Image source: www.itechfreak.com After analysing some logs we got, it was obvious that the calls that had been made were successful attempts in placing calls to expensive and exotic numbers, and the biggest one was Sierra Leone. one of the most common places these thieves dial. What was involved: 1) Two PaBXes, one PBX A and the other was Asterisk running FreePBX 2) TollFree number, e.g. 1800XX Please note, this attempt was NOT via SIP (or hacked extensions) but pure PSTN and therefore can happen to anyone who connects to an Asterisk box or for that matter any kind of PaBX. What happened?
- Thief dials tollfree 1800XX for example and realises there are a full PaBX in there
- Received by PBX A which just forwards to PBX B
- PBX B creates a forwarding number (via follow-me) to a queue. Because of this, the context which this user rides on is “from-internal”, therefore changing the entire context of “from-trunk” to “from-internal” or commonly known as the “ALLOW ANY” rule
- Then while reaching the destination of the forward, (upon answer or ring), the caller does a blind transfer in Asterisk/FreePBX by dialing ##
- Dials a new destination, therefore the arbitrary user created, e.g. 1000 is the source and whatever destination the thief dials is the destination.
Notes about this attack
- Thief dials to 1800XX few hundreds of times wanting to do reconnaissance over which equipment you use
- Once they find out, they will go up and research about the equipment you use, in this particular case it was Asterisk/FreePBX
- They then attempts the call as per the flow chart above and successfully make calls
What you should know about this method
- It is do-able on any Asterisk/FreePBX if you have a forwarded context that’s not secure, e.g. from-internal or any kind of follow-me done on extensions or a particular extension itself, inheriting that extension’s context
- It is normally done with TollFree numbers so the attempts and calling from the thief for actual calls or reconnaissance is free for them
What should you do? – And make this a habit when deploying any Asterisk/FreePBX solution for your customers!
- Block international calls to exotic numbers (i have a list of numbers of very commonly used numbers for these kind of hacks and also very expensive calling routes)
- Change the from-internal-xfer context restricting it to calling internal extensions only
- Enable pin based dialling for International calls on your Outbound Routes
- Monitor international calls, always
- Inform your telco to monitor your calls and put a cap on the maximum amount of calls that can be made by you