A thankfully former colleague of mine loved to tell me about his days exploiting vulnerable PBXs, as well as travelling to India to manually splice cables through premium lines (or something of the sort).
Funny you mention! I asked my buddy who does work in the SIP MSP world, and he said he deals with a noticeably different kind of scam - usually it’s dialing to African numbers instead. (Perhaps it’s different once they do have access, and what’s in the article is their probing behaviour.)
As for India: IIRC, there is regulation that VoIP providers can’t offer PSTN access. I’ve heard of having to have two office phones as a result.
I’ve seen attackers using compromised PBXes to make seemingly legitimate calls. As in, they used them as a “free” landline/mobile call service.
When I worked in the wholesale VoIP transit field, I’ve heard about less-than-honest providers using “interesting” termination schemes to cut costs, and I have enough evidence to tell that most of the reports were correct.
For example, a Czech company named 2N used to make GSM gateways that were split into two parts: an actual gateway with GSM modules, and a separate “SIM board” that provided those modules with SIM data over IP. Why would you think anyone would want it? I can think of a few legitimate uses like GSM-based telemetry installations, but I have another guess: when SIM cards are not in the GSM gateway, it’s much easier and safer to manage a network of illegal termination sites.
Some companies would advertise “non-CLI routes” (where CLI stands for Caller Identification). How can the caller ID disappear? There’s only one way that can happen, if the protocol changes to client-side SS7 along the path.
I’ve also seen provider-side fraud. For example, a switch pretending the callee was unavailable using a fake voice message, but in reality responding with 200 Ok and charging the caller for listening to the fake “the subscriber is not available now”.
I’m pretty sure at least some of those shady providers also used compromised PBXes as a “free transit”. More extensive honeypot monitoring can shed some light on that.
If I were to make a honeypot, I’d make it answer all calls and record the incoming RTP.
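The provider-side trick described above (200 OK plus a home-made "subscriber unavailable" announcement) is usually called False Answer Supervision, and it leaves a signature in the buyer's own CDRs: calls that are billed as answered but whose durations cluster around the length of the announcement. The screening below is an added example, not code from the thread or any carrier; the CDR column layout, the route names and every sample row are constructed for it.

```python
"""False Answer Supervision (FAS) screening over carrier CDRs.

Added example, not code from the thread. A terminating switch that plays its
own "subscriber unavailable" announcement while sending 200 OK produces calls
that are billed as answered but cluster tightly around the announcement's
length. Comparing routes on answer ratio and on how uniform the short answered
durations are makes that pattern stand out. The CDR format and all sample rows
are constructed for this example.
"""
from collections import defaultdict
from statistics import pstdev

# Constructed CDRs: route, called number, SIP final response code, billable seconds.
SAMPLE_CDRS = """\
# route,called,code,billsec
route-good,4915120000001,200,45
route-good,4915120000002,486,0
route-good,4915120000003,200,120
route-good,4915120000004,480,0
route-good,4915120000005,200,300
route-good,4915120000006,200,30
route-good,4915120000007,503,0
route-good,4915120000008,200,600
route-good,4915120000009,404,0
route-good,4915120000010,200,90
route-mixed,4915120000021,200,5
route-mixed,4915120000022,200,8
route-mixed,4915120000023,200,40
route-mixed,4915120000024,200,15
route-mixed,4915120000025,200,200
route-mixed,4915120000026,200,70
route-mixed,4915120000027,200,500
route-mixed,4915120000028,200,12
route-mixed,4915120000029,200,120
route-mixed,4915120000030,486,0
route-fas,4915120000011,200,11
route-fas,4915120000012,200,12
route-fas,4915120000013,200,11
route-fas,4915120000014,200,12
route-fas,4915120000015,200,11
route-fas,4915120000016,200,12
route-fas,4915120000017,200,11
route-fas,4915120000018,200,13
route-fas,4915120000019,200,11
route-fas,4915120000020,200,12
"""


def parse_cdrs(text):
    """Parse the constructed CSV-style CDR text into a list of dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        route, called, code, billsec = line.split(",")
        rows.append({"route": route, "called": called,
                     "code": int(code), "billsec": int(billsec)})
    return rows


def route_stats(rows, short_cutoff=20):
    """Per-route answer ratio and how the short answered calls are distributed."""
    by_route = defaultdict(list)
    for row in rows:
        by_route[row["route"]].append(row)
    stats = {}
    for route, calls in by_route.items():
        answered = [c["billsec"] for c in calls if c["code"] == 200]
        short = [d for d in answered if d <= short_cutoff]
        stats[route] = {
            "attempts": len(calls),
            "answered": len(answered),
            "asr": len(answered) / len(calls),
            "short_share": len(short) / len(answered) if answered else 0.0,
            "short_spread": pstdev(short) if len(short) > 1 else 0.0,
        }
    return stats


def flag_fas(stats, asr_min=0.9, short_share_min=0.6, spread_max=2.0, min_answered=5):
    """Routes whose answered calls are almost all short and almost all the same length."""
    return sorted(
        route for route, s in stats.items()
        if s["answered"] >= min_answered
        and s["asr"] >= asr_min
        and s["short_share"] >= short_share_min
        and s["short_spread"] <= spread_max
    )


if __name__ == "__main__":
    for route, s in route_stats(parse_cdrs(SAMPLE_CDRS)).items():
        print(route, s)
    print("suspected FAS routes:", flag_fas(route_stats(parse_cdrs(SAMPLE_CDRS))))
```

The thresholds are starting points, not constants of nature: a route to a destination with a lot of short voicemail greetings will also show short answered calls, which is why the check looks at the spread of those durations as well as their share, and why the legitimately busy `route-mixed` above is not flagged.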
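A honeypot that answers every call needs to do two things per INVITE: write down who is probing and which number they tried, and return a 200 OK whose SDP points the caller's audio at a recorder. The code below is an added example, not anything from the thread; it covers only the parsing, the log record and the response, leaving out the UDP socket and the RTP capture that would wrap it. The sample INVITE, the addresses, the `honeypot.example` domain and the User-Agent string are all constructed.

```python
"""Minimal SIP honeypot logic: log every INVITE and answer it with a 200 OK whose
SDP points the caller's RTP at a recording port.

Added example, not from the thread. Only message parsing, the probe record and
response building are shown; the UDP socket and the RTP recorder that would sit
around them are left out. The INVITE below, the addresses and the User-Agent
string are constructed for this example.
"""
import re

MEDIA_IP = "198.51.100.10"   # constructed: where the recorder listens
RTP_PORT = 40000             # constructed: the recorder's RTP port


def parse_sip(raw):
    """Split a SIP message into start line, header dict (lower-cased names, list
    of values so repeated Via headers survive) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start": lines[0], "headers": headers, "body": body}


def probe_record(msg):
    """What the honeypot logs for one INVITE: who, from where, which number, and
    where the caller wants RTP sent (taken from the offered SDP)."""
    h = msg["headers"]
    dialed = re.search(r"sip:([^@;>\s]+)", msg["start"])
    via = h.get("via", [""])[0]
    src = re.search(r"SIP/2\.0/\w+\s+([^;\s]+)", via)
    c_line = re.search(r"^c=IN IP4 (\S+)", msg["body"], re.M)
    m_line = re.search(r"^m=audio (\d+)", msg["body"], re.M)
    return {
        "dialed": dialed.group(1) if dialed else None,
        "source": src.group(1) if src else None,
        "from": h.get("from", [None])[0],
        "user_agent": h.get("user-agent", [None])[0],
        "peer_rtp": (c_line.group(1), int(m_line.group(1))) if c_line and m_line else None,
    }


def build_200_ok(msg, media_ip=MEDIA_IP, rtp_port=RTP_PORT, to_tag="hp1"):
    """Answer the INVITE: Via/From/Call-ID/CSeq are echoed, To gets our tag, and
    the SDP answer asks the caller to send PCMU audio to the recorder."""
    h = msg["headers"]
    to = h["to"][0]
    if ";tag=" not in to.lower():
        to += ";tag=" + to_tag
    sdp = "\r\n".join([
        "v=0", f"o=- 0 0 IN IP4 {media_ip}", "s=honeypot", f"c=IN IP4 {media_ip}",
        "t=0 0", f"m=audio {rtp_port} RTP/AVP 0", "a=rtpmap:0 PCMU/8000", "a=recvonly",
    ]) + "\r\n"
    lines = ["SIP/2.0 200 OK"]
    lines += ["Via: " + v for v in h["via"]]
    lines += [
        "From: " + h["from"][0],
        "To: " + to,
        "Call-ID: " + h["call-id"][0],
        "CSeq: " + h["cseq"][0],
        f"Contact: <sip:honeypot@{media_ip}>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ]
    return "\r\n".join(lines) + "\r\n\r\n" + sdp


def sample_invite():
    """A constructed INVITE of the kind a scanner sends when probing for free transit."""
    body = "\r\n".join([
        "v=0", "o=- 1 1 IN IP4 203.0.113.7", "s=-", "c=IN IP4 203.0.113.7",
        "t=0 0", "m=audio 4000 RTP/AVP 0 8",
    ]) + "\r\n"
    headers = [
        "INVITE sip:00441234567890@honeypot.example SIP/2.0",
        "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1;rport",
        'From: "100" <sip:100@honeypot.example>;tag=abc',
        "To: <sip:00441234567890@honeypot.example>",
        "Call-ID: c0ffee@203.0.113.7",
        "CSeq: 1 INVITE",
        "Contact: <sip:100@203.0.113.7:5060>",
        "User-Agent: constructed-scanner/1.0",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    msg = parse_sip(sample_invite())
    print(probe_record(msg))
    print(build_200_ok(msg))
```

Answering with `a=recvonly` tells the caller we will only receive media, which is all a recorder needs; the dialed number and the offered RTP endpoint in the log record are what you would later correlate with the dial patterns the thread talks about.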
I once worked for a company (this was quite some time ago, and they’re out of business, so I don’t feel too uncomfortable sharing) that did almost the opposite.
We were a prepaid MVNO (mobile phone service reseller, basically; buy minutes in bulk from a provider, and sell them to end-users; we handled all of the marketing, client acquisition, buying and programming phones, selling phones and minutes at retail, account management, etc.). Since it was prepaid, people needed a way to check their balances, and since it was pre-smartphone, and we didn’t have the resources to do custom firmware for every handheld the way Tracfone did, that meant they would have to get it by a phone call or a text message. Our contract with the provider let us send text messages to our subscribers for free, but for them to text us would have incurred some expense. So here’s what we did:
1. Ordered a toll-free DID, and had it ring to a T1 connected to our PBX.
2. Waited for the ANI (calling phone number) on an incoming call and captured it.
3. Terminated the call without answering.
4. Looked up the account info of the calling number, and sent them a text with their balance.
The user would dial this number (which we pre-programmed into their phone’s memory), the call would boop disconnect, and they would get a text message a second later. Since the number was toll-free (callee-pays), the user didn’t pay any minutes for the outgoing call, and in turn the cell provider didn’t bill us for it. Our toll-free incoming line was billed by the minute, and we never answered a single call, so it accrued 0 minutes every month, so we didn’t pay anything there. And the outgoing text messages to our own subscribers were gratis. So we paid nothing at all except the basic line fee. You might think that the DID provider would take notice of a toll-free number that got thousands of calls a day and never answered any of them, but it ran for years and they never said a word.
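The four steps above map almost one-to-one onto an Asterisk AGI script run from the dialplan before any `Answer()`. The script below is an added example, not the company's original; it assumes that ordering (so the `HANGUP` it issues tears down a call that was never answered), a NANP-only subscriber base for the number normalisation, and replaces the billing database and the carrier's SMS interface with a constructed dict and a stand-in function.

```python
"""The missed-call balance lookup from the thread, as an Asterisk AGI script.

Added example, not the company's original script. It assumes the dialplan runs
it before Answer(), so the HANGUP it issues tears down a call that was never
answered (and so never accrued billable minutes on the toll-free side). The
balance table, the SMS sender and the NANP number normalisation are constructed
for this example; a real deployment would replace the dict with the billing
database and send_sms with the carrier's SMS interface.
"""
import io
import re
import sys

# Constructed subscriber table: ANI in 11-digit NANP form -> prepaid balance in dollars.
ACCOUNTS = {"15551234567": 12.50, "15557654321": 0.75}


def read_agi_env(inp):
    """Asterisk opens the session with 'agi_name: value' lines and a blank line."""
    env = {}
    while True:
        line = inp.readline()
        if not line or line.strip() == "":
            break
        name, _, value = line.partition(":")
        env[name.strip()] = value.strip()
    return env


def agi_command(inp, out, command):
    """Send one AGI command and return Asterisk's '200 result=...' reply line."""
    out.write(command + "\n")
    out.flush()
    return inp.readline().strip()


def normalize_ani(raw):
    """Reduce the delivered caller number to 11-digit NANP form, or None if the
    ANI was withheld or unusable (assumption: NANP-only subscriber base)."""
    if not raw or raw.lower() in ("unknown", "anonymous", "private", "restricted"):
        return None
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        return "1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return digits
    return None


def handle_call(env, inp, out, accounts, send_sms):
    """Steps 2 to 4 from the thread: capture ANI, hang up unanswered, text the balance."""
    ani = normalize_ani(env.get("agi_callerid", ""))
    agi_command(inp, out, "HANGUP")          # never Answer(): zero billable minutes
    if ani is None:
        return {"ani": None, "sms_sent": False}
    balance = accounts.get(ani)
    if balance is None:
        return {"ani": ani, "sms_sent": False}  # not a subscriber: log it, do not text
    send_sms(ani, f"Your prepaid balance is ${balance:.2f}.")
    return {"ani": ani, "sms_sent": True}


def log_only_sms(number, text):
    """Stand-in for the carrier SMS interface: just report what would be sent."""
    print(f"SMS to {number}: {text}", file=sys.stderr)


def simulate(agi_session_text, accounts):
    """Drive handle_call with an in-memory AGI session, for running offline."""
    inp = io.StringIO(agi_session_text)
    out = io.StringIO()
    sent = []
    env = read_agi_env(inp)
    result = handle_call(env, inp, out, accounts, lambda n, t: sent.append((n, t)))
    return result, out.getvalue(), sent


if __name__ == "__main__":
    # Invoked by Asterisk on the toll-free DID, e.g. exten => s,1,AGI(scamaphone.py),
    # with no Answer() anywhere before it.
    handle_call(read_agi_env(sys.stdin), sys.stdin, sys.stdout, ACCOUNTS, log_only_sms)
```

Two details matter operationally: the hang-up happens before any account lookup, so a slow database never keeps an unanswered call ringing, and unknown or withheld ANIs get no text at all, which keeps the free outbound SMS channel from being used to message arbitrary numbers.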
The AGI script was named scamaphone.
Well, that’s legitimate loophole abuse, not a scam.
What was the reason you could not use USSD requests for balance checking?
Not entirely sure (I didn’t invent the app). Possibly just because nobody there at the time knew how to receive USSD requests, so they came up with this thing instead :)