Toll Fraud

Forums › VoIP › Toll Fraud

sofistek

95 posts

Master Geek
+1 received by user: 8

#204719 14-Oct-2016 11:43

I've recently had my 2talk automatically block international calls a couple of times. There have been occasions when multiple calls were apparently made to odd locations at, sometimes, odd times (for either the destination or the source). Many of the numbers seem to be doubtful valid numbers (in one case two were the same apart from one had a country code prefixed).

2talk are claiming it's tall fraud but I just don't see it. most calls didn't cost anything and a couple, that did connect, overlapped, from and to the same numbers. Most that connected were very short and the rapidity with which the calls were made just didn't seem possible (except maybe with software, but to what end?).

Does it seem reasonable that 2talk's explanation is valid, or is it more likely that their call record system is going bananas every so often?

They've suggested I get a new router, but for what reason I don't know.

Discussions ongoing, but all comments welcome.

Tony

sbiddle

30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1650979 14-Oct-2016 11:59

What sort of hardware are you using and is it configured securely? You don't have anything like port forwards enabled that have your ATA or phone exposed to the internet and this is being used to relay calls?

sofistek

95 posts

Master Geek
+1 received by user: 8

#1651177 14-Oct-2016 16:49

sbiddle:

What sort of hardware are you using and is it configured securely? You don't have anything like port forwards enabled that have your ATA or phone exposed to the internet and this is being used to relay calls?

Thanks for responding. I have a Netcomm NF4V. As for whether it's secure or not, well, I had unwittingly left a couple of the default user names and passwords unchanged (I didn't realise they were accessible from outside) but have since corrected that, though anyone connecting wouldn't necessarily know that I'm using an NF4V. The ports 8080 and 5060 are apparently open from the outside but no others. 8080 gives access to the router (I'm using 80 for port forwarding, from time to time, which doesn't access the router, is rarely available anyway and requires user password to get to the service that provides). 5060 is also open but I can't yet figure out the firewall rules to block that (and block 8080, as I don't need access to the router from outside). I may raise another topic to ask about firewall rules if I can't figure it out.

However, as I say, the pattern of fraud calls seems almost random but occasionally apparently connects with an expensive location, so I've lost a few dollars so far, even though connections aren't long enough for a conversation or even some kind of data transfer. Although 2talk say this kind of thing is a common precursor to later expensive abuse of my account, I just don't know for sure if these are bona fide fake calls or a glitch with 2talk itself.

Tony

old3eyes

9158 posts

Uber Geek
+1 received by user: 1364

Subscriber

#1651216 14-Oct-2016 17:12

You could also set an expensive location PIN back on as a safe guard until you sort this..

Regards,

Old3eyes

sofistek

95 posts

Master Geek
+1 received by user: 8

#1651218 14-Oct-2016 17:19

old3eyes:

You could also set an expensive location PIN back on as a safe guard until you sort this..

That's on (though I don't recall ever setting it on). I can't remember if it was on before or if 2talk have set it on for me but that probably won't help if someone got access to my 2talk password (now changed, again), since that PIN is visible in the settings.

I've set on voice recording for outbound calls to check what is actually said on connected calls, if this happens again.

Tony

old3eyes

9158 posts

Uber Geek
+1 received by user: 1364

Subscriber

#1651222 14-Oct-2016 17:25

sofistek:

old3eyes:

You could also set an expensive location PIN back on as a safe guard until you sort this..

That's on (though I don't recall ever setting it on). I can't remember if it was on before or if 2talk have set it on for me but that probably won't help if someone got access to my 2talk password (now changed, again), since that PIN is visible in the settings.

I've set on voice recording for outbound calls to check what is actually said on connected calls, if this happens again.

I think the OIN is set on by default. Good idea to record the calls..

Regards,

Old3eyes

ubergeeknz

3344 posts

Uber Geek
+1 received by user: 1041

Trusted

Vocus

#1651271 14-Oct-2016 19:59

Thanks for responding. I have a Netcomm NF4V. As for whether it's secure or not, well, I had unwittingly left a couple of the default user names and passwords unchanged (I didn't realise they were accessible from outside) but have since corrected that, though anyone connecting wouldn't necessarily know that I'm using an NF4V. The ports 8080 and 5060 are apparently open from the outside but no others. 8080 gives access to the router (I'm using 80 for port forwarding, from time to time, which doesn't access the router, is rarely available anyway and requires user password to get to the service that provides). 5060 is also open but I can't yet figure out the firewall rules to block that (and block 8080, as I don't need access to the router from outside). I may raise another topic to ask about firewall rules if I can't figure it out.

However, as I say, the pattern of fraud calls seems almost random but occasionally apparently connects with an expensive location, so I've lost a few dollars so far, even though connections aren't long enough for a conversation or even some kind of data transfer. Although 2talk say this kind of thing is a common precursor to later expensive abuse of my account, I just don't know for sure if these are bona fide fake calls or a glitch with 2talk itself.

You need to reset your 2talk password.

If you had remote access open on your router (whatever the password) then there's a very good chance that the SIP credentials have been extracted. The attackers will then use those credentials to make calls on your tab (and yes, they use software).

It's a very common attack.

HP

Shop now for HP laptops and other devices (affiliate link).

snowfly

549 posts

Ultimate Geek
+1 received by user: 112

#1651282 14-Oct-2016 20:10

Same thing happened to me, NF4V router.

I just had to port forward 50600 (the port I was using) to a non existent IP, change my 2talk password, and then I was no longer hacked or had fraud calls made.

See thread here: http://www.geekzone.co.nz/forums.asp?forumid=43&topicid=199009&page_no=1#1605057

sofistek

95 posts

Master Geek
+1 received by user: 8

#1651288 14-Oct-2016 20:38

snowfly:

Same thing happened to me, NF4V router.

I just had to port forward 50600 (the port I was using) to a non existent IP, change my 2talk password, and then I was no longer hacked or had fraud calls made.

See thread here: http://www.geekzone.co.nz/forums.asp?forumid=43&topicid=199009&page_no=1#1605057

I did change my password (each time). The port forwarding idea is good; as I haven't been able to get my firewall rule correct to close that port off, I'm going to use your idea.

Sorry to read that you didn't get replies from 2talk, when you had the issue. Did you raise a ticket?

Thanks again.

Tony

sofistek

95 posts

Master Geek
+1 received by user: 8

#1651314 14-Oct-2016 20:56

Well, I added port forwarding for the SIP port using TCP/UDP, forwarding to a non-existent address and it still shows as open from canyouseeme.org. I have forwarding for port 80 to a machine that is off and that port cannot be seen externally, so I'm not sure why the SIP port can still be seen. Any ideas?

Tony

ubergeeknz

3344 posts

Uber Geek
+1 received by user: 1041

Trusted

Vocus

#1651366 15-Oct-2016 01:03

sofistek:

Well, I added port forwarding for the SIP port using TCP/UDP, forwarding to a non-existent address and it still shows as open from canyouseeme.org. I have forwarding for port 80 to a machine that is off and that port cannot be seen externally, so I'm not sure why the SIP port can still be seen. Any ideas?

Don't need to block the SIP port, you just need to turn off remote administration. Blocking the SIP port would stop the built in ATA from working...

Management > Access Control > Services Control

Turn off WAN for everything (you can leave ICMP on if you really want it to be pingable)

Apply/Save

And then reset your 2Talk password

sofistek

95 posts

Master Geek
+1 received by user: 8

#1651640 15-Oct-2016 16:49

OK. The phone seems OK with port forwarding for the SIP port to a non-existent internal host and I'd already turned off all access except ICMP and HTTP (now turned off). I'd only just changed my 2talk password and don't think I need to change it again, since that was after I removed default known userids for the router and the main ID I use already had a fairly safe password.

So, I think I'm safe again but we'll see if it happens again.

Thanks for the suggestions.

Tony