Support A2Billing :

provided by Star2Billing S.L.

VoIP Billing solution


All times are UTC




 Post subject: Re: Fraud with paypal!!
Posted: Wed Jun 09, 2010 4:25 pm

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
stanke wrote:
Yeah, we also got hit by some Chinese guy, he used 2.5hrs of time within 1 hour. He had up to 9 simultaneous calls.
And he was also calling Sierra Leone. And what is even stranger, he was calling consecutive phone numbers.
+23222289186
+23222289185
+23222289184
+23222289183
+23222289155
+23222289151

@hellbound, out of curiosity, are the above the same numbers called from your system by the attacker?

Pls, tell what happened with disabling simultaneous calls?

BRGDS to all.



Hi Stanke,

Are you by any chance using Betamax?

Cheers


 Post subject: Re: Fraud with paypal!!
Posted: Mon Jun 28, 2010 3:01 pm

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
We've found who is behind this damn scam:

http://ephonepremium.com/rate.html

They have a route table in which they provide expensive routes.
I tried tens of major telecoms worldwide and they are being routed to these damn people.

We gotta do something against these people.

Joe, you're in England, maybe you can report their prefix list to the British Police?

TAKE THIS SERIOUSLY:

We have to block all these prefixes:

Code:
Country   Prefix    Weekly Payout    Be Weekly    45 EOM    Currency
Austria   43820    0.11    0.12    -    USD
Bulgaria   359881    0.1150    0.12    -    USD
Bulgaria   359882    0.12    0.13    -    USD
Liechtenstein   423662    0.15    0.16    -    USD
Liechtenstein   423663    0.15    0.16    -    USD
Liechtenstein   423667    0.15    0.16    -    USD
Liechtenstein   423668    0.15    0.16    -    USD
Eritrea   2913    0.09    -    -    USD
Somalia   2522    0.09    -    -    USD
Taiwan   88    0.0200    -    -    USD
Zimbabwe   263 913    0.10    -    -    USD
Sierra Leone   232222    0.13    0.14    -    USD
Ascension   247    -    -    0.15    USD
Austria   43810    -    -    0.04    USD
Burkina Faso   226    -    -    0.14    USD
England   4487128    0.0550    -   0.07    USD
England   4487129    0.0250    -    0.03    USD
England   4487136    0.0450    -    0.05    USD
England   4487145    0.0450    -    0.05    USD
England   4487161    0.0450    -    0.05    USD
Germany   49157    -    -    0.04    USD
Kiribati   68687    -    -    0.16    USD
Libya   218    -    -    0.09    USD
Lithuania   3709    0.14    0.15    0.1450    USD
Madagascar   261    0.20    0.21   0.34    USD
Niger   227    -    -    0.45    USD
Qatar   974    -    -    0.12    USD
Romania   4033    -    -    0.16    USD
San Marino   378    -    -    0.21    USD
Sao Tome   239    -    -    0.30    USD
Togo   228    -    -    0.45    USD
Tokelau   6905    -    -    0.15    USD
Tuvalu   688    -    -    0.15    USD
Vanuatu   678    -    -    0.15    USD
Uk   44870    0.0150    0.02    -    USD
Albania   3556    0.0350    0.04    -    USD
Antarctica   8823    0.40    0.41    -    USD
Austria Mobile 4   43820    0.10    0.11    -    USD
CAR   23687    0.12    0.13    -    USD
Dutch Mobile   3165    0.02    -    -    USD
Emsat   88213    0.19    0.20    -    USD
France Sat 2   3364    0.07    0.08    -    USD
Georgia   9957    0.06    0.07    -    USD
IT Mobile 2   3931    0.02    -    -    USD
Ivory Coast   2252    0.10    0.11    -    USD
Latvia 2   3716    0.10    0.11    -    USD
Nauru   6747    0.08    0.09    -    USD
Oration 2   8823    0.19    0.20    -    USD
Zaire Kinshasa   2431    0.19    0.20    -    USD
Zaire Short   2434    0.19    0.20    -    USD
Spain peak TDM   34    0.0150    0.02    -    USD
Estonia   372    0.09    0.11    -    USD
Congo    24342    0.22    0.23    -    USD
Switzerland   41773    0.04    0.05    -    USD


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 1:49 am

Joined: Tue Aug 24, 2010 9:14 am
Posts: 14
Hello all,

I would like to report I have experienced the exact same type of scam on my system. This scammer makes many repeat calls that show in the CDR as 0 or 1 seconds. Somehow they found a way to make simultaneous calls (even though that's disabled) and somehow transfer or put the call on hold so that the system thinks it's been hung up but my provider is charging me for multiple calls at the SAME time from the same scammer.
All of the numbers are prefixes that were listed above. They are using a SIP softphone (Xlite). Also they seemed to be random numbers in a row, like 0024, 0025, 0026, etc.

I have blocked all of those prefixes, but I am still baffled at how exactly they tricked my system. Min_duration_2bill is set to 0, but still about half of the calls show up as 0 seconds and status ANSWERED but NOT charged by A2Billing.

Does anyone know of a way to lock down A2Billing to prevent this type of abuse? I have checked everything I know, such as canreinvite is off on all trunks and customers. I am just baffled as to how they are getting away with this, that somehow simultaneous calls are being dialed by the system but NOT being billed, or even noticed for that matter, and then somehow transferred to music on hold and I am getting stuck with huge charges which don't show up in my logs.

Regards,
-Steve


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 6:51 am

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
thewoose wrote:
Hello all,

I would like to report I have experienced the exact same type of scam on my system. This scammer makes many repeat calls that show in the CDR as 0 or 1 seconds. Somehow they found a way to make simultaneous calls (even though that's disabled) and somehow transfer or put the call on hold so that the system thinks it's been hung up but my provider is charging me for multiple calls at the SAME time from the same scammer.
All of the numbers are prefixes that were listed above. They are using a SIP softphone (Xlite). Also they seemed to be random numbers in a row, like 0024, 0025, 0026, etc.

I have blocked all of those prefixes, but I am still baffled at how exactly they tricked my system. Min_duration_2bill is set to 0, but still about half of the calls show up as 0 seconds and status ANSWERED but NOT charged by A2Billing.

Does anyone know of a way to lock down A2Billing to prevent this type of abuse? I have checked everything I know, such as canreinvite is off on all trunks and customers. I am just baffled as to how they are getting away with this, that somehow simultaneous calls are being dialed by the system but NOT being billed, or even noticed for that matter, and then somehow transferred to music on hold and I am getting stuck with huge charges which don't show up in my logs.

Regards,
-Steve



One reason they don't show up could be that they are using callback to the extension; check your rates, there might be a loophole.
To prevent this we used:

1. PayPal email verification to make sure the owner of the PayPal account is verifying this payment.

2. We verified the user's phone number by SMS to make sure we know which country he is living in. If his phone number is verified in China but he is using PayPal from the US, then the payment is blocked.

Regards


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 1:28 pm
Moderator

Joined: Tue Jun 06, 2006 12:14 pm
Posts: 685
Location: florida
I, too, just got nailed with these short calls that appeared to hang up, but connected to my carrier (myself on another A2B box) and that box shows the calls continuing.

Bottom line, I just got nailed for about $300 in the past 24 hours of fraudulent calls. And only cause I nailed the bastards quick and blocked their IP.

I noticed that there were several calls that were stuck in "*98" checking for voicemail, which ends in an endless loop when you enter invalid passwords. So it seems they need some way to keep the call on the line, and since I just now read the above post, I think it must have something to do with callback, even though I SWEAR I disabled callback on this line.

I'm going to check now and ensure that callback is disabled. But I suspect several will get nailed with this soon, as it seems like someone found a loophole.

I'd love to find the forum where these hackers share our website information and probably share their hacking methods so we can find out what they are doing and how.

KK


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 3:23 pm

Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
Hi

Do you have an "i" in your dial command parameters?

Joe


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 7:32 pm

Joined: Tue Aug 24, 2010 9:14 am
Posts: 14
Hello,

I think the 'i' variable may be the culprit. It's not the callback, it's not a rate loophole (the rates chosen for the calls were correct, but at 1 second or less they didn't get charged by A2Billing, except my provider of course charged me for several minutes.)

After re-studying the Asterisk Dial command, I am fairly certain that not having that 'i' was the reason they were able to redirect these calls.

I sure do wish we could find out where these scammers swap secrets! But anyway the post a few pages up mentions the ephonepremium website, which has a list of prefixes that these scammers are dialing. Almost all the countries and prefixes listed there have shown up in my logs.

-Steve


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 8:59 pm
Moderator

Joined: Tue Jun 06, 2006 12:14 pm
Posts: 685
Location: florida
Joe,

The "i" parameter which disallows forwarding is implemented by default in the a2billing.conf file.

I checked anyhow just to make sure that I didn't have it removed for some odd reason, and yes, it's there. The server I encountered this issue with is a PBIAF box. I don't need to place that parameter in the dial of FreePBX because the A2B overrides and does its own dial strings I believe.

If you want to take a peek to see if you see what it was doing, drop me a PM.

KK - Randy


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 9:10 pm

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
thewoose wrote:
Hello,

I think the 'i' variable may be the culprit. It's not the callback, it's not a rate loophole (the rates chosen for the calls were correct, but at 1 second or less they didn't get charged by A2Billing, except my provider of course charged me for several minutes.)

After re-studying the Asterisk Dial command, I am fairly certain that not having that 'i' was the reason they were able to redirect these calls.

I sure do wish we could find out where these scammers swap secrets! But anyway the post a few pages up mentions the ephonepremium website, which has a list of prefixes that these scammers are dialing. Almost all the countries and prefixes listed there have shown up in my logs.

-Steve


Can you post the numbers they were dialing? I think they have only certain providers bound to this and we might be able to block them permanently by adding those prefixes into a ratecard and trunk that is not routed.


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 10:21 pm
Moderator

Joined: Tue Jun 06, 2006 12:14 pm
Posts: 685
Location: florida
Sure,

I was getting nailed mostly dialing Tonga:

67658835
67658837

Libya Mobile:

218928699006

Somalia:

25230230318
25230230324
25230230334
25230230332

Now what kills me, is like even on the mobile calls, there are several successive within seconds of each other, and this "mobile" ends up with I think over 5 concurrent calls at one time.

The other item, as someone described that I still don't quite understand ... is that the calls on the server that the fraudster originated the call from, only shows a very short period of time (couple seconds) ... yet the call continued ??


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 10:31 pm

Joined: Tue Aug 24, 2010 9:14 am
Posts: 14
Hello hellbound,

Yes here are the numbers they dialed (this is all from the same individual):

Code:
Date                         Prefix   Number
------                         ------   ---------
08/26/10 04:58 PM   252   25230230330
08/26/10 04:59 PM   252   25230230336
08/26/10 05:00 PM   850   85099922379
08/26/10 09:24 PM   252   25230230330
08/27/10 07:59 AM   252   25220230330
08/27/10 08:20 AM   676   67658835
08/27/10 08:20 AM   677   6777498782
08/27/10 08:21 AM   39   393453838258
08/27/10 08:22 AM   4475   447589000427
08/27/10 12:30 PM   252   25230230330
08/27/10 02:52 PM   4476   447640007865
08/27/10 02:53 PM   44872   448721990145
08/27/10 02:54 PM   44872   448721990145
08/27/10 03:35 PM   252   25230230330
08/27/10 03:36 PM   252   25230230330
08/27/10 03:36 PM   676   67658835
08/27/10 03:37 PM   39   393453838258
08/27/10 03:38 PM   252   25230230332
08/27/10 03:44 PM   252   25230230330
08/27/10 04:06 PM   850   85099922379
08/27/10 04:40 PM   23222   23222287500
08/28/10 10:27 AM   252   25230230331
08/28/10 10:27 AM   504   50487306760
08/28/10 10:29 AM   504   50487306760
08/28/10 10:31 AM   504   50487306667
08/28/10 10:39 AM   504   50487306760
08/28/10 10:40 AM   504   50487306760
08/28/10 10:42 AM   504   50487306760
08/28/10 10:43 AM   504   50487306760
08/28/10 10:43 AM   504   50487306666
08/28/10 10:44 AM   504   50487306834
08/28/10 10:45 AM   504   50487306669
08/28/10 10:45 AM   504   50487306760
08/28/10 10:46 AM   504   50487306760
08/28/10 10:47 AM   504   50487306834
08/28/10 10:48 AM   504   50487306666
08/28/10 10:59 AM   504   50487306666
08/28/10 11:03 AM   504   50487306666
08/28/10 11:05 AM   504   50487306760
08/28/10 11:06 AM   504   50487306834
08/28/10 11:07 AM   504   50487306760
08/28/10 11:07 AM   504   50487306836
08/28/10 11:08 AM   504   50487306837
08/28/10 11:08 AM   504   50487306834
08/28/10 11:10 AM   504   50487306837
08/28/10 11:10 AM   504   50487306784
08/28/10 11:11 AM   504   50487306838
08/28/10 11:11 AM   504   50487306784
08/28/10 11:12 AM   504   50487306783
08/28/10 11:13 AM   504   50487306838
08/28/10 11:13 AM   504   50487306782
08/28/10 11:14 AM   504   50487306835
08/28/10 11:15 AM   504   50487306780
08/28/10 11:15 AM   504   50487306780
08/28/10 11:16 AM   504   50487306838
08/28/10 11:17 AM   504   50487306837
08/28/10 11:17 AM   504   50487306783
08/28/10 11:18 AM   504   50487306784
08/28/10 11:19 AM   504   50487306780
08/28/10 11:19 AM   504   50487306838
08/28/10 11:20 AM   504   50487306835
08/28/10 11:20 AM   504   50487306838
08/28/10 11:21 AM   504   50487306784
08/28/10 11:22 AM   504   50487306784
08/28/10 11:22 AM   504   50487306784
08/28/10 11:23 AM   504   50487306836
08/28/10 11:23 AM   504   50487306784
08/28/10 11:24 AM   504   50487306784
08/28/10 11:24 AM   504   50487306760
08/28/10 11:25 AM   504   50487306760
08/28/10 11:26 AM   504   50487306760


I have already blocked all of these prefixes to a Blackhole destination. Almost all of them are premium destinations (high $$$).
Also as krzykat posted I have also had lots of calls to Libya and Somalia. The way they are getting these calls through without A2B noticing I think is by manipulating transfers/conferencing, although I still can't figure out how they do it exactly. But blocking all those prefixes and locking down the SIP settings seems to prevent it.
Hope this helps.

Steve
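
Added example (not part of the thread and not A2Billing code): a Python script for the two checks the posts above rely on, longest-prefix matching against a blocklist and spotting runs of near-consecutive dialed numbers that the list does not cover. The CDR rows are constructed in the column layout of the excerpt above, the four blocklist prefixes are taken from the rate table earlier in the thread, and the function names and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Subset of the prefixes listed earlier in the thread (Sierra Leone, Somalia,
# Libya, Eritrea); an operator would load their own full list here.
BLOCKLIST = {"232222", "2522", "218", "2913"}

# Constructed rows (date, matched rate prefix, dialed number) in the layout
# of the CDR excerpt above. These are not real call records.
SAMPLE_CDR = """\
08/28/10 11:07 AM   232222   23222200136
08/28/10 11:08 AM   232222   23222200137
08/28/10 11:08 AM   232222   23222200134
08/28/10 11:10 AM   232222   23222200138
08/28/10 11:11 AM   232222   23222200135
08/28/10 11:12 AM   252   25230000330
08/28/10 11:13 AM   252   25230000336
08/28/10 11:14 AM   252   25230000332
08/28/10 11:15 AM   252   25230000334
08/28/10 04:40 PM   39   39345000000
"""

def parse_cdr(text):
    """Return [(timestamp, dialed_number)] from 'MM/DD/YY HH:MM AM prefix number' rows."""
    calls = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or malformed row
        ts = datetime.strptime(" ".join(parts[:3]), "%m/%d/%y %I:%M %p")
        calls.append((ts, parts[4]))
    return calls

def blocked_prefix(number, blocklist=BLOCKLIST):
    """Longest blocklisted prefix of `number`, or None if no prefix is listed."""
    for end in range(len(number), 0, -1):
        if number[:end] in blocklist:
            return number[:end]
    return None

def sequential_runs(calls, max_gap=5, min_distinct=4, window=timedelta(hours=1)):
    """Groups of distinct numbers whose neighbours differ by <= max_gap and
    that were all first dialed within `window` of each other."""
    first_seen = {}
    for ts, number in calls:
        if number not in first_seen or ts < first_seen[number]:
            first_seen[number] = ts
    runs, current = [], []
    for number in sorted(first_seen, key=lambda n: (len(n), int(n))):
        if current and (len(number) != len(current[-1])
                        or int(number) - int(current[-1]) > max_gap):
            runs.append(current)
            current = []
        current.append(number)
    if current:
        runs.append(current)
    return [r for r in runs
            if len(r) >= min_distinct
            and max(first_seen[n] for n in r) - min(first_seen[n] for n in r) <= window]

def analyze(text):
    """Numbers caught by the blocklist, plus sequential runs the list misses."""
    calls = parse_cdr(text)
    numbers = sorted({n for _, n in calls})
    return {
        "blocked": {n: p for n in numbers if (p := blocked_prefix(n))},
        "unlisted_runs": [r for r in sequential_runs(calls)
                          if not any(blocked_prefix(n) for n in r)],
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_CDR))
```

In the sample, the 2523 numbers fall outside the listed 2522 prefix and are reported only because they form a run.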


 Post subject: Re: Fraud with paypal!!
Posted: Sun Aug 29, 2010 10:41 pm
Moderator

Joined: Tue Jun 06, 2006 12:14 pm
Posts: 685
Location: florida
This must be a new one that they just found a hole in, and I suspect others will be hit soon as well. Interesting that we both got hit on the same day. You got their IP info?

This is the IP that was registered doing the damage on my side 217.203.80.177


 Post subject: Re: Fraud with paypal!!
Posted: Mon Aug 30, 2010 3:30 am

Joined: Tue Aug 24, 2010 9:14 am
Posts: 14
krzykat wrote:
This must be a new one that they just found a hole in, and I suspect others will be hit soon as well. Interesting that we both got hit on the same day. You got their IP info?

This is the IP that was registered doing the damage on my side 217.203.80.177


The IPs I got are similar:
Code:
217.203.187.13
217.201.153.68
95.74.231.172
95.75.65.4
79.36.173.207
79.36.173.160
79.36.173.132
79.36.173.91
79.36.173.175
79.136.173.79
79.136.173.28


Most of them I checked and they're all in Rome, Italy. I didn't realize how many different IPs they were using until just going through the logs! I suspect they're mostly dynamic IPs, but who knows it could be a group. Anyway watch out for any activity from that neighborhood.

-Steve


 Post subject: Re: Fraud with paypal!!
Posted: Mon Aug 30, 2010 4:58 am

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
We were hit by the same guy.
We have SMS verification, therefore we have this guy's phone number, if you can file a police report in Italy to catch this guy.


 Post subject: Re: Fraud with paypal!!
Posted: Mon Aug 30, 2010 3:54 pm
Moderator

Joined: Tue Jun 06, 2006 12:14 pm
Posts: 685
Location: florida
OK - read this snippet from my full file. So to me, it seems like somehow this guy is saying to put this on hold, transfer to voicemail. A2B then stops the billing of it, even while the original call to 67658835 was going on.

[2010-08-28 19:30:56] VERBOSE[4800] logger.c: -- Called Carrier-GSMcall/67658835
[2010-08-28 19:30:56] VERBOSE[4800] logger.c: -- SIP/Carrier-GSMcall-00000002 answered SIP/78654389-00000001
[2010-08-28 19:30:56] VERBOSE[4800] logger.c: -- Started music on hold, class 'default', on SIP/Carrier-GSMcall-00000002
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: -- Stopped music on hold on AsyncGoto/SIP/Carrier-GSMcall-00000002<ZOMBIE>
[2010-08-28 19:30:57] VERBOSE[4805] logger.c: -- Executing [*98@from-internal-xfer:1] Answer("SIP/Carrier-GSMcall-00000002", "") in new stack
[2010-08-28 19:30:57] VERBOSE[4805] logger.c: -- Executing [*98@from-internal-xfer:2] Wait("SIP/Carrier-GSMcall-00000002", "1") in new stack
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:1139 - -> dialstatus : ANSWER, answered time is 1
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: a2billing.php|1:
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:1143 - [USEDRATECARD=0]
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:820 - ft2c_package_offer : 0 ; ; 0
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:899 - [CC_asterisk_stop QUERY = INSERT INTO cc_call (uni
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:902 - [CC_asterisk_stop 1.1: SQL: DONE : result=1]
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:920 - [CC_asterisk_stop 1.2: SQL: UPDATE cc_card SET cred
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:925 - UPDATE cc_trunk SET secondusedreal = secondusedreal
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:929 - UPDATE cc_tariffplan SET secondusedreal = seconduse
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:a2billing.php - line:312 - [a2billing account stop]
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:a2billing.php - line:172 - [CHANNEL STATUS : 6 = Line is up]
[2010-08-28 19:30:58] VERBOSE[4805] logger.c: -- Executing [*98@from-internal-xfer:3] NoOp("SIP/Carrier-GSMcall-00000002", "app-dialvm: Asking for mail
[2010-08-28 19:30:58] VERBOSE[4805] logger.c: -- Executing [*98@from-internal-xfer:4] Read("SIP/Carrier-GSMcall-00000002", "MAILBOX|vm-login|||3|2") in
[2010-08-28 19:30:58] VERBOSE[4805] logger.c: -- <SIP/Carrier-GSMcall-00000002> Playing 'vm-login' (language 'en')
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:a2billing.php - line:173 - [CREDIT : 9.6658][CREDIT MIN_CREDIT_2CALL : 0.02]
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.A2Billing.php - line:676 - 0 && && 8&& 1
[2010-08-28 19:30:58] WARNING[4800] file.c: Failed to write frame
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: -- <SIP/78654389-00000001> Playing 'prepaid-enter-dest' (language 'en')
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.A2Billing.php - line:683 - RES DTMF : -1
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.A2Billing.php - line:701 - DESTINATION ::> -1
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.A2Billing.php - line:703 - RULES APPLY ON DESTINATION ::> -1
[2010-08-28 19:30:58] VERBOSE[4800] logger.c: -- Playing 'prepaid-invalid-digits' (escape_digits=#) (sample_offset 0)
[2010-08-28 19:30:58] WARNING[4800] file.c: Failed to write frame
[2010-08-28 19:30:59] VERBOSE[4805] logger.c: -- User disconnected
[2010-08-28 19:30:59] VERBOSE[4805] logger.c: == Spawn extension (from-internal-xfer, *98, 4) exited non-zero on 'SIP/Carrier-GSMcall-00000002'
[2010-08-28 19:30:59] VERBOSE[4805] logger.c: -- Executing [h@from-internal-xfer:1] Macro("SIP/Carrier-GSMcall-00000002", "hangupcall") in new stack
[2010-08-28 19:30:59] VERBOSE[4805] logger.c: -- Executing [s@macro-hangupcall:1] ResetCDR("SIP/Carrier-GSMcall-00000002", "vw") in new stack
[2010-08-28 19:30:59] DEBUG[4805] app_macro.c: Executed application: ResetCDR
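
Added example (not from the thread, A2Billing or Asterisk): a Python detector for the pattern visible in the excerpt above, where the carrier leg that a Dial just answered starts executing dialplan on its own while A2Billing closes the call after about one second. The first five sample lines are copied from the excerpt and the last two are constructed for contrast; the regexes, the function name and the correlation by thread id are assumptions about this log layout.

```python
import re

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] \w+\[(?P<tid>\d+)\] \S+ (?P<msg>.*)$')
ANSWERED = re.compile(r'-- (?P<leg>\S+) answered (?P<caller>\S+)')
EXECUTING = re.compile(r'-- Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):\d+\] '
                       r'\w+\("(?P<chan>[^"]+)"')
BILLED = re.compile(r'dialstatus : ANSWER, answered time is (?P<secs>\d+)')

# First five lines: copied from the log excerpt above.
# Last two lines: constructed, an ordinary 95-second call for contrast.
SAMPLE_LOG = r'''
[2010-08-28 19:30:56] VERBOSE[4800] logger.c: -- Called Carrier-GSMcall/67658835
[2010-08-28 19:30:56] VERBOSE[4800] logger.c: -- SIP/Carrier-GSMcall-00000002 answered SIP/78654389-00000001
[2010-08-28 19:30:57] VERBOSE[4805] logger.c: -- Executing [*98@from-internal-xfer:1] Answer("SIP/Carrier-GSMcall-00000002", "") in new stack
[2010-08-28 19:30:57] VERBOSE[4800] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:1139 - -> dialstatus : ANSWER, answered time is 1
[2010-08-28 19:30:59] VERBOSE[4805] logger.c: -- Executing [h@from-internal-xfer:1] Macro("SIP/Carrier-GSMcall-00000002", "hangupcall") in new stack
[2010-08-28 19:40:00] VERBOSE[4900] logger.c: -- SIP/Carrier-GSMcall-00000004 answered SIP/1001-00000003
[2010-08-28 19:41:35] VERBOSE[4900] logger.c: a2billing.php|1: file:Class.RateEngine.php - line:1139 - -> dialstatus : ANSWER, answered time is 95
'''

def find_redirected_legs(log_text):
    """Return outbound legs that ran dialplan themselves after being answered.

    A leg answered by Dial normally stays bridged to the caller. Seeing it in
    an 'Executing [exten@context]' line means it was sent elsewhere, which in
    the excerpt coincides with A2Billing billing only one second.
    """
    legs = {}        # outbound channel name -> record
    by_thread = {}   # thread id of the Dial -> outbound channel name
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        if (a := ANSWERED.match(msg)):
            legs[a["leg"]] = {"leg": a["leg"], "caller": a["caller"],
                              "answered_at": m["ts"],
                              "redirected_to": None, "billed_seconds": None}
            by_thread[tid] = a["leg"]
        elif (e := EXECUTING.match(msg)):
            rec = legs.get(e["chan"])
            if rec and rec["redirected_to"] is None:
                # Keep only the first destination; later 'h' steps are cleanup.
                rec["redirected_to"] = f'{e["exten"]}@{e["context"]}'
        elif (b := BILLED.search(msg)) and tid in by_thread:
            # A2Billing logs on the same thread that ran the Dial.
            legs[by_thread[tid]]["billed_seconds"] = int(b["secs"])
    return [rec for rec in legs.values() if rec["redirected_to"]]

if __name__ == "__main__":
    for hit in find_redirected_legs(SAMPLE_LOG):
        print(hit)
```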

