

329 posts

Ultimate Geek
+1 received by user: 38


Topic # 199009 31-Jul-2016 19:58

I've been using a business voip plan of 5 lines with 2Talk for a few years now, without issue, but in the last week I've had multiple "FRAUD ALERT" emails from 2talk (which appear to be automated) saying one of my lines has been making suspicious calls. Had this happen to 3 different lines.

Sure enough, check the 2talk portal, and a bunch of calls to overseas, some to the UK, and some to 'Tigo Senegal Mobile'.
Today I've been charged $24.15 alone!!!

Anyway, the automated emails from 2talk say they have blocked all overseas calls (except AU NZ) from the number, that is fine.

However, each time I got this fraud/hack email, I did this:

  1. Change my 2talk password, using a completely randomly generated alphanumeric password, 20 length
  2. Check that my 2 voip devices aren't exposed via any port forwarding rules in router. (3 lines are using grandstream desk phone, 1 line on NF4V router, checked router isn't available via WAN)
  3. Enabled "Authorisation PIN Code" on all lines via 2talk portal, so any overseas calls need to enter PIN code.

BUT each time, it appears to be hacked again, fraud calls made, and get another automated email from 2talk.

And strangely enough, the "Authorisation PIN Code" option has been turned OFF??? Has the hacker managed to do this??

I've tried calling 2talk for further info (but get sick of holding after 30 minutes), sent multiple emails (no response).

I even asked 2talk to check SIP logs to see who the offending IP address was, as I have a static IP, and pretty sure it's not my devices making these calls, it must be someone who has managed to get hold of the SIP password.
And with my SIP password perhaps they are logging into the 2talk portal, and disabling the "Authorisation PIN Code", because how else would that get turned off? (star code?)

I've also run multiple virus/malware scans on my PC, in case there was some key logger or backdoor, or something suspicious running.

What else can I do?

As 2talk themselves are not helping at all.


Meow
7900 posts

Uber Geek
+1 received by user: 3926

Moderator
Trusted
Lifetime subscriber

  Reply # 1601879 31-Jul-2016 20:18


329 posts

Ultimate Geek
+1 received by user: 38


  Reply # 1601883 31-Jul-2016 20:23

michaelmurfy:

 

Have you got a port forward to any of your SIP devices?

 

 

No, see my point 2 in OP.
Only port forwarding I have set up on the NF4V are for an L2TP/IPSEC VPN to a QNAP NAS (UDP 500+1701+4500), and 4949/TCP for munin monitoring of the NAS.
I did have port 80 + 443 open to the NAS as well, but closed those a few weeks back as I use VPN instead to get to the NAS externally.
About to replace NF4V with an edgerouter poe anyway (which works great on UFB during testing I did yesterday), perhaps I should fast track getting my edgerouter poe up and running, to help monitor ports/traffic?

 

 


BDFL - Memuneh
61319 posts

Uber Geek
+1 received by user: 12063

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1601884 31-Jul-2016 20:29

I used a FritzBox with two lines - one of the lines had strange phone calls appearing and the provider blocked international calls. Strangely you can't block inbound packets to the VoIP ports on the FritzBox. No forward rules, no firewall rules. Perhaps something like this in your router?





27061 posts

Uber Geek
+1 received by user: 6508

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1601885 31-Jul-2016 20:30

Have you checked to see if anything is responding on port 5060 from outside your network?

 

 




329 posts

Ultimate Geek
+1 received by user: 38


  Reply # 1601917 31-Jul-2016 20:52

Thanks for the tip, I can see port 50600 is responding externally, this is the port I configured for SIP on the NF4V (for 1 VoIP line), but I didn't open this port manually, the router itself must have?

 

My other 3 voip lines on the grandstream use ports 5060, 5062 and 5064, and none of these ports are accessible externally.

 

Would that open port be all that is needed to somehow get into my config or sniff the password?

 

I've got an unused SPA122 ATA, perhaps I should set that up behind the NF4V router, so the router doesn't do SIP itself?
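
The "is anything responding on the SIP port from outside" check discussed above, as an added example (not code from any poster in this thread): it sends a single SIP OPTIONS request over UDP and reports the status line and Server/User-Agent banner of whatever answers. It is meant to be run from a connection outside your own network against your own public address; the command-line argument and the function names are assumptions of this example.

```python
import socket
import sys
import uuid

def build_options(host, port, local_ip, local_port):
    """Minimal SIP OPTIONS request (RFC 3261) as bytes."""
    lines = [
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{uuid.uuid4().hex[:16]};rport",
        "Max-Forwards: 70",
        f"From: <sip:check@{local_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",  # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_response(data):
    """Return (status_code, reason, banner) for a SIP response, else None."""
    head = data.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not (parts[1].isascii() and parts[1].isdigit()):
        return None
    banner = ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("server", "user-agent"):
            banner = value.strip()  # the answering device identifies itself here
    reason = parts[2] if len(parts) > 2 else ""
    return int(parts[1]), reason, banner

def probe(host, port, timeout=3.0):
    """Send one OPTIONS over UDP; None means nothing SIP-like answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            local_ip, local_port = s.getsockname()
            s.send(build_options(host, port, local_ip, local_port))
            return parse_response(s.recv(4096))
        except OSError:  # timeout, ICMP port unreachable, unresolvable host
            return None

if __name__ == "__main__":
    wan_ip = sys.argv[1]  # your own public address (assumed CLI argument)
    for p in (5060, 5062, 5064, 50600):  # SIP ports named in the thread
        print(p, probe(wan_ip, p) or "no SIP response")
```

A `None` result only means no SIP reply came back within the timeout; a device can ignore OPTIONS and still have the port mapped, so also check the router's port-forward and UPnP mapping tables.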


Meow
7900 posts

Uber Geek
+1 received by user: 3926

Moderator
Trusted
Lifetime subscriber

  Reply # 1601949 31-Jul-2016 22:04

Yeah that is what I was meaning, sorry - I should have been more clear. I've seen the NF4V expose its SIP port on the WAN interface. Update its firmware for a start and from there set a port forward for 5060 to a non-existent IP address (if you can't close it). As you've stated you've got an Edgerouter so could be worth moving across to that :)





371 posts

Ultimate Geek
+1 received by user: 46


  Reply # 1602449 1-Aug-2016 19:20

Don't expect too much help from 2talk, it's very much a do-it-yourself service. You are saving the config, aye? Stupid question, but that would explain why the PIN code is deactivated when you log back in.



329 posts

Ultimate Geek
+1 received by user: 38


  Reply # 1605057 5-Aug-2016 14:57

Since I port forwarded 50600 (the SIP port I was using on the NF4V) to a non-existent internal IP, I have not been hacked since.

 

The authorisation PIN code blocks are still in place on all the lines in the 2talk config, good to see, and have not had any hacked calls made since.

 

Still waiting for 2talk to reply to my multiple support tickets though, I doubt I will ever hear a response, sad.


3234 posts

Uber Geek
+1 received by user: 632

Trusted

  Reply # 1605107 5-Aug-2016 16:52

Have you checked that STUN is not being used and the voip devices are not using UPnP to do the port forwarding for you?





Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here



