Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




79 posts

Master Geek
+1 received by user: 6


Topic # 204719 14-Oct-2016 11:43
Send private message

I've recently had my 2talk automatically block international calls a couple of times. There have been occasions when multiple calls were apparently made to odd locations at, sometimes, odd times (for either the destination or the source). Many of the numbers seem to be doubtful valid numbers (in one case two were the same apart from one had a country code prefixed).

 

2talk are claiming it's tall fraud but I just don't see it. most calls didn't cost anything and a couple, that did connect, overlapped, from and to the same numbers. Most that connected were very short and the rapidity with which the calls were made just didn't seem possible (except maybe with software, but to what end?).

 

Does it seem reasonable that 2talk's explanation is valid, or is it more likely that their call record system is going bananas every so often?

 

They've suggested I get a new router, but for what reason I don't know.

 

Discussions ongoing, but all comments welcome.


Filter this topic showing only the reply marked as answer Create new topic
27270 posts

Uber Geek
+1 received by user: 6698

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1650979 14-Oct-2016 11:59
Send private message

What sort of hardware are you using and is it configured securely? You don't have anything like port forwards enabled that have your ATA or phone exposed to the internet and this is being used to relay calls?

 

 




79 posts

Master Geek
+1 received by user: 6


  Reply # 1651177 14-Oct-2016 16:49
Send private message

sbiddle:

 

What sort of hardware are you using and is it configured securely? You don't have anything like port forwards enabled that have your ATA or phone exposed to the internet and this is being used to relay calls?

 

 

Thanks for responding. I have a Netcomm NF4V. As for whether it's secure or not, well, I had unwittingly left a couple of the default user names and passwords unchanged (I didn't realise they were accessible from outside) but have since corrected that, though anyone connecting wouldn't necessarily know that I'm using an NF4V. The ports 8080 and 5060 are apparently open from the outside but no others. 8080 gives access to the router (I'm using 80 for port forwarding, from time to time, which doesn't access the router, is rarely available anyway and requires user password to get to the service that provides). 5060 is also open but I can't yet figure out the firewall rules to block that (and block 8080, as I don't need access to the router from outside). I may raise another topic to ask about firewall rules if I can't figure it out.

 

However, as I say, the pattern of fraud calls seems almost random but occasionally apparently connects with an expensive location, so I've lost a few dollars so far, even though connections aren't long enough for a conversation or even some kind of data transfer. Although 2talk say this kind of thing is a common precursor to later expensive abuse of my account, I just don't know for sure if these are bona fide fake calls or a glitch with 2talk itself.


 
 
 
 


7912 posts

Uber Geek
+1 received by user: 801

Subscriber

  Reply # 1651216 14-Oct-2016 17:12
Send private message

You could also set an expensive location PIN back on as a safe guard until you sort this..





Regards,

Old3eyes




79 posts

Master Geek
+1 received by user: 6


  Reply # 1651218 14-Oct-2016 17:19
Send private message

old3eyes:

 

You could also set an expensive location PIN back on as a safe guard until you sort this..

 

 

That's on (though I don't recall ever setting it on). I can't remember if it was on before or if 2talk have set it on for me but that probably won't help if someone got access to my 2talk password (now changed, again), since that PIN is visible in the settings.

 

I've set on voice recording for outbound calls to check what is actually said on connected calls, if this happens again.


7912 posts

Uber Geek
+1 received by user: 801

Subscriber

  Reply # 1651222 14-Oct-2016 17:25
Send private message

sofistek:

 

old3eyes:

 

You could also set an expensive location PIN back on as a safe guard until you sort this..

 

 

That's on (though I don't recall ever setting it on). I can't remember if it was on before or if 2talk have set it on for me but that probably won't help if someone got access to my 2talk password (now changed, again), since that PIN is visible in the settings.

 

I've set on voice recording for outbound calls to check what is actually said on connected calls, if this happens again.

 

 

I think the OIN  is set on by default.  Good idea to record the calls..





Regards,

Old3eyes


3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

  Reply # 1651271 14-Oct-2016 19:59
Send private message

 

 

 

Thanks for responding. I have a Netcomm NF4V. As for whether it's secure or not, well, I had unwittingly left a couple of the default user names and passwords unchanged (I didn't realise they were accessible from outside) but have since corrected that, though anyone connecting wouldn't necessarily know that I'm using an NF4V. The ports 8080 and 5060 are apparently open from the outside but no others. 8080 gives access to the router (I'm using 80 for port forwarding, from time to time, which doesn't access the router, is rarely available anyway and requires user password to get to the service that provides). 5060 is also open but I can't yet figure out the firewall rules to block that (and block 8080, as I don't need access to the router from outside). I may raise another topic to ask about firewall rules if I can't figure it out.

 

However, as I say, the pattern of fraud calls seems almost random but occasionally apparently connects with an expensive location, so I've lost a few dollars so far, even though connections aren't long enough for a conversation or even some kind of data transfer. Although 2talk say this kind of thing is a common precursor to later expensive abuse of my account, I just don't know for sure if these are bona fide fake calls or a glitch with 2talk itself.

 

 

You need to reset your 2talk password.

 

If you had remote access open on your router (whatever the password) then there's a very good chance that the SIP credentials have been extracted.  The attackers will then use those credentials to make calls on your tab (and yes, they use software).

 

It's a very common attack.


329 posts

Ultimate Geek
+1 received by user: 38


  Reply # 1651282 14-Oct-2016 20:10
Send private message

Same thing happened to me, NF4V router.

 

I just had to port forward 50600 (the port I was using) to a non existent IP, change my 2talk password, and then I was no longer hacked or had fraud calls made.

 

See thread here: http://www.geekzone.co.nz/forums.asp?forumid=43&topicid=199009&page_no=1#1605057




79 posts

Master Geek
+1 received by user: 6


  Reply # 1651288 14-Oct-2016 20:38
Send private message

snowfly:

 

Same thing happened to me, NF4V router.

 

I just had to port forward 50600 (the port I was using) to a non existent IP, change my 2talk password, and then I was no longer hacked or had fraud calls made.

 

See thread here: http://www.geekzone.co.nz/forums.asp?forumid=43&topicid=199009&page_no=1#1605057

 

 

I did change my password (each time). The port forwarding idea is good; as I haven't been able to get my firewall rule correct to close that port off, I'm going to use your idea.

 

Sorry to read that you didn't get replies from 2talk, when you had the issue. Did you raise a ticket?

 

Thanks again.




79 posts

Master Geek
+1 received by user: 6


  Reply # 1651314 14-Oct-2016 20:56
Send private message

Well, I added port forwarding for the SIP port using TCP/UDP, forwarding to a non-existent address and it still shows as open from canyouseeme.org. I have forwarding for port 80 to a machine that is off and that port cannot be seen externally, so I'm not sure why the SIP port can still be seen. Any ideas?


3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

  Reply # 1651366 15-Oct-2016 01:03
Send private message

sofistek:

 

Well, I added port forwarding for the SIP port using TCP/UDP, forwarding to a non-existent address and it still shows as open from canyouseeme.org. I have forwarding for port 80 to a machine that is off and that port cannot be seen externally, so I'm not sure why the SIP port can still be seen. Any ideas?

 

 

Don't need to block the SIP port, you just need to turn off remote administration.  Blocking the SIP port would stop the built in ATA from working...

 

Management > Access Control > Services Control

 

Turn off WAN for everything (you can leave ICMP on if you really want it to be pingable)

 

Apply/Save

 

And then reset your 2Talk password




79 posts

Master Geek
+1 received by user: 6


  Reply # 1651640 15-Oct-2016 16:49
Send private message

OK. The phone seems OK with port forwarding for the SIP port to a non-existent internal host and I'd already turned off all access except ICMP and HTTP (now turned off). I'd only just changed my 2talk password and don't think I need to change it again, since that was after I removed default known userids for the router and the main ID I use already had a fairly safe password.

 

So, I think I'm safe again but we'll see if it happens again.

 

Thanks for the suggestions.


Filter this topic showing only the reply marked as answer Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Geekzone Live »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.