[AusNOG] Rise in fake calling numbers?

Narelle narellec at gmail.com
Tue May 1 07:03:29 EST 2018


The problem is that they are now using genuine third party numbers.

And the poor ducks that actually own them end up receiving a million calls
in response.

Please everyone - make sure you secure your call servers and ensure good
authentication!! Not to mention enforcement of number ownership in your
configs...


Narelle



On Tue, 1 May 2018, 1:23 AM Chris Watts <Chris.Watts at techanalysis.com.au>
wrote:

> Yea got 2 today and one yesterday all were the Telstra scam, you know the
> one... alleging to be from Telstra technical support.
> 0403 567 139
> 0161 926 190 91
> +91 80-432 640 00
>
> I block them at the pbx so they can't call me from that number again.
>
> Chris.
>
>
> On 1/05/2018 1:05 am, Tom Storey wrote:
>
> I'm based in London, but a colleague of mine has been getting a few calls
> on his mobile recently from random Australian numbers.
>
> Random-ish anyway. The last 3 digits seem to be the same, although that
> could be entirely coincidental.
>
> 0403 595 417
> 0401 499 417
>
> Does anyone else see the same kind of thing, or am I reading way too far
> into it?
>
>
> On 23 April 2018 at 07:18, Narelle <narellec at gmail.com> wrote:
>
>>
>> And here is the promised summary of responses! Thanks team. Please send
>> any additional commentary to narelle.clark "at" accan.org.au-nospamplease
>>
>> Problem statement:
>> Consumer reps are hearing a rise in the incidence of VoIP calls faking
>> their caller ID for the purposes of spamming and scamming.
>>
>> Consumers check the caller ID on their handset CND and accept the
>> Australian sourced number, only to find it is a complete scam. This is
>> often tied to the 'missed call scam' but now they are presenting using
>> genuine Aussie phone numbers and the actual owners aren't happy.
>>
>> Summary of responses:
>> This could be from a few likely possibilities: 1. a local VoIP system has
>> poor security and has been compromised and is being used as a local
>> dialler, 2. incorrect configuration of a VoIP server with incorrect numbers
>> on outbound calls within Australia, or 3. outright fraud from overseas VoIP
>> servers presenting as Australian numbers.
>>
>> Ideally, this could be handled similarly to IP address matching within
>> BGP ASes, but not likely to be as simple.
>>
>> By inference any provider doing so would be in contravention of the ACMA
>> Numbering Plan 2015 Part 2 s102 and therefore fines are payable:
>> "s 102 Carriage service provider must not issue a number that it has not
>> been allocated
>> A carriage service provider must not issue a number to a customer unless
>> the carriage service provider holds the number."
>>
>>
>>
>> De-identified responses (some typos corrected):
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>>  --------8<  --------8<---------
>> I'd say that in my experience, most of the time it's not spoofed CID or
>> ANI, rather a compromised set of SIP gateway credentials. Once in, they
>> either don't bother setting CLIP (because it's a scam call) or they set it
>> to something that the caller is likely to pick up - local area code prefix
>> or similar. The side effect of this is the usual network security approach,
>> rather than telephony security - setting up fail2ban, choosing strong
>> passwords, whitelisting source IPs that you know are cool, blacklisting
>> certain countries' IP ranges (India...) yada yada.
>>
>> Personally, for our call-center kids, we use zendesk for telephony,
>> single-sign-on via gsuite authentication, which in turn is protected by
>> password policies and enforced 2factor auth. Works well.
>>
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>>  --------8<  --------8<---------
>>
>> Most network operators will filter the source CallerID to ensure that
>> only CallerIDs attached to the calling account are able to make a call.
>>
>> The ACMA is rather strict in regards to this and network operators can
>> face fines if they knowingly allow a 'spoofed' callerID without verifying
>> the number owner.
>>
>> Most larger network operators/carriers have implemented filtering across
>> their network so if a report of nuisance calls is received they have
>> procedures in place to deal with it quickly.
>>
>>
>> I would suspect that the calls you are seeing may come from a compromised
>> device or account with the most unlikely being an untrustworthy operator.
>> Technically speaking the best you can do is report every case to your
>> provider and police then block the number if it's not a legitimate number.
>>
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>>  --------8<  --------8<---------
>>
>> I would say they are likely coming in from overseas based telcos. All
>> of the Australian based operators that I'm aware of take their
>> responsibility seriously when setting the outbound calling number that
>> calling customer has the right to use that number. We will not set an
>> outbound CLID for our customers unless the inbound is churned to us or the
>> customer has provided proof they own the rights to the number. Like their
>> mobile number for example.
>>
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>>  --------8<  --------8<---------
>> Yes I have seen this. Even personally had it.
>> Had the solar grant scam call with its Caller ID as a Gladstone number.
>>
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>>  --------8<  --------8<
>> Unfortunately this is very hard to protect against. Pretty much relying
>> on the source carrier to do their due diligence and actually stop you from
>> setting a number owned by someone else as your caller ID.
>>
>> Unfortunately there are a lot of VoIP providers that don't do this. There
>> are even some VoIP systems that are open to the internet that allow
>> unauthenticated or default user/pass to connect.
>>
>>  --------8<  --------8<  --------8<  --------8<  --------8<  --------8<
>>  --------8<  --------8<
>>
>> I often (as in sometimes several times a day) receive scam calls from the
>> 'I'm from Telstra, I regret to inform you we will be cutting off your
>> internet' or 'you have a virus I'm calling to help you' variety, some of
>> them lately showing an obviously dodgy caller ID of 61234567890.
>>
>> Verifying caller ID from direct customers is within their range is OK,
>> but could a large international gateway verify:
>> (a) all caller IDs coming up from customer VoIP networks aggregating
>> thousands of number ranges from downstream and downstream-of-downstream
>> customer VoIP gateways?
>>     - possibly doable, in the same way ISPs require downstream ISPs to
>> register IP address block ranges to get them into a filter before they'll
>> allow the ranges into BGP routing tables
>>
>> (b) incoming calls from upstream wholesale suppliers, including
>> international networks, which may or may not have any CLI information at
>> all? In telephone networks looped calls are OK, so it is perfectly ok to
>> receive a call routing from an international gateway with a Caller ID
>> starting with '+61' or any other country prefix, and to forward it through.
>>
>>
>> Best regards and thanks again for the input
>>
>>
>> Narelle Clark
>>
>>
>> On Mon, Apr 23, 2018 at 1:22 PM, Narelle <narellec at gmail.com> wrote:
>>
>>>
>>> Hi folks
>>> we may be hearing a rise in the incidence of VoIP calls faking their
>>> caller ID for the purposes of spamming and scamming.
>>>
>>> Consumers check the caller ID on their hand CND and accept the
>>> Australian sourced number, only to find it is a complete scam. This is
>>> often tied to the 'missed call scam' but now they are using genuine Aussie
>>> phone numbers and the genuine owners aren't happy.
>>>
>>> From my rusty experience at setting up VoIP systems, you should be able
>>> to impose filters on incoming calls at the network level where the number
>>> doesn't match the source - can people please give me a clearer update on
>>> this from the trenches?
>>>
>>> What are the good housekeeping steps for network operators?
>>>
>>> Off list please and I'll summarise the responses,
>>>
>>> thanks in advance
>>>
>>>
>>>
>>> --
>>>
>>>
>>> Narelle Clark
>>> narellec at gmail.com
>>>
>>
>>
>>
>> --
>>
>>
>> Narelle
>> narellec at gmail.com
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
>
>
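
The CallerID filtering described in the quoted responses (only numbers attached to the calling account may be presented, with downstream ranges registered in advance like a BGP prefix filter), sketched as an added example that is not part of the original thread. The account names, number ranges and the allow/withhold/reject policy are constructed assumptions.

```python
import re

# Constructed sample data (assumption): E.164 ranges each trunk may present.
# "held" = numbers issued or ported to the account; "downstream" = ranges the
# account registered for its own customers, like a BGP prefix filter.
ACCOUNTS = {
    "trunk-a": {"held": [("+61255500100", "+61255500199")],
                "downstream": [("+61491570000", "+61491570199")]},
    "trunk-b": {"held": [("+61755500000", "+61755500009")], "downstream": []},
}

def normalise(cli, default_cc="61"):
    """Return the presented CLI as +E.164, or None if absent or malformed."""
    if not cli:
        return None
    digits = re.sub(r"[\s\-().]", "", cli)
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("0011"):   # Australian international dialling prefix
        digits = digits[4:]
    elif digits.startswith("0"):      # national format, e.g. 04xx xxx xxx
        digits = default_cc + digits[1:]
    if not re.fullmatch(r"[0-9]{8,15}", digits):
        return None
    return "+" + digits

def in_ranges(number, ranges):
    """True if number falls inside any (low, high) range of the same length."""
    n = int(number[1:])
    return any(len(lo) == len(number) and int(lo[1:]) <= n <= int(hi[1:])
               for lo, hi in ranges)

def screen(account, presented_cli):
    """Decide what to do with the CLI a trunk presents on an outbound call."""
    acct = ACCOUNTS.get(account)
    if acct is None:
        return ("reject", "unknown account")
    number = normalise(presented_cli)
    if number is None:
        # Assumed policy: carry the call but never forward an unusable CLI.
        return ("withhold", "missing or malformed CLI")
    if in_ranges(number, acct["held"] + acct["downstream"]):
        return ("allow", number)
    return ("reject", f"{number} is not held by {account}")
```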