[comp.dcom.telecom] Mysterious LD Fraud

BRUCE@ccavax.camb.com (Barton F. Bruce) (11/03/90)

The Oct 29 issue of {Network World} has a front page article titled:
"Users paying big price for PBX fraud"

It goes on to describe NYC street hawkers peddling DISA phone numbers
and account codes. It further mentions that some offenders are PBX
hopping (dialing out from a different PBX (in the same company) from
the one they called in to) as a way to further obscure what they are
doing.

MCI is specifically mentioned, and calls to Dominican Republic (among
other places) seem to be popular.

I have a situation where a customer is an ATT SDN user (all calls
default to 10732 rather than 10288), and 10xxx routing is definitely
blocked from all but a few management phones. All, and I mean ALL
including brief aborted misdialed sequences, outward dialing is
captured on the SMDR log. NO DISA is enabled on their switch, and the
maint. port is on an internal PBX extension that has INCOMING CALLS
LOGGED. No database changes have been made - there have been NO calls
to this extension in MONTHS (this is a Hotel and their configuration
is quite static).

Their NET&T bill showed MCI calls on their LDN. Curiously, that new
LDN, though defaulting to 10732, is not in AT&Ts SDN database, so will
default to vanilla AT&T service. Virtually all their other trunks,
including oneway outgoing HOBIC trunks, give their own WTN as the ANI
number.  There are two trunks that do give a former LTN (their new LTN
is a 8000 that they prefer to list rather than the old one that was
quite nondistinctive) rather than their actual WTN, but none of these
old numbers are involved in the MCI calls.

There is NO WAY anyone could have routed calls 10222, and even if they
had, they would have shown up on the SMDR log. Also the trunks are in
a rotary hunt group outgoing that always picks another trunk on
successive calls.  The chance of anyone getting even a few, let alone
all these calls, onto THE ONE TRUNK that ANIs as xxx.8000 is
impossible from behind the PBX.

The 8000 number was 'acquired' less than a year ago, and had been on
an intercept for SEVERAL YEARS. Apparently a dentist's office had
gotten it and it had before that belonged to a candy factory. The
dentist kept getting too many calls for the candy folks, so changed
numbers. Somehow it was on that intercept recording for several years
when we found it. There is a shortage of x000 numbers so we grabbed
it.

The reason I am giving this history is that it seems unlikely that
through all those many months of unuse, that another WTN, possibly
giving the 8000 number for ANI, could have existed without someone
noticing that there was no one paying the bill for that number.

I suspect that something is screwed up in the CO, or that someone has
tapped the line outside this building and explicitly dialed 10222
before these calls.

Another curious thing is that the bill shows one call every few days
to a different NPA.555.1212 (and that is all there was during that
time period), and then a flurry of EXPENSIVE offshore calls, a few
more DA calls, and more offshore calls. There were just a few
Dominican Republic numbers called, and the same numbers were repeated
WEEKS apart. The DA calls may have been 'test' calls...

Something is DEFINITELY wrong here, and I am fishing for suggestions
on HOW it is being done. I want to stop it COLD. NET&T has been told
these are being refused, and they are kicking it all back to some
special department, and MCI. I haven't heard anything else, yet.

Anyone have any bright ideas?


[Moderator's Note:  Could we please have a little more information
about the use of '10732' for routing of calls?  Thanks.   PAT]

kaufman@neon.stanford.edu (Marc T. Kaufman) (11/04/90)

In article <14270@accuvax.nwu.edu> "Barton F. Bruce"  <BRUCE@ccavax.
camb.com> writes:

>There is NO WAY anyone could have routed calls 10222, and even if they
>had, they would have shown up on the SMDR log.

>I suspect that something is screwed up in the CO, or that someone has
>tapped the line outside this building and explicitly dialed 10222
>before these calls.

My guess (based on an actual occurrence with my residence line) is
that your line is bridged to another drop pair in one of the phone
company's cable termination boxes.  It is not uncommon to leave a drop
connected to a trunk pair when switching service -- presumably the
drop pair will get disconnected and reconnected to another trunk when
new service is ordered for it.  The phone company just assumes that no
one will check the demarc for dial tone.


Marc Kaufman (kaufman@Neon.stanford.edu)

gutierrez@noc.arc.nasa.gov (Robert Michael Gutierrez) (11/04/90)

BRUCE@ccavax.camb.com (Barton F. Bruce) writes an article in which he
is attempting to trace some fraudulent calls coming from his lines.
The PBX is programmed to dial out on AT&T's SDN network (10732) [I
will explain the use of 10732 below].

> Their NET&T bill showed MCI calls on their LDN. Curiously, that new
> LDN, though defaulting to 10732, is not in AT&Ts SDN database, so will
> default to vanilla AT&T service. Virtually all their other trunks,
> including oneway outgoing HOBIC trunks, give their own WTN as the ANI
> number.  There are two trunks that do give a former LTN (their new LTN
> is a 8000 that they prefer to list rather than the old one that was
> quite nondistinctive) rather than their actual WTN, but none of these
> old numbers are involved in the MCI calls.

[BTW ... is this a chain hotel??? That would explain how they can get/afford
AT&T SDN.]

In another article, somebody offers that a drop hasn't been
disconnected, either out of the frame (C.O.) or a B-box down the line
(one of those telco pedestals you see on some street corners).  To be
exact:

Marc Kaufman (kaufman@Neon.stanford.edu) writes:

>My guess (based on an actual occurrence with my residence line) is
>that your line is bridged to another drop pair in one of the phone
>company's cable termination boxes...

This could be true, but with common ground-start trunks, it would be
hard for the person with a standard 2500 set (or similar Korean
equivalents) to get dial tone out of it.  I have myself experienced a
multi-drop dialtone, when I was 14 and had just moved to another
apartment.  I picked up the handset and somebody was talking on it!
The other party was none too happy to hear somebody "tapping" into
their line, and was going to "call the police" about it.  I knew
better (being telephone aware by that time) and just waited for
somebody on the frame to discover the pair was crossed when we got our
own dialtone.

Back to the original article:

> There is NO WAY anyone could have routed calls 10222, and even if they
> had, they would have shown up on the SMDR log. Also the trunks are in
> a rotary hunt group outgoing that always picks another trunk on
> successive calls.  The chance of anyone getting even a few, let alone
> all these calls, onto THE ONE TRUNK that ANIs as xxx.8000 is
> impossible from behind the PBX.

I know I'm going to sound like your mother :-), or your security admin
(do you have a security administrator???), but you better make damn
sure that nobody has set up a class of service that direct accesses a
trunk, and bypasses the SMDR (ie: non-logging).  Print out the
configuration, DON'T just look at it on the console.  Take it to your
desk, and with a pencil/pen, mark off all the confirmed configurations
for ALL classes and ALL extensions.  Sounds tedious, well, it is, but
a good admin will cover every angle before pointing fingers.  Remember
what your mom said, "It's not nice to point," especially when you're
wrong...

Oh, also one other thing.  *All* large PBX's have direct trunk access
(I seem to remember Rolm's was **7X, N.T.'s was 72XX, etc).  This is
an often overlooked class of service, and always a very DANGEROUS one.
With direct trunk access, a user can punch one of these up, take the
switch out of the line (usually with a #), and the trunk then belongs
to them, with no monitoring or logging whatsoever.  This class of
service has always been the most ignored, and 3-4 large companies I've
worked with have proven this ignorance.  This class should be looked
at *BOTH* globally and on the extension level.


   Robert Michael Gutierrez
   NASA Science Internet Office - Network Operations Center.
   Ames Research Center, Moffett Field, California.  USA.

IZZYAS1@oac.ucla.edu (Andy Jacobson) (11/04/90)

In TELECOM Digest V. 10 #785: Barton F. Bruce <BRUCE@ccavax.
camb.com> writes:
 
Long story deleted
 
>blocked from all but a few management phones. All, and I mean ALL
>including brief aborted misdialed sequences, outward dialing is
>captured on the SMDR log. NO DISA is enabled on their switch, and the
 
more story deleted
 
>Their NET&T bill showed MCI calls on their LDN. Curiously, that new
 
more story deleted
 
>There is NO WAY anyone could have routed calls 10222, and even if they
>had, they would have shown up on the SMDR log. Also the trunks are in
>a rotary hunt group outgoing that always picks another trunk on
>successive calls.  The chance of anyone getting even a few, let alone
>all these calls, onto THE ONE TRUNK that ANIs as xxx.8000 is
>impossible from behind the PBX.
 
more deleted
 
>I suspect that something is screwed up in the CO, or that someone has
>tapped the line outside this building and explicitly dialed 10222
>before these calls.
 
Well, it sounds like either someone is getting onto that LDN trunk
only, and that can either be an inside job, which was not mentioned as
a possibility, or an outside job. (Someone in the manhole with a butt
set or tapping your crossconnect. _A definite_possibility_.)

One thing to note, depending on the type of trunk you have and the
type of switch that serves it, it is possible that someone "behind the
PBX" is dialing one type of CAROT test port on your local switch,
signalling it to disconnect, and getting trunk dial tone. Supervision
may not be ended by the local CO on some types of test ports, and a
second call can be piggy backed on to the test port call. This would
not explain why only one trunk is getting these calls unless that
trunk is the only one that can get to those test ports on the right
type of switch. Check your log for calls that fall on coincident
times, and if any test port numbers are being dialed.

Good luck.

P.S. I think it's spelled CAROT(?) Someone correct me if I'm wrong.

A. Jacobson
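The log check suggested above (same-trunk calls at coincident times, plus any dialing of test-port numbers or explicit 10XXX carrier codes) can be scripted against an SMDR export. This is an added example, not part of Andy Jacobson's post; the SMDR record layout, the sample calls and the test-port number are all constructed for illustration.

```python
from datetime import datetime, timedelta
# Constructed SMDR-style records for illustration (not from the thread):
# "date time trunk extension duration_seconds dialed_digits".
SMDR_SAMPLE = """\
1990-10-12 09:14  T07  2214  0045  12125551212
1990-10-12 09:14  T07  2231  0610  0118095550134
1990-10-12 11:02  T03  2102  0085  16175550199
1990-10-15 22:40  T07  2214  0020  13055551212
1990-10-15 22:41  T07  2214  0899  10222011809555
"""
# Placeholder CO test-port numbers (assumption, not from the thread).
TEST_PORT_NUMBERS = {"16175550199"}
def parse_smdr(text):
    calls = []
    for line in text.splitlines():
        if line.strip():
            date, time, trunk, ext, dur, digits = line.split()
            start = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
            calls.append({"start": start, "end": start + timedelta(seconds=int(dur)),
                          "trunk": trunk, "ext": ext, "digits": digits})
    return calls

def coincident_calls(calls):
    """Same-trunk calls whose windows overlap: one trunk cannot carry two
    calls at once, so overlap suggests a piggy-backed call or a log mismatch."""
    by_trunk, hits = {}, []
    for c in calls:
        by_trunk.setdefault(c["trunk"], []).append(c)
    for trunk, group in by_trunk.items():
        group.sort(key=lambda c: c["start"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["start"] < a["end"]:
                    hits.append((trunk, a["digits"], b["digits"]))
    return hits

def flagged_digits(calls):
    """Dialed strings worth a second look: explicit 10XXX carrier access
    codes, known test-port numbers, and NPA-555-1212 'probe' DA calls."""
    out = []
    for c in calls:
        d = c["digits"]
        if d.startswith("10") and len(d) > 5:       # 10XXX + destination
            out.append(("carrier_code", d))
        elif d in TEST_PORT_NUMBERS:
            out.append(("test_port", d))
        elif len(d) == 11 and d.endswith("5551212"):
            out.append(("directory_assistance", d))
    return out
```

Run it against a real SMDR export by replacing SMDR_SAMPLE with the file contents and TEST_PORT_NUMBERS with the numbers the serving CO actually uses.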

jimmy@denwa.info.com (Jim Gottlieb) (11/05/90)

In article <14303@accuvax.nwu.edu> Robert Michael Gutierrez
<gutierrez@noc.arc.nasa.gov> writes: 

>but you better make damn sure that nobody has set up a class of
>service that direct accesses a trunk,

Very true.  This is one of my favorite ways of making free calls from
hotels (combined with letting the receiver time out so that the digits
aren't logged).