Call Traffic Mystery



  • Ok VoIP folks, tell me how crazy this sounds. I'm trying to figure out the source of an apparent spike in long-distance and in-bound toll-free minutes usage. For long-distance (interstate calling), I've found what appears to be a smoking gun, but here's where it gets odd.
    This is from a CDR record of what appears to be a bogus call (Field = Definition).

    Internal Call = External Call (This tells me call is not originating from my office).
    Direction = Inbound (Ok, this makes sense).
    Caller Type = PRI (from the documentation, this is the type of line for the incoming call)
    Caller ID = O (The letter O. Odd; however, it's caller ID -- strange things can appear)
    Target Type = PRI (from the documentation, this is the called target line type -- Odd, why would an inbound call have this?)
    Target ID = someLongDistanceNumber (How is this possible? An inbound call to my office with a target of an outside number**)
    DNIS = lastFourDigitsOfOurOfficeNumber (from the documentation, DNIS number for the incoming call)
    Exit State = Connected (makes sense)

    **The only way this is making sense to me is that something outside of our office is using someone's extension credentials to make a call to a long distance number. It just messes with my head to see an inbound call to an external number.


  • Service Provider

    @EddieJennings said in Call Traffic Mystery:

    Ok VoIP folks, tell me how crazy this sounds. I'm trying to figure out the source of an apparent spike in long-distance and in-bound toll-free minutes usage. For long-distance (interstate calling), I've found what appears to be a smoking gun, but here's where it gets odd.
    This is from a CDR record of what appears to be a bogus call (Field = Definition).

    Internal Call = External Call (This tells me call is not originating from my office).
    Direction = Inbound (Ok, this makes sense).
    Caller Type = PRI (from the documentation, this is the type of line for the incoming call)
    Caller ID = O (The letter O. Odd; however, it's caller ID -- strange things can appear)
    Target Type = PRI (from the documentation, this is the called target line type -- Odd, why would an inbound call have this?)
    Target ID = someLongDistanceNumber (How is this possible? An inbound call to my office with a target of an outside number**)
    DNIS = lastFourDigitsOfOurOfficeNumber (from the documentation, DNIS number for the incoming call)
    Exit State = Connected (makes sense)

    **The only way this is making sense to me is that something outside of our office is using someone's extension credentials to make a call to a long distance number. It just messes with my head to see an inbound call to an external number.

    I cannot make any sense of this from your descriptions. Can you screenshot this?

    Also, what PBX is it?

    That said, you probably have a weak voicemail password somewhere and they are calling in to the voicemail and then dialing out.

    This is a very common toll fraud hack.



  • @JaredBusch ! !!!! !!! Let me check something!



    This is from the CDR search of my good ol' Altigen Max Communication Server 8.0

    307.754.2800 is some random number in Wyoming
    [screenshot: CDR search result for the long-distance call]

    It's preceded by this (happens seconds before the long distance call) which looks like a call that's forwarded to the user's extension who I think is compromised. Target ID is the person's extension. Target name is... well... duh.
    [screenshot: CDR entry for the preceding forwarded call]


  • Service Provider

    @EddieJennings said in Call Traffic Mystery:

    This is from the CDR search of my good ol' Altigen Max Communication Server 8.0

    307.754.2800 is some random number in Wyoming
    [screenshot: CDR search result for the long-distance call]

    It's preceded by this (happens seconds before the long distance call) which looks like a call that's forwarded to the user's extension who I think is compromised. Target ID is the person's extension. Target name is... well... duh.
    [screenshot: CDR entry for the preceding forwarded call]

    It is not a random number in Wyoming. It is almost certainly a call service abusing high interconnect rates.

    You have a compromised extension. Recreate all passwords associated with it.



  • I did find two extensions configured to "Allow Outside Caller to Make / Return calls from within the Voice Mail system," which I've now disabled. Unfortunately, I didn't think to check the extension in question before I deleted it (as that extension isn't in use anymore). :(


  • Service Provider

    Yup, standard DISA (Dial In Service Out) toll fraud.



  • The curious thing is I think I see something similar for another extension, but it's not configured with that option. Regardless, we might need a system-wide everyone-make-a-new-voicemail passcode, as I know there's no policy available in this Altigen system to automatically expire stuff.



  • I think I understand the basic process of the scammer.

    They call us toll-free. During that toll-free call, they use the compromised extension to make a long-distance call.

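The pattern the thread converges on (an inbound toll-free call that lands on an extension's voicemail, followed seconds later by an "inbound" CDR row whose target is a PRI trunk and an outside long-distance number) can be pulled out of a CDR export mechanically. The following is an added example, not Altigen code or anything posted in the thread: it assumes the CDR export is CSV with the column names the first post lists plus a Timestamp column (an assumption; the real Altigen export layout is not shown here), and the sample rows are constructed for this example apart from the Wyoming number and the "O" caller ID taken from the posts. It flags every inbound call that terminates on a trunk, then walks back within a short window to the last inbound call that reached an extension, which is the leg the attacker most likely used to get into that mailbox.

```python
"""Detect DISA-style toll fraud (trunk-to-trunk calls) in a PBX CDR export.

Added example, not Altigen's code. Column names follow the CDR fields named
in the thread; the CSV layout, the Timestamp column and the sample rows are
constructed for this example.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Row 2 is the attacker reaching extension 142's
# voicemail through the toll-free number; row 3 is the dial-out that the PBX
# logs as an *inbound* call with a PRI target (the oddity in the first post).
SAMPLE_CDR = """\
Timestamp,Internal Call,Direction,Caller Type,Caller ID,Target Type,Target ID,DNIS,Exit State
2017-06-14 13:05:01,Internal Call,Outbound,EXT,215,PRI,2125550100,,Connected
2017-06-14 13:10:22,External Call,Inbound,PRI,8005550123,EXT,142,4100,Connected
2017-06-14 13:10:31,External Call,Inbound,PRI,O,PRI,3077542800,4100,Connected
2017-06-14 13:40:05,External Call,Inbound,PRI,6105550177,EXT,118,4100,Connected
2017-06-14 13:55:40,External Call,Inbound,PRI,O,PRI,4155550144,4100,Connected
"""


def parse_cdr(text):
    """Parse a CSV CDR export into dicts, oldest call first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["ts"])


def is_trunk_to_trunk(row):
    """An inbound call whose target is a trunk means an outside caller was
    connected back out to the PSTN through the PBX: the DISA signature."""
    return row["Direction"] == "Inbound" and row["Target Type"] == "PRI"


def find_disa_abuse(rows, window=timedelta(seconds=60)):
    """Return one finding per trunk-to-trunk call, with the extension that
    received an inbound call within `window` before it (the suspected
    compromised mailbox), or None if no such call precedes it."""
    findings = []
    for i, row in enumerate(rows):
        if not is_trunk_to_trunk(row):
            continue
        suspect = None
        # Walk backwards in time; stop once we leave the correlation window.
        for prev in reversed(rows[:i]):
            if row["ts"] - prev["ts"] > window:
                break
            if prev["Direction"] == "Inbound" and prev["Target Type"] == "EXT":
                suspect = prev["Target ID"]
                break
        findings.append({
            "time": row["Timestamp"],
            "dialed": row["Target ID"],        # the long-distance number
            "dnis": row["DNIS"],               # which of our numbers was called
            "caller_id": row["Caller ID"],     # often junk, e.g. "O"
            "suspect_extension": suspect,
        })
    return findings


def extensions_to_reset(findings):
    """Distinct extensions whose voicemail passcodes should be recreated."""
    return sorted({f["suspect_extension"] for f in findings if f["suspect_extension"]})


if __name__ == "__main__":
    result = find_disa_abuse(parse_cdr(SAMPLE_CDR))
    for finding in result:
        print(finding)
    print("reset voicemail passcodes on:", extensions_to_reset(result))
```

The 60-second window is a guess at how quickly a caller can navigate a voicemail menu and dial out; widen it if your CDR timestamps are coarse. A trunk-to-trunk row with no preceding extension hit (the last sample row) is still worth reporting, since the attacker may have reached the mailbox through a leg the export does not show, such as an auto-attendant.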

