Eric Klein
2014-02-22 07:40:48 UTC
While I applaud the idea of jointly attacking fraud, and the various
comments over the past few days about the idea, I have to pour a little
cold water on this thread.
There are 2 aspects I would like to point out and explain:
1. The idea is not new
2. The idea is targeting multiple moving targets
First, there are already 2 lists for telecom fraud available. One is run by
carriers and law enforcement (and is not free to join), the second has more
activity in intercompany collection problems than actual fraudulent callers
or hackers.
So this gives us the CFCA (http://cfca.org/), which was set up by carriers
with the FBI and the GSM forum to track fraud (the last time I looked they
had more than 50,000 numbers on the list), or the VOIP Fraud Project List
(http://voipfraud.net/), which is community driven but tends to have more
activity about which VOIP provider owes someone money.
Both lists track fraudulent CLIDs (the VOIP Fraud list also includes hacker
IP addresses).
Now for the problems with using these lists - the targets move almost
faster than they can be reported.
In both cases you are trying to respond to rapidly changing attacks when
changing IP addresses or phone numbers can be done within a single provider
within minutes, plus there are lots of providers. So unless you blacklist
full carriers in response to an attack that happened, even though the
attacker may no longer be using that provider, it is hard to block them.
Plus you need to plan for the fact that today's fraudulent number can be
tomorrow's legitimate number.
In my experience it is better to work with blocking types of traffic at the
PBX:
- Off-hours calls - most fraud seems to happen overnight and at weekends.
Does your business or your customers' businesses need calls when they are
closed? These can also include "internal fraud", where the cleaning or
security people make otherwise legitimate calls abroad that they are not
authorized to make.
- Unneeded international and premium destinations - do you or your
customer need to call Cuba or Afghanistan? How about 1-900 or satellite
phones?
In both cases you can block 90% of the fraud attempts that we have seen by
setting rules to block these and having a real-time look at traffic that
can notify the PBX admin of unusual traffic changes (repeat calls to one
number in a short time, extremely long calls, etc.).
Best regards
Eric Klein
VP Sales and Marketing
Humbug Telecom Labs
Mobile: +972-54-666-0933
Mail: ***@humbuglabs.org
www.humbuglabs.org
*Disclaimer*:
This e-mail is intended solely for the person to whom it is addressed and
may contain confidential or legally privileged information. Access to this
e-mail by anyone else is unauthorized. If an addressing or transmission
error has misdirected this e-mail, please notify the author by replying to
this e-mail and destroy this e-mail and any attachments.
E-mail may be susceptible to data corruption, interception, unauthorized
amendment, viruses and delays or the consequences thereof. If you are not
the intended recipient, be advised that you have received this email in
error and that any use, dissemination, forwarding, printing or copying of
this email is strictly prohibited.
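The PBX-side approach Eric describes above (block off-hours calls, block unneeded international and premium destinations, and notify the admin in real time on repeat calls to one number or extremely long calls), as an added example that is not part of Eric's message or any Humbug product: a small Python rule set run over constructed CDR lines. The CDR format, the Mon-Fri 08:00-18:00 business hours, the blocked prefixes and the thresholds are assumptions for the example; the country codes for Cuba (+53) and Afghanistan (+93) and the US 1-900 premium range are real, the satellite prefixes are illustrative.

```python
"""Added example: PBX-side fraud rules over constructed CDR lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (not real traffic):
# start time, calling extension, dialed number, duration in seconds.
# 2014-02-22 is a Saturday; ext314 is the "break-in" pattern.
SAMPLE_CDRS = """\
2014-02-21 10:15:00,ext201,+4420712345678,240
2014-02-22 02:05:10,ext314,+5351234567,3900
2014-02-22 02:07:30,ext314,+5351234567,3800
2014-02-22 02:09:55,ext314,+5351234567,3700
2014-02-21 14:20:00,ext105,19005550100,600
2014-02-21 16:00:00,ext105,+12125550123,120
"""

# Business hours assumed for the example: Mon-Fri 08:00-18:00 PBX local time.
BUSINESS_START, BUSINESS_END = 8, 18

# Destinations this hypothetical business never needs to call.
BLOCKED_PREFIXES = {
    "+53": "Cuba",
    "+93": "Afghanistan",
    "+870": "satellite (Inmarsat)",
    "+881": "satellite (GMSS)",
    "+882": "satellite / international networks",
    "1900": "US premium rate (1-900)",
    "+1900": "US premium rate (1-900)",
}

# Anomaly thresholds (assumptions for the example).
REPEAT_CALLS = 3                        # this many calls to one number ...
REPEAT_WINDOW = timedelta(minutes=10)   # ... within this window
LONG_CALL_SECONDS = 3600                # over an hour counts as "extremely long"


def normalize_number(dialed):
    """Strip spaces/dashes and turn 00-prefixed international dialing into +."""
    digits = dialed.replace(" ", "").replace("-", "")
    if digits.startswith("00"):
        return "+" + digits[2:]
    return digits


def parse_cdrs(text):
    """Parse the constructed CSV CDR format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, ext, dialed, duration = line.split(",")
        records.append({
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
            "ext": ext,
            "number": normalize_number(dialed),
            "duration": int(duration),
        })
    return records


def is_off_hours(dt):
    """Weekend, or outside business hours on a weekday."""
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.hour < BUSINESS_END)


def blocked_destination(number):
    """Return the label of the matching blocked prefix, or None."""
    for prefix, label in BLOCKED_PREFIXES.items():
        if number.startswith(prefix):
            return label
    return None


def evaluate(records):
    """Apply the rules and return (rule, extension, number) alerts."""
    alerts = []
    recent_by_number = defaultdict(list)   # number -> start times in window
    for r in sorted(records, key=lambda r: r["start"]):
        if is_off_hours(r["start"]):
            alerts.append(("off-hours", r["ext"], r["number"]))
        label = blocked_destination(r["number"])
        if label:
            alerts.append(("blocked-destination:" + label, r["ext"], r["number"]))
        if r["duration"] > LONG_CALL_SECONDS:
            alerts.append(("long-call", r["ext"], r["number"]))
        # Sliding window of calls to this number; alert once when the
        # threshold is reached rather than on every further call.
        window = recent_by_number[r["number"]]
        window.append(r["start"])
        while window and r["start"] - window[0] > REPEAT_WINDOW:
            window.pop(0)
        if len(window) == REPEAT_CALLS:
            alerts.append(("repeat-calls", r["ext"], r["number"]))
    return alerts


if __name__ == "__main__":
    for rule, ext, number in evaluate(parse_cdrs(SAMPLE_CDRS)):
        print(f"{rule:45s} {ext:8s} {number}")
```

On the sample data the three Saturday-night calls from ext314 to a Cuban number trip every rule (off-hours, blocked destination, long call, repeat calls), the Friday-afternoon 1-900 call trips only the premium-destination rule, and the UK and New York calls during business hours produce nothing; in a real deployment the blocked-destination and off-hours rules would reject the call in the dialplan, while the two anomaly rules would only notify.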
Because none of us want to deal with fraud, and many of us
have fought it, are fighting it, and eventually (like it or
not) will come across it, I am proposing starting up a NON-
PUBLIC, TRUSTED mailing list. The purpose of the list would
be to share information on attacks, numbers dialed, and so
forth. The reasoning for it not being public would be
obvious: avoid letting a threat actor know they have been
flagged.
The theory behind this list would be to aggregate KNOWN
fraudulent destinations for the purposes of creating some
form of blacklist or triggering mechanism. For example,
suppose I had a break-in where calls went to 2125551212.
x.x.x.x (IP) | 2125551212 | DATE | CHECKSUM
The first field is obvious: you'd want to block this address.
On the second field, one can set up a triggering mechanism.
(Pseudo code)
    if [ "$number" = "2125551212" ]; then
        # do something, e.g. send_email || generate_phonecall
        send_email || generate_phonecall
    fi
The date is for historical purposes, and the checksum
would be a variable of which system saw what. For those
who have seen my VABL list (http://www.infiltrated.net/vabl.txt),
it would look EXACTLY like that. So for anyone who'd
care to share without disclosing WHO shared the
information, there would be a mechanism to hide your
identity (company info, etc.).
The other reason for it being a NON-public list would be a
matter of trust, in the sense that I would NOT allow any
freemail (Gmail, Hotmail, etc.) to be used, in order to
minimize any false positives. The last thing I would want
is for someone to maliciously submit data against a
competitor. (Make sense?)
I am willing to start and maintain such a list; however, I'd
need to know whether or not a) others are willing to share
attack data (which will be sanitized) and b) other businesses
and peers would find the data useful.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
___________
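The record format and trigger described in the proposal above, as an added example that is not the author's VABL code or any real list data: Python that parses the "IP | number | date | checksum" layout, derives the IP block list from the first field, looks up a dialed number against the second, and fires a notify callback in place of send_email / generate_phonecall. The checksum field is stood in by a salted HMAC token computed by the list maintainer, so peers can see which system reported an entry without learning the company behind it; the entries, the salt, the submitter names and the 30-day staleness cutoff (a nod to Eric's point earlier in the thread that today's fraudulent number can be tomorrow's legitimate number) are all assumptions for the example.

```python
"""Added example: shared fraud-list format with anonymised submitter tokens."""
import hashlib
import hmac
from datetime import date

# Constructed values for the example. The salt stays with the list
# maintainer; submitters never see each other's identities.
MAINTAINER_SALT = b"example-salt-held-only-by-the-list-maintainer"
TODAY = date(2014, 2, 22)   # the date of the thread, used as "now"


def submitter_token(submitter, salt):
    """Opaque token for the 'checksum' field: same submitter -> same token,
    but the company name cannot be recovered without the salt."""
    return hmac.new(salt, submitter.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed list in the proposed layout (IPs from documentation ranges).
SAMPLE_LIST = "\n".join([
    "# ip | dialed number | date seen | submitter token",
    "203.0.113.45 | 2125551212 | 2014-02-20 | "
    + submitter_token("acme-telecom", MAINTAINER_SALT),
    "198.51.100.7 | 5351234567 | 2013-11-02 | "
    + submitter_token("beta-voip", MAINTAINER_SALT),
    "203.0.113.45 | 19005550100 | 2014-02-21 | "
    + submitter_token("acme-telecom", MAINTAINER_SALT),
])


def parse_list(text):
    """Parse pipe-delimited entries, skipping blanks and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, number, seen, token = [f.strip() for f in line.split("|")]
        entries.append({"ip": ip, "number": number,
                        "seen": date.fromisoformat(seen), "token": token})
    return entries


def blocked_ips(entries):
    """First field: addresses to block outright at the firewall/SBC."""
    return sorted({e["ip"] for e in entries})


def match_number(entries, dialed, today, max_age_days=None):
    """Second field: entries whose number equals the dialed number.
    With max_age_days set, entries older than that are ignored so a
    recycled number does not stay blocked forever."""
    hits = []
    for e in entries:
        if e["number"] != dialed:
            continue
        if max_age_days is not None and (today - e["seen"]).days > max_age_days:
            continue
        hits.append(e)
    return hits


def on_dial(dialed, entries, today, notify, max_age_days=30):
    """The proposed trigger: if the dialed number is on the (fresh) list,
    call notify (stand-in for send_email / generate_phonecall) and return True."""
    hits = match_number(entries, dialed, today, max_age_days)
    if not hits:
        return False
    reporters = sorted({h["token"] for h in hits})
    notify(f"dialed {dialed} is on the fraud list, reported by "
           f"{len(reporters)} system(s): {reporters}")
    return True


if __name__ == "__main__":
    entries = parse_list(SAMPLE_LIST)
    print("block IPs:", blocked_ips(entries))
    for number in ("2125551212", "5351234567", "2125550000"):
        hit = on_dial(number, entries, TODAY, print)
        print(number, "-> trigger" if hit else "-> no match or stale")
```

Because the token is keyed by the maintainer's salt, two entries from the same system share a token (so duplicates and corroboration are visible) while a peer cannot brute-force company names from the list; the stale entry for the Cuban number is ignored by on_dial's default 30-day window but still returned by match_number when no cutoff is given, which is the historical use the date field was proposed for.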