provided by Star2Billing S.L.

Hi All,

I've noticed recently that one of the accounts on my server is getting hacked via callerid spoofing. One one account, it is enabled for simultaneous calls, and also access is granted based off of the callerid since we offer the PINless service. It is only one account getting hacked, and they are calling from only one DNID. How would I be able to prevent this situation?

I have only Asterisk and A2Billing at this time. I'm thinking of writing in the dialplan that when a call comes in from that callerid with the matching DNID, make the call play obsenities or something. Any idea as to how I would go about doing this? I have disabled simulanteous calls for now off of this account (its the only account that has it) and have deleted the callerid. It is not possible for me to enable PINs systemwide, as my customers are prepaid long distance clients who LOVe not having to enter a PIN.

Thanks!

Hi

If your system is a Calling Card only platform, you should ensure that only calls from only your DID providers are allowed. This will prevent people from calling your DID without paying their own provider, which makes it a little less attractive.

I would also suggest that your DID are only published to your customers, not to the world, this will reduce your exposure to only people who have purchased your service.

Joe

Hi Joe,

I can definately remove my access numbers off the net. How would I " ensure that only calls from only your DID providers are allowed" I have straight Asterisk (got hacked WAY too many times with FreePBX, so I deleted the web interface, however, all the configs are intact) and A2Billing.

Hi

What I mean is that you only publish your calling card numbers to your customers, e.g. on printed their calling card, or on an email to them, don't publish access numbers on publicly accessible web pages.

You can use iptables to block access to port 5060 from anywhere but your DID providers, but this pre-supposes you are only running calling card services, you could not do this if you are running VoIP services to your customers as well.

Yours

Joe

We have the same problem. Caller ID spoofing has gone up significantly this year and there is no way to stop it. Not posting access numbers on the web doesn't help as it could very well be an existing customer. Only solution is to PIN verify each call but a2billing PINS are minimum 10 digits which is too much. On our legacy system we use a shorter password after the CID validation. Is this possible in a2billing?

I am still getting this issue. How can we resolve it please? There has to be something that we can do.

Hi

You can demand a PIN number via the agi-conf, and you can set the length of the PIN to as low as 5 digits from the default of 10.

I'd reiterate the advice given earlier in that you should only publish numbers to your customer, not on your website, and you should only allow access via SIP from your DID provider, so that those who try and spoof cannot address your platform directly.

Joe

What's the key name?
The only PIN key I see is "cid_auto_create_card_len" where I can set the card number as 5 digits but that would limit the number of cards possible.
Then there is "callerid_authentication_over_cardnumber" which as I understand it means that card numbers are validated by matching callerID when we want the reverse i.e. matching callerID verified by a PIN (card number).

Hi

callerid_authentication_over_cardnumber

This means that the callerID and the PIN have to belong to the same customer.

Try it, and you will see what I mean.

Joe

Hi Joe,

Thanks for the recommendations. I do use VoIP services on my server as well. How would I go about this? I have already taken down my access numbers. I also have Fail2Ban and IPTables installed and configured on my server so I am at a greatttt loss as to what I should be doing. I see that both Fail2Ban & IPTables are working correctly in that they both are blocking and jailing IP addresses.

Any help would be most appreciated. This is for a reseller and I would like to make sure that this never happens again.

Hi Joe,

Thanks for the recommendations. I do use VoIP services on my server as well so I can't block port 5060, however, could I change it? Would this work better? How would I go about this? I have already taken down my access numbers. I also have Fail2Ban and IPTables installed and configured on my server so I am at a greatttt loss as to what I should be doing. I see that both Fail2Ban & IPTables are working correctly in that they both are blocking and jailing IP addresses. Also, when I checked logs of when this happened, it was using the same account number that belonged to the callerid. How were they even able to find out what the callerid was in the first place? I have secure database and login usernames and passwords...

Any help would be most appreciated. This is for a reseller and I would like to make sure that this never happens again.

Hi

A customer contacted us for some paid support who had the same problem in that they were suffering from caller ID spoofing, which meant I needed to analyse the problem further.

On inspection, we realised that the call was not coming from the DID provider, but directly through SIP, e.g. 12345@IP-of-A2Billing.

Because of the way that the customer's sip.conf and dialplan was set up, with default SIP context as follows...



...this meant that any number was matching, making it very easy to do spoofing, as the spoofer did not have to know the access number to attack the platform. They just had to dial <<any-number>>@<<IP-of-A2Billing>> from any IP in the world, and keep testing different callerID's until a valid one was found.

So the first part of the solution was to modify the code only to allow their actual DID to go through, and hangup anything else, and add some more dial-plan to grab the source IP to log spoofing attempts. With a bit of imagination, you could add these to an IPTables block list.

But if they know your access DID, they could simply dial 1234567890@IP-of-customers-server from anywhere, and they could begin attempting spoofing again.

So the next step was to use IP authentication, so if the call was from one of your DID provider's IP address, we send it into your calling card context, then check the right number has been called, and if it's from any other address, and is not otherwise authenticated via username / password or IP in A2Billing's VoIP settings, then the call gets sent to a context that logs the IP and simply hangs up.

These steps should make it uneconomic for the CLID spoofer, as they have to call the access number directly via the PSTN, which will cost them real money. Furthermore, giving your customers the access numbers via email or printed on the calling-card and not announcing them on your web page will further reduce your attack surface area especially if you are running your calling card service on a toll-free number.

If you need help to set this up on your own platform then contact us at [email protected]. The exact solution will depend on the existing set-up of your platform.

Joe