< --------8< --------8<
>
>
> I often (as in sometimes several times a day) receive scam calls
> from the 'I'm from Telstra, I regret to inform you we will be
> cutting off your internet' or 'you have a virus I'm calling to
> help you' variety, some of them lately showing an obviously dodgy
> caller ID of 61234567890.
>
> Verifying caller ID from direct customers is within their range is
> OK, but could a large international gateway verify:
> (a) all caller IDs coming up from customer VoIP networks
> aggregating thousands of number ranges from downstream and
> downstream-of-downstream customer VoIP gateways?
> - possibly doable, in the same way ISPs require downstream
> ISPs to register IP address block ranges to get them into a filter
> before they'll allow the ranges into BGP routing tables
>
> (b) incoming calls from upstream wholesale suppliers, including
> international networks, which may or may not have any CLI
> information at all? In telephone networks looped calls are OK, so
> it is perfectly ok to receive a call routing from an international
> gateway with a Caller ID starting with '+61' or any other country
> prefix, and to forward it through.
>
>
> Best regards and thanks again for the input
>
>
> Narelle Clark
>
>
> On Mon, Apr 23, 2018 at 1:22 PM, Narelle <narellec at gmail.com> wrote:
>
>
> Hi folks
> we may be hearing a rise in the incidence of VoIP calls faking
> their caller ID for the purposes of spamming and scamming.
>
> Consumers check the caller ID on their hand CND and accept the
> Australian sourced number, only to find it is a complete scam.
> This is often tied to the 'missed call scam' but now they are
> using genuine Aussie phone numbers and the genuine owners
> aren't happy.
>
> From my rusty experience at setting up VoIP systems, you
> should be able to impose filters on incoming calls at the
> network level where the number doesn't match the source - can
> people please give me a clearer update on this from the trenches?
>
> What are the good housekeeping steps for network operators?
>
> Off list please and I'll summarise the responses,
>
> thanks in advance
>
>
>
> --
>
>
> Narelle Clark
> narellec at gmail.com
>
>
>
>
> --
>
>
> Narelle
> narellec at gmail.com
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
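
The source-CallerID filtering that several respondents in the quoted summary describe, sketched as an added example (not part of the original thread and not any operator's actual code). The account name, number ranges, "verified" set and the override-to-default policy are assumptions; all sample numbers are constructed except `61234567890`, which is the value quoted in the thread.

```python
import re

# Constructed allocation table: ranges the provider holds for the account,
# plus numbers the customer has proven they own (e.g. their mobile).
ACCOUNTS = {
    "acct-a": {
        "default": "+61255500100",
        "ranges": [("+61255500100", "+61255500199")],
        "verified": {"+61491570156"},
    },
}

def normalize_au(raw):
    """Return an Australian number as +61 plus 9 digits, or None."""
    digits = re.sub(r"[\s\-()]", "", raw or "")
    if digits.startswith("+61") or digits.startswith("61"):
        nsn = digits.lstrip("+")[2:]
    elif digits.startswith("0"):
        nsn = digits[1:]          # national format, drop the trunk prefix
    else:
        return None
    # Assumption: only geographic (2, 3, 7, 8) and mobile (4) numbers are
    # acceptable as a presented caller ID.
    if not re.fullmatch(r"[23478]\d{8}", nsn):
        return None
    return "+61" + nsn

def screen_cli(account_id, presented):
    """Decide what caller ID an outbound call from this account may carry."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return ("reject", None)   # unknown account: no call at all
    cli = normalize_au(presented)
    if cli is not None:
        # Normalized numbers have equal length, so string comparison
        # orders them the same way as numeric comparison.
        in_range = any(lo <= cli <= hi for lo, hi in acct["ranges"])
        if in_range or cli in acct["verified"]:
            return ("allow", cli)
    # Anything else is replaced with a number the account really holds.
    return ("override", acct["default"])

if __name__ == "__main__":
    for cid in ["02 5550 0123", "+61 491 570 156", "0491 570 157", "61234567890"]:
        print(cid, "->", screen_cli("acct-a", cid))
```

A check like this only covers calls from the provider's own authenticated customers; it does nothing for calls arriving from upstream or international gateways, which is the gap the last respondent raises.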