Hak5 Forums


Are there any real-world resources out there, non-vendor or vendor-specific, that address PBX fraud? How it is done, how to prevent it, how to detect it early? I am encountering too many end users with cracked CPE. I am wondering about the best way for me to intelligently talk about it with them.

Most of the vendors I am seeing are Cisco, NEC, ShoreTel (who have been difficult to work with; they claim their solution is infallible), and a surprising number of Yeastar implementations (as there are so few out there). It is not limited to these; I also see most other vendors out there too, but not as often. I understand a number of SIP hacks, but I think I need to know more. I am also looking at cases where the only external access is the auto-attendant. White, grey, or black hat, I do not care about the source.


There are a few basic strategies, some hardware-based and some software-based. Normally a special type of firewall called a session border controller is placed in front of the PBX. They're designed to address issues like toll fraud. Other things can be done too, though. General PBX hardening best practices should be enforced, like strong SIP account passwords, limiting SIP sessions to only your authorized private subnets, not allowing outgoing international calling, not allowing outgoing calling to offshore US territories, turning off call transfer feature codes for incoming calls, not exposing your PBX directly to a public IP, etc. On top of that, you must monitor logs regularly.

Here's a presentation that's FreePBX based but includes general best practices.

https://player.vimeo.com/video/130328541

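The advice above to limit SIP to authorized private subnets, block international calling and monitor logs regularly can be turned into a handful of concrete checks that run over call detail records and SIP authentication logs. The script below is an example added to this thread; it is not code from any of the posters, from FreePBX or from any PBX vendor. The CDR column layout, the SIP failure log format, the NANP dial prefixes used (011 for international, 1900 for premium-rate), the business-hours window and the thresholds are all assumptions, and every log line is constructed for the example.

```python
"""Toll-fraud indicators over PBX logs (added example; layout and thresholds are assumptions).

Checks implemented:
  * calls to international or premium-rate destinations
  * calls placed outside business hours
  * bursts of calls from a single extension (auto-dialler / pumping pattern)
  * SIP authentication failures from outside the authorized subnets
"""
import csv
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed Asterisk-style CDR extract: start time, source extension, dialled number,
# billable seconds, disposition.  Extension 205 shows a 02:00 international burst.
SAMPLE_CDR = """\
start,src,dst,duration,disposition
2024-03-12 09:14:02,201,12125551234,185,ANSWERED
2024-03-12 09:20:45,202,18005550100,62,ANSWERED
2024-03-12 02:03:11,205,011447700900123,540,ANSWERED
2024-03-12 02:03:40,205,011447700900124,512,ANSWERED
2024-03-12 02:04:05,205,011447700900125,498,ANSWERED
2024-03-12 02:04:31,205,011447700900126,0,FAILED
2024-03-12 02:05:00,205,011447700900127,0,FAILED
2024-03-12 02:05:30,205,011447700900128,0,FAILED
2024-03-12 14:30:00,203,19005551212,300,ANSWERED
"""

# Constructed SIP registration failures: date, time, peer IP, account attempted.
# 203.0.113.7 is a documentation address standing in for an outside host.
SAMPLE_SIP_FAILURES = """\
2024-03-12 01:58:01 203.0.113.7 201
2024-03-12 01:58:02 203.0.113.7 202
2024-03-12 01:58:02 203.0.113.7 203
2024-03-12 01:58:03 203.0.113.7 204
2024-03-12 01:58:03 203.0.113.7 205
2024-03-12 01:58:04 203.0.113.7 206
2024-03-12 10:00:00 10.0.5.21 204
2024-03-12 10:00:30 10.0.5.21 204
"""

# Policy assumptions for this example site.
AUTHORIZED_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time
INTL_PREFIXES = ("011",)        # NANP international access code
PREMIUM_PREFIXES = ("1900",)    # NANP premium-rate numbers
BURST_WINDOW_S = 300            # N calls from one extension inside this window
BURST_THRESHOLD = 5
REG_FAIL_THRESHOLD = 5          # internal hosts are only flagged past this count


def parse_cdr(text):
    """Turn the CSV extract into rows with a real datetime and integer duration."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "src": row["src"],
            "dst": row["dst"],
            "duration": int(row["duration"]),
            "disposition": row["disposition"],
        })
    return rows


def call_reasons(row):
    """Return the list of policy reasons a single call is suspicious (empty if none)."""
    reasons = []
    if row["dst"].startswith(INTL_PREFIXES):
        reasons.append("international")
    if row["dst"].startswith(PREMIUM_PREFIXES):
        reasons.append("premium-rate")
    if row["start"].hour not in BUSINESS_HOURS:
        reasons.append("after-hours")
    return reasons


def find_bursts(rows):
    """Flag an extension whose N-th call lands within BURST_WINDOW_S of an earlier one."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r["start"])
    bursts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if (times[i + BURST_THRESHOLD - 1] - times[i]).total_seconds() <= BURST_WINDOW_S:
                bursts.append({"src": src, "window_start": times[i]})
                break  # one alert per extension is enough
    return bursts


def registration_alerts(text):
    """Any SIP auth failure from outside the authorized subnets violates policy;
    internal hosts are flagged only on repeated failures (a mistyped secret is normal)."""
    fails = Counter()
    for line in text.splitlines():
        if line.strip():
            _date, _time, ip, _account = line.split()
            fails[ip] += 1
    alerts = []
    for ip, n in fails.items():
        internal = any(ipaddress.ip_address(ip) in net for net in AUTHORIZED_SUBNETS)
        if not internal:
            alerts.append({"ip": ip, "count": n, "reason": "SIP auth failures from outside authorized subnets"})
        elif n >= REG_FAIL_THRESHOLD:
            alerts.append({"ip": ip, "count": n, "reason": "repeated SIP auth failures from internal host"})
    return alerts


def analyze(cdr_text, sip_fail_text):
    """Run every check and return the findings plus the international airtime exposed."""
    rows = parse_cdr(cdr_text)
    flagged = [dict(r, reasons=call_reasons(r)) for r in rows if call_reasons(r)]
    intl_seconds = sum(r["duration"] for r in rows if r["dst"].startswith(INTL_PREFIXES))
    return {
        "flagged_calls": flagged,
        "bursts": find_bursts(rows),
        "registration_alerts": registration_alerts(sip_fail_text),
        "international_seconds": intl_seconds,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_CDR, SAMPLE_SIP_FAILURES)
    for c in report["flagged_calls"]:
        print(f"{c['start']:%H:%M} ext {c['src']} -> {c['dst']}: {', '.join(c['reasons'])}")
    for b in report["bursts"]:
        print(f"burst: ext {b['src']} from {b['window_start']:%H:%M}")
    for a in report["registration_alerts"]:
        print(f"sip: {a['ip']} x{a['count']}: {a['reason']}")
    print(f"international airtime: {report['international_seconds']} s")
```

On the constructed sample the script reports the six 02:00 international calls from extension 205 (also flagged as after-hours and as a burst), the premium-rate call from 203, and the outside host that walked through six SIP accounts in four seconds shortly before the fraudulent calls began. Running a check like this hourly against the CDR table, rather than reviewing the bill at month end, is what turns "monitor logs regularly" into early detection.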

Open ports are a big issue here. They're the main access path for many hackers. 3CX deals with this quite well, but ports are still 'open' in that they can be accessed from other site locations, if needed. Obscuring your ports (e.g. using something other than the default) helps a bit, and using hard passwords that make no sense whatsoever to anyone can help as well. A good firewall with all ports blocked save the ones needed (don't open any RDP ports - if you need remote access use something like RD Gateway - these ports are some of the most commonly hacked) is the way to go.

With your PBX admin accounts, I would make only one Admin account, with that being the only one able to access any of the more dangerous settings, which you should manage yourself. These settings would include things like whether international calls should be allowed, whole-number redirects (redirecting your main number to another main number), interstate calls, etc. Anything that might cost you ridiculous amounts of money. Also, with the Admin account, maybe name it something obscure that doesn't make it look like an Admin account at first glance? Just generic, like the others.

I'm assuming you've had a Google around for answers? You might've seen these pages:

PBX Hacking: How it works
WHAT IS PABX FRAUD & WHY DO YOU NEED TO KNOW ABOUT IT?
PBX Fraud Information

There's tonnes out there on this stuff, which is only logical, because it does cost hundreds of thousands of dollars if it does happen (usually; it depends on what the hacker is trying to do).

Edited by Dave-ee Jones
