    Call Traffic Mystery

    Category: IT Discussion
    Tags: voip, phone, call routing, security
    9 Posts 2 Posters 1.6k Views
    • EddieJennings

      Ok VoIP folks, tell me how crazy this sounds. I'm trying to figure out the source of an apparent spike in long-distance and in-bound toll-free minutes usage. For long-distance (interstate calling), I've found what appears to be a smoking gun, but here's where it gets odd.
      This is from a CDR record of what appears to be a bogus call (Field = Definition).

      Internal Call = External Call (This tells me call is not originating from my office).
      Direction = Inbound (Ok, this makes sense).
      Caller Type = PRI (from the documentation, this is the type of line for the incoming call)
      Caller ID = O (The letter O. Odd; however, it's caller ID -- strange things can appear)
      Target Type = PRI (from the documentation, this is the called target line type -- Odd, why would an inbound call have this?)
      Target ID = someLongDistanceNumber (How is this possible? An inbound call to my office with a target of an outside number**)
      DNIS = lastFourDigitsOfOurOfficeNumber (from the documentation, DNIS number for the incoming call)
      Exit State = Connected (makes sense)

      **The only way this is making sense to me is that something outside of our office is using someone's extension credentials to make a call to a long distance number. It just messes with my head to see an inbound call to an external number.

      • JaredBusch @EddieJennings

        @EddieJennings said in Call Traffic Mystery:

        Ok VoIP folks, tell me how crazy this sounds. I'm trying to figure out the source of an apparent spike in long-distance and in-bound toll-free minutes usage. For long-distance (interstate calling), I've found what appears to be a smoking gun, but here's where it gets odd.
        This is from a CDR record of what appears to be a bogus call (Field = Definition).

        Internal Call = External Call (This tells me call is not originating from my office).
        Direction = Inbound (Ok, this makes sense).
        Caller Type = PRI (from the documentation, this is the type of line for the incoming call)
        Caller ID = O (The letter O. Odd; however, it's caller ID -- strange things can appear)
        Target Type = PRI (from the documentation, this is the called target line type -- Odd, why would an inbound call have this?)
        Target ID = someLongDistanceNumber (How is this possible? An inbound call to my office with a target of an outside number**)
        DNIS = lastFourDigitsOfOurOfficeNumber (from the documentation, DNIS number for the incoming call)
        Exit State = Connected (makes sense)

        **The only way this is making sense to me is that something outside of our office is using someone's extension credentials to make a call to a long distance number. It just messes with my head to see an inbound call to an external number.

        I cannot make any sense of this from your descriptions. Can you screenshot this?

        Also, what PBX is it?

        That said, you probably have a weak voicemail password somewhere and they are calling in to the voicemail and then dialing out.

        This is a very common toll fraud hack.

        • EddieJennings @JaredBusch

          @JaredBusch ! !!!! !!! Let me check something!

          • EddieJennings

            This is from the CDR search of my good 'ole Altigen Max Communication Server 8.0

            307.754.2800 is some random number in Wyoming
            [image attachment: CDR search screenshot]

            It's preceded by this (happens seconds before the long distance call) which looks like a call that's forwarded to the user's extension who I think is compromised. Target ID is the person's extension. Target name is . . .well. . duh.
            [image attachment: CDR screenshot of the preceding call]

            • JaredBusch @EddieJennings

              @EddieJennings said in Call Traffic Mystery:

              This is from the CDR search of my good 'ole Altigen Max Communication Server 8.0

              307.754.2800 is some random number in Wyoming
              [image attachment: CDR search screenshot]

              It's preceded by this (happens seconds before the long distance call) which looks like a call that's forwarded to the user's extension who I think is compromised. Target ID is the person's extension. Target name is . . .well. . duh.
              [image attachment: CDR screenshot of the preceding call]

              It is not a random number in Wyoming. It is almost certainly a call service abusing high interconnect rates.

              You have a compromised extension. Recreate all passwords associated to it.

              • EddieJennings

                I did find two extensions configured to "Allow Outside Caller to Make / Return calls from within the Voice Mail system," which I've now disabled. Unfortunately, I didn't think to check the extension in question before I deleted it (as that extension isn't in use anymore). 😞

                • JaredBusch

                  Yup, standard DISA (Dial In Service Out) toll fraud.

                  • EddieJennings

                    The curious thing is I think I see something similar for another extension, but it's not configured with that option. Regardless, we might need a system-wide everyone-make-a-new-voicemail passcode, as I know there's no policy available in this Altigen system to automatically expire stuff.

                    • EddieJennings

                      I think I understand the basic process of the scammer.

                      They call us toll-free. During that toll-free call, they use the compromised extension to make a long-distance call.
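A defender-side check for the two-leg pattern worked out in this thread (an inbound call lands on an extension, and seconds later an "Inbound" record connects a PRI trunk to an outside long-distance number), as an added example that is not part of the original posts or of Altigen's tooling. It scans a CDR export for the bridged-out leg and pairs it with the preceding inbound call to an extension, so the output names the extension whose passcodes need resetting; the CSV column names, the timestamp column and format, and every sample value are constructed assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample CDR export. Column names follow the fields named in the
# thread; the timestamp column, its format and every value are made up.
# Row 2 has the suspicious shape: Direction=Inbound, Caller ID=O,
# Target Type=PRI, Target ID=outside long-distance number, seven seconds
# after an inbound call landed on extension 1234.
SAMPLE_CDR = """\
timestamp,internal_call,direction,caller_type,caller_id,target_type,target_id,dnis,exit_state
2017-06-14 09:00:02,External Call,Inbound,PRI,8005550100,Extension,1234,0100,Connected
2017-06-14 09:00:09,External Call,Inbound,PRI,O,PRI,3075550123,0100,Connected
2017-06-14 09:05:00,Internal Call,Outbound,Extension,1234,PRI,5551234567,,Connected
2017-06-14 10:00:00,External Call,Inbound,PRI,4105550199,Extension,1250,0100,Connected
"""

def parse_cdr(text):
    """Parse a CSV CDR export into dicts, adding a parsed 'ts' datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows

def find_disa_suspects(rows, window=timedelta(seconds=30)):
    """Return (extension, outside_number, ts) for each suspected dial-through.

    A dial-through leg is an Inbound record connected to a PRI trunk: the
    PBX bridged an outside caller back out to the PSTN. It is paired with
    the latest Inbound call that reached an internal extension within
    `window` before it, i.e. the extension whose passcodes need resetting
    (None if no such call precedes it).
    """
    suspects = []
    for i, leg in enumerate(rows):
        if not (leg["direction"] == "Inbound" and leg["target_type"] == "PRI"
                and leg["exit_state"] == "Connected"):
            continue
        prior = [r for r in rows[:i]
                 if r["direction"] == "Inbound" and r["target_type"] == "Extension"
                 and timedelta(0) <= leg["ts"] - r["ts"] <= window]
        ext = prior[-1]["target_id"] if prior else None
        suspects.append((ext, leg["target_id"], leg["ts"]))
    return suspects

def extensions_to_reset(rows):
    """Distinct extensions implicated by find_disa_suspects, as a reset list."""
    return sorted({ext for ext, _, _ in find_disa_suspects(rows) if ext})
```

Running it over a real export also surfaces legs with no preceding extension call (extension None), which is the shape to look at when the dial-through comes via an auto-attendant rather than a mailbox.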
