
  • Fraud calls?

    Last night, we received 180 inbound calls to random extensions from 9:00 pm to midnight.
    Inbound caller IDs are all different but all start with +601 followed by 8 digits. When I Googled some of the numbers, Google came back with China or Malaysia numbers. Are they trying to hack our system? I checked our logs between those hours and did not see any outbound calls. Most of the calls went to our auto attendant extension. How and where do I check if fraud calls were made from our system?
    Also, what Event ID can I use if our trunks are getting full?
    Thanks.

  • #2
    Usually I have seen Toll Fraud on different PBX systems where the hacker either logs into the admin, or they hack another user's voicemail using a default code and using the voicemail follow-me feature to forward calls offsite.
    I looked at my own voicemail system and I could not figure out how to hack the Shoretel system voicemail (since you can't enter a follow-me phone number), but it seems that it is possible using the voicemail call-back feature.
    Here are the basics on how this would work:
    - Hacker finds a voicemail with an easy password (like 1234).
    - Hacker calls back with a spoofed caller ID and leaves a message.
    - Hacker logs into the user's voicemail box and uses the call-back feature to make an off-site call.
    I found an online link that basically said the same thing:
    Last edited by rwensmann; 01-24-2019, 01:24 PM.



    • #3
      We have also seen this happen with accounts that have a default password and conference bridge access. They log into the web portal and then set up call me conferences to remote numbers from a fax or conference room login that has been forgotten.



      • #4
        Thanks for the reply. That was one of my first stops when I saw the call logs - check the outbound calls including conference bridge access. I have call-back feature disabled. I also have most of my users set to "Phone only" for access license instead of "Connect Client". I reached out to the fraud department of our service provider and confirmed that there were no unusual call activities. It is just alarming knowing that they are trying to hack into our system.
        What Event ID should I use if I want to be alerted if our trunks are maxed out?



        • #5
          Originally posted by blanning
          We have also seen this happen with accounts that have a default password and conference bridge access. They log into the web portal and then set up call me conferences to remote numbers from a fax or conference room login that has been forgotten.
          I think I saw this happen to a former customer.



          • #6
            Originally posted by LeadAdmin
            Last night, we received 180 inbound calls to random extensions from 9:00 pm to midnight.
            Inbound caller IDs are all different but all start with +601 followed by 8 digits. When I Googled some of the numbers, Google came back with China or Malaysia numbers. Are they trying to hack our system? I checked our logs between those hours and did not see any outbound calls. Most of the calls went to our auto attendant extension. How and where do I check if fraud calls were made from our system?
            Also, what Event ID can I use if our trunks are getting full?
            Thanks.

            You can see this in D&M: look at the switches and then calls, and you will see a call GUID for every call.
            You can see the numbers involved if anything looks out of place.

            If your trunks are getting full again you will get an alert in D&M, and the event ID is 1334.
            This will only warn you at the point of an outbound call failing due to no trunks available, rather than giving a preemptive warning.

            Depending on your call requirements you can also restrict international calls, or international calls to certain countries based on their country code under Class of Service.

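An added example, not part of any post in this thread: one way to run the check discussed above over exported call records, flagging inbound bursts that share a caller-ID prefix and any outbound international call in the same window. The CSV column names, the sample rows, the `+1` home country code and the function name `review_calls` are assumptions made for illustration, not the PBX's real export format.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column names are assumptions for illustration,
# not the PBX's real CDR schema; all numbers are made up.
SAMPLE_CDR = """start,direction,caller,dialed,extension
2019-01-23 14:05:09,out,,+442071234567,305
2019-01-23 21:02:11,in,+60112345678,,100
2019-01-23 21:30:47,in,+12065550100,,100
2019-01-23 21:41:03,in,+60187654321,,231
2019-01-23 22:00:18,out,,+12065550123,118
2019-01-23 22:17:52,in,+60111122233,,100
2019-01-23 23:15:40,out,,+60312345678,214
2019-01-23 23:48:29,in,+60199988877,,407
"""

def review_calls(csv_text, start_hour=21, end_hour=24, home_cc="+1", burst=3):
    """Return (inbound prefix bursts, outbound international calls) in the window.

    home_cc is the site's own country code (assumed "+1" here); dialed numbers
    are assumed to be in E.164 form.
    """
    inbound_by_prefix = Counter()
    outbound_intl = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hour = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S").hour
        if not start_hour <= hour < end_hour:
            continue  # outside the window under review
        if row["direction"] == "in":
            # Group by the first four characters of the caller ID, e.g. "+601"
            inbound_by_prefix[row["caller"][:4]] += 1
        elif not row["dialed"].startswith(home_cc):
            # An outbound call leaving the home country: the toll-fraud signal
            outbound_intl.append((row["start"], row["extension"], row["dialed"]))
    bursts = {p: n for p, n in inbound_by_prefix.items() if n >= burst}
    return bursts, outbound_intl

if __name__ == "__main__":
    bursts, suspicious = review_calls(SAMPLE_CDR)
    print("inbound bursts by prefix:", bursts)
    for start, ext, dialed in suspicious:
        print(f"outbound international: {start} ext {ext} -> {dialed}")
```

The extension on each flagged outbound row is the mailbox or login to review first.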


            • #7
              What type of trunks do you have connected on your system T1 or SIP?



              • #8
                We have T1s

