After blocking them, I redirected incoming calls to this DID to a recorded explanation and apology. Then I sent a broadcast to the 281 logged out-dial numbers with a similar message.
So, heads up.
FWIW, I was hit by these IPs:
84.126.205.1
78.157.193.103
It would seem that we all might gain from cooperative work here. Also, can we share the FBI contact? I was going to call the FBI, but figured it would be a waste of time just getting through the bureaucracy to the right person.
I didn't capture the audio. Did the verbiage contain a spoken return call #? I was getting responses based on caller ID, and I'm wondering if the perpetrator expected to take return calls via the bogus SIP registration or via another channel.
Matt Gibson wrote:
Same here, but about 3 months ago. Luckily I was able to stop it after about 30 minutes, but they still got about 100 calls out, I got a lot of calls back from little old ladies wanting to give me their credit card info, scary stuff.

-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of C. Savinovich
Sent: Friday, February 27, 2009 4:18 PM
To: 'Commercial and Business-Oriented Asterisk Discussion'
Subject: Re: [asterisk-biz] Fraud alert

It seems to be the same pattern of people who attacked 3 of my servers in a 3 week period a couple of weeks ago. The calls were made mostly to area codes 252 and 818 and indeed they showed the caller-id of the phones. My customer claims he received a call from the FBI saying that the calls were credit card solicitations. The point is, whoever is doing this, is doing this massively.

CS

-----Original Message-----
From: asterisk-biz-bounces@lists.digium.com [mailto:asterisk-biz-bounces@lists.digium.com] On Behalf Of voip-asterisk@maximumcrm.com
Sent: Friday, February 27, 2009 4:04 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Fraud alert

> I'd suggest to everyone to ban that IP, it's been scanning our networks from time to time, in a sequential manner by IP.

> I've had really good luck with this: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
> Basically, it automatically blackholes via IPtables any host that fails a certain number of registration attempts in a given period.

Yeah we're actually rolling it out on all of our production servers, it's a great application to run. I'm working on some scripts to propagate the bans to the firewall so that all of the servers get protected as soon as possible.

> [default]
> ; Send any unauthenticated calls to the local FBI office
> context=local-fbi-office
>
> I've got a honeypot server that pretty much accepts any calls that come through, and plays a "Thank you for calling the Telecommunications Fraud hotline. Please stay online for the next available representative." If they stay online for more than 20 seconds, it connects them to an agent at the FBI that we have been working with.
>
> I've been meaning to add some code in that pulls out the originating IP address of the call and tells it to the agent when we call. :)

That would be great to have!

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz
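The ban logic described in the thread (blackholing any host that fails a certain number of registration attempts in a given period), as an added example that is not part of the original messages and is not Fail2Ban's own code. The log lines are constructed in the style of Asterisk chan_sip NOTICE messages with documentation-range addresses, and the function names, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
[2009-02-27 16:00:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@198.51.100.10>' failed for '203.0.113.7' - Wrong password
[2009-02-27 16:00:02] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@198.51.100.10>' failed for '198.51.100.23' - Wrong password
[2009-02-27 16:00:03] NOTICE[2101] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
[2009-02-27 16:00:05] NOTICE[2101] chan_sip.c: Registration from '"a' failed for '192.0.2.99' - x" <sip:a@198.51.100.10>' failed for '203.0.113.7' - No matching peer found
[2009-02-27 16:00:09] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@198.51.100.10>' failed for '203.0.113.7' - Wrong password
[2009-02-27 16:03:00] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@198.51.100.10>' failed for '198.51.100.23' - Wrong password
[2009-02-27 16:05:30] NOTICE[2101] chan_sip.c: Registration from '"201" <sip:201@198.51.100.10>' failed for '198.51.100.23' - Wrong password
"""

# The From header is client-supplied, so it can contain text that looks like the
# log's own "failed for" clause. The greedy '.*' anchors on the LAST such clause,
# which is the part the server wrote, and the IP group only admits digits and dots.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?P<reason>.+)$"
)

def hosts_to_ban(log_text, max_retry=3, find_time=60):
    """Return {ip: timestamp} for hosts with max_retry failures inside find_time seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            banned[m["ip"]] = ts
    return banned

def iptables_rules(banned):
    """Render one DROP rule per banned host (address already validated by the regex)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]

if __name__ == "__main__":
    print("\n".join(iptables_rules(hosts_to_ban(SAMPLE_LOG))))
```

The slow retries from 198.51.100.23 stay under the default 60-second window, which is why the window length matters as much as the retry count when tuning this kind of ban.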