FreePBX hardening ...

Dashrender

@scottalanmiller said in FreePBX hardening ...:

@marcinozga said in FreePBX hardening ...:

@IRJ The scenario described above doesn't look like automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

Actually that's exactly what is done. Bots setting up calls.

I'm curious - to what end? what's the benefit to them?

Skyetel

@Dashrender said in FreePBX hardening ...:

@scottalanmiller said in FreePBX hardening ...:

@marcinozga said in FreePBX hardening ...:

@IRJ The scenario described above doesn't look like automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

Actually that's exactly what is done. Bots setting up calls.

I'm curious - to what end? what's the benefit to them?

Typically bots will call international Toll Free numbers where fraudsters can charge insanely high per-min rates. Toll Fraud (its official name) can be insanely expensive (like $100k phone bill expensive). We are pretty insane with our fraud prevention to avoid this.

Edit - we describe the kinds of fraud we've seen here: https://skyetel.atlassian.net/wiki/spaces/SUG/pages/243761174/High+Cost+Calling
It also describes how our fraud prevention works.

scottalanmiller

@Dashrender said in FreePBX hardening ...:

@scottalanmiller said in FreePBX hardening ...:

@marcinozga said in FreePBX hardening ...:

@IRJ The scenario described above doesn't look like automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

Actually that's exactly what is done. Bots setting up calls.

I'm curious - to what end? what's the benefit to them?

It's big money. Huge money. If you hack a phone system and get free calling to high cost places, then sell that to people making calls at low rates, you can undercut other phone carriers, and pay nothing. So the profit on it is huge.

Imagine being able to run a whole phone company, at essentially zero cost.

Skyetel

@scottalanmiller said in FreePBX hardening ...:

@Dashrender said in FreePBX hardening ...:

@scottalanmiller said in FreePBX hardening ...:

@marcinozga said in FreePBX hardening ...:

@IRJ The scenario described above doesn't look like automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

Actually that's exactly what is done. Bots setting up calls.

I'm curious - to what end? what's the benefit to them?

It's big money. Huge money. If you hack a phone system and get free calling to high cost places, then sell that to people making calls at low rates, you can undercut other phone carriers, and pay nothing. So the profit on it is huge.

Imagine being able to run a whole phone company, at essentially zero cost.

Or sell illegal calling cards. Thats really common too.

scottalanmiller

@Skyetel said in FreePBX hardening ...:

@scottalanmiller said in FreePBX hardening ...:

@Dashrender said in FreePBX hardening ...:

@scottalanmiller said in FreePBX hardening ...:

@marcinozga said in FreePBX hardening ...:

@IRJ The scenario described above doesn't look like automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

Actually that's exactly what is done. Bots setting up calls.

I'm curious - to what end? what's the benefit to them?

It's big money. Huge money. If you hack a phone system and get free calling to high cost places, then sell that to people making calls at low rates, you can undercut other phone carriers, and pay nothing. So the profit on it is huge.

Imagine being able to run a whole phone company, at essentially zero cost.

Or sell illegal calling cards. Thats really common too.

yeah, I imagine that that is the main way of selling that kind of service.

Skyetel

Another really common type of Fraud is actually Inbound. Some companies will actually pay people to deliver calls to Toll Free numbers. (This is because Toll Free carriers give kickbacks to the parties who send calls to them). This makes it so that if a party calls a Toll Free number, they'll get a (very very small) per-min kickback. If they call enough Toll Free numbers and keep them on the line for a long time, they can make a lot of money.

So if you have any Toll Free numbers, make sure they go to an IVR or a Voicemail box that has a timeout :).

JaredBusch

@Skyetel said in FreePBX hardening ...:

@scottalanmiller said in FreePBX hardening ...:

@Dashrender said in FreePBX hardening ...:

@scottalanmiller said in FreePBX hardening ...:

@marcinozga said in FreePBX hardening ...:

@IRJ The scenario described above doesn't look like automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

Actually that's exactly what is done. Bots setting up calls.

I'm curious - to what end? what's the benefit to them?

It's big money. Huge money. If you hack a phone system and get free calling to high cost places, then sell that to people making calls at low rates, you can undercut other phone carriers, and pay nothing. So the profit on it is huge.

Imagine being able to run a whole phone company, at essentially zero cost.

Or sell illegal calling cards. Thats really common too.

Or simply being the telco charging the high rate. You setup bots to call into your system and sit there holding the connection.

JaredBusch

@JaredBusch said in FreePBX hardening ...:

So I tested.

The codes do appear to work on an inbound call, contrary to what that patch shows.

I cannot make it transfer in such a way as my inbound call stays on the call though.

But I can make the recipient side, such as my extension, be connected to some random number, potentially causing toll charges.

1. Call DID
2. Press *2 or ##
3. Hear "transfer" and then dialtone.
4. Dial a valid number
5. Call is connected.

I would expect that *2 attended transfer could be abused like this, but I could not get it to talk.

hahahaha wait.. i was testing from another FreePBX system.. as that was an outbound call, of course it was allowed to make the transfer...

So I disabled *2 and ## on the PBX I was calling out from.

No, I cannot dial in to a FreePBX system and make this work.

Totally patched 3 years ago.

BraswellJay

@JaredBusch said in FreePBX hardening ...:

@BraswellJay said in FreePBX hardening ...:

It appears that as currently set up, our FreePBX instance would suffer from this same kind of attack.

I would love it if you can prove this.

Because this was patched 3 years ago.

Just to follow up, I guess I effed up. I thought I had successfully done this but as you said it is not possible.

flaxking

@marcinozga said in FreePBX hardening ...:

@IRJ The scenario described above doesn't look like automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

I think this is the first episode of the Darknet Diaries