This blog post is the second of a series discussing the latest call fraud and hacking schemes we have observed. We spoke previously about the use of weak credentials in Don’t be “THAT” guy Vol.1. We will now focus on the juicy part that attackers are typically after: “free” calling through your SIP trunks.

What's the hacker's ultimate goal?


Once they gain access to a user device or extension, the attackers will typically sit tight until night or the weekend. They wait until no one is at the office, then place test calls toward foreign destinations. Once they identify a destination that works, they place calls in bulk towards it. This is the basis of call fraud.

The destinations called are premium, over-charged numbers that connect to automated IVRs playing pre-recorded messages, and the attackers try to keep these calls running for as long as possible. Now you’ll ask: what is the point of doing so?

Well, the hackers make money out of this: they are the ones who set these numbers up in the first place through online premium-number brokers, and they get a commission per call established and/or per minute spent on the line. The extra charge is paid automatically by your VoIP provider to the premium service provider, who pays a commission to the number’s owner and keeps the rest. In the end, you get billed for the total cost by your VoIP provider at the end of the month, when it’s already too late.

Some background information

This type of call fraud is called an International Revenue Share Fraud (IRSF) scheme, and it has been around in the telecoms world for at least 30 years. However, it has become industrialized and automated with the advances of VoIP and is estimated to cause billions in losses each year. The Communications Fraud Control Association (CFCA) estimated it to be the top fraud type, costing $5.04 Billion, in their 2019 Fraud Loss Survey. No doubt it has risen even further in the COVID era.

The bottom line is: if your system is subjected to call fraud, you may be required to settle a huge invoice that runs to hundreds of your local currency if you are lucky, but more often than not to thousands or more.

What leads to call fraud?

In short, multiple factors and bad practices, which we will now detail.

Sloppy outbound rule configuration

3CX Outbound Rule Screenshot

First, you should not have “loose” outbound rules. A good practice is to have separate rules for international numbers and for national/local numbers, with the international rule being the most restricted.

An international number, as per ITU standards, starts with an exit code, which is + or 00 for most countries. Others, like the USA, use a different one: 011. So you can have a rule for those with a prefix criterion of comma-separated prefixes, “00,+”, and define strictly who can place calls through this rule, either by listing extension numbers separated by commas, or by extension groups.

A local number in many countries starts with 0 or has a fixed length, either of which can be used as a criterion as well.

A lax allowed countries list

Second, the list of allowed country codes under the “Security” page should be strict and adjusted to the needs of each customer. You should never enable all countries out of convenience, thinking that you will adjust them later on. By default, this is restricted to the country where you installed the 3CX system, precisely for the purpose of reducing call fraud.

When dialing an international number, the system will then check if there is a matching outbound rule and if the country code is allowed before letting it through.

Be careful, however, with international numbers dialed in non-international format. Let me explain: some providers allow placing international calls without the leading exit code, e.g. 33123456789 would be connected to France by some providers. You will need to check whether that is the case with your VoIP provider and adjust the rules accordingly.

A note for endpoints using US providers

3CX Outbound Rule US Screenshot

Third, there is a similar situation with the NANP dial plan, which is largely abused in call fraud schemes to place calls towards the Caribbean: all US providers allow placing calls towards those territories as local area codes. So, for example, you can connect to the Dominican Republic with 18091234567, which will not be checked against the Allowed Country Codes as it is interpreted as a local number. +18091234567 and 01118091234567 would, however, get blocked if the country code is disallowed.

To cope with this, you will need to add an outbound rule on top of all others, with the Prefix criterion set to the comma-separated list of NANP territories to block, and Routes set to BLOCK CALL.
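The outbound-rule logic of the last three sections, as an added Python model that is not 3CX’s own code: rules are evaluated top-down, international numbers are checked against the allowed-country list, and a Caribbean number dialed in NANP format slips past that check unless a BLOCK rule sits above the others. The country table, rule names, extension numbers and the block list are constructed for illustration.

```python
# Added example (not 3CX code): a simplified model of top-down outbound rules
# plus an allowed-country check. Country table, rule names, extensions and the
# NANP block list are constructed; 1809 is the Dominican Republic prefix from the post.
EXIT_CODES = ("+", "00", "011")  # exit codes named in the post (ITU / US)

# Constructed country table: Caribbean NANP territories are separate entries
# under "1", so the longest matching prefix identifies the country.
COUNTRY_PREFIXES = {"1": "USA", "1809": "Dominican Republic", "33": "France"}
ALLOWED_COUNTRIES = {"USA", "France"}  # the "allowed countries" list

def country_of(digits):
    """Longest-prefix lookup of the country for a number without its exit code."""
    for length in range(4, 0, -1):
        name = COUNTRY_PREFIXES.get(digits[:length])
        if name:
            return name
    return "unknown"

def split_exit_code(number):
    """Return (is_international, digits after the exit code)."""
    for code in EXIT_CODES:
        if number.startswith(code):
            return True, number[len(code):]
    return False, number

# Rules are checked top-down and the first prefix match wins:
# (name, prefixes, extensions allowed to use the rule (None = any), route)
DEFAULT_RULES = [
    ("International", ("00", "+", "011"), {"100", "101"}, "TRUNK"),
    ("National (NANP)", ("1",), None, "TRUNK"),
]
# The fix from the post: a BLOCK rule for Caribbean area codes above all others.
HARDENED_RULES = [("Block NANP Caribbean", ("1809", "1829", "1849"), None, "BLOCK")] + DEFAULT_RULES

def route_call(extension, number, rules):
    """Decide what happens to a dialed number; returns 'ALLOWED/BLOCKED/DENIED:<reason>'."""
    for name, prefixes, allowed_ext, route in rules:
        if not number.startswith(prefixes):
            continue
        if route == "BLOCK":
            return "BLOCKED:" + name
        if allowed_ext is not None and extension not in allowed_ext:
            return "DENIED:extension not in rule"
        intl, digits = split_exit_code(number)
        # The country check only runs for numbers dialed with an exit code,
        # which is why a NANP-format Caribbean number escapes it.
        if intl and country_of(digits) not in ALLOWED_COUNTRIES:
            return "DENIED:country " + country_of(digits)
        return "ALLOWED:" + name
    return "DENIED:no matching rule"
```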

A few last lines of defense

Finally, additional controls exist in the fight against call fraud. Where the user control panel of your VoIP provider offers them, configure:

  • Country restrictions, matching the ones configured in 3CX,
  • A maximum number of simultaneous outbound calls,
  • Credit limits, avoiding unlimited auto-refill,
  • Mail notifications / account blocking once suspicious calling activity has been detected.

Watch out for the next episode and in brief… Don’t be “THAT” guy!