Toll fraud block list

I periodically will get an extension hacked and the fraudsters will try and make outbound calls to certain numbers which allow them to collect money from the connection time. I have created a trunk called “Blocked” and I create an outbound route with dial matching definitions that when there is a match, the call can’t complete because the “Blocked” trunk isn’t connected to anything…so the call fails. I also use the notification section to email and text me when an attempt is made. This is only one of the security things I employ, but it helps a lot from time to time. This week a new number, 16057251933, came up and I added the 605 Area Code to the list.

I’m adding the import file in case some of you may want to use it.

prepend prefix match pattern callerid
7165212543
17165212543
1242xxxxxxx
1246xxxxxxx
1264xxxxxxx
1268xxxxxxx
1284xxxxxxx
133222623XX
13322262XXX
1345xxxxxxx
1441xxxxxxx
1473xxxxxxx
151668523XX
151668524XX
151668525XX
151668526XX
151668528XX
151821628XX
15182162XXX
15189052XXX
156161833XX
1605XXXXXXX
1641793XXXX
1649xxxxxxx
1664NXXXXXX
1664xxxxxxx
1680237XXXX
1701717XXXX
1715689XXXX
17165212XXX
1721xxxxxxx
1758xxxxxxx
1767xxxxxxx
1784xxxxxxx
1809xxxxxxx
1829xxxxxxx
1838210XXXX
1849xxxxxxx
1868xxxxxxx
1869xxxxxxx
1876xxxxxxx
1900xxxxxxx
1900xxxxxxx
19295182XXX
1976xxxxxxx
242xxxxxxx
246xxxxxxx
264xxxxxxx
268xxxxxxx
284xxxxxxx
33222623XX
3322262XXX
345xxxxxxx
441xxxxxxx
473xxxxxxx
51668523XX
51668524XX
51668525XX
51668526XX
51668528XX
51821628XX
5182162XXX
5189052XXX
56161833XX
605XXXXXXX
641793XXXX
649xxxxxxx
664NXXXXXX
664xxxxxxx
680237XXXX
701717XXXX
715689XXXX
7165212XXX
721xxxxxxx
758xxxxxxx
767xxxxxxx
784xxxxxxx
809xxxxxxx
829xxxxxxx
838210XXXX
849xxxxxxx
868xxxxxxx
869xxxxxxx
876xxxxxxx
92951824XX
9295182XXX
976xxxxxxx
1929518XXXX
929518XXXX
1929537XXXX
929537XXXX
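An added example, not part of the original post: a small checker for a pattern list like the one above. It reports which entry would catch a dialed number and which entries are duplicates or already shadowed by a broader one. It assumes the usual Asterisk-style meaning of the pattern letters (X = 0-9, Z = 1-9, N = 2-9, case-insensitive); the function names and the sample subset are constructed for illustration.

```python
import re

# Digit sets for the pattern letters used in the list (assumed Asterisk-style semantics).
CLASSES = {"X": set("0123456789"), "Z": set("123456789"), "N": set("23456789")}

# Constructed sample: a handful of entries copied from the import file above.
SAMPLE = ["1605XXXXXXX", "605XXXXXXX", "1664NXXXXXX", "1664xxxxxxx",
          "1900xxxxxxx", "1900xxxxxxx", "17165212543", "17165212XXX"]

def digit_sets(pattern):
    """Expand a pattern into one set of allowed digits per position."""
    sets = []
    for ch in pattern.strip().upper():
        if ch in CLASSES:
            sets.append(CLASSES[ch])
        elif ch.isdigit():
            sets.append({ch})
        else:
            raise ValueError(f"unsupported character {ch!r} in {pattern!r}")
    return sets

def matches(pattern, dialed):
    """True if the dialed digits match the pattern exactly (same length)."""
    digits = re.sub(r"\D", "", dialed)  # tolerate 1-605-... formatting
    sets = digit_sets(pattern)
    return len(digits) == len(sets) and all(d in s for d, s in zip(digits, sets))

def first_match(dialed, patterns):
    """Return the first pattern that would route this call to the dead trunk, or None."""
    return next((p for p in patterns if matches(p, dialed)), None)

def covers(a, b):
    """True if pattern a matches every number that pattern b matches."""
    sa, sb = digit_sets(a), digit_sets(b)
    return len(sa) == len(sb) and all(y <= x for x, y in zip(sa, sb))

def redundant(patterns):
    """List (entry, covering entry) pairs: duplicates and entries shadowed by a broader one."""
    out = []
    for i, p in enumerate(patterns):
        for j, q in enumerate(patterns):
            same = digit_sets(p) == digit_sets(q)
            if i != j and covers(q, p) and (not same or j < i):
                out.append((p, q))
                break
    return out

if __name__ == "__main__":
    print(first_match("1-605-725-1933", SAMPLE))
    for entry, by in redundant(SAMPLE):
        print(f"{entry} is already covered by {by}")
```

Running it against the full list before importing shows how wide each entry reaches, for example that a whole-area-code entry such as 1605XXXXXXX also catches every ordinary number in that area code.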

So that means you can never call someone in South Dakota right?


That’s right, while we assess what is out there in Premium Rate Service numbers in that Area Code. Luckily this week’s breach was caught quickly and we only lost about $80. But with 40ish platforms a hack can get costly. I’ve had that day when we lost $7K in 15 minutes.

Have you ever considered not accepting INVITEs sent to UDP/5060?

The real question here is, have you considered tightening the security on the systems? Because either the passwords are too easy to hack and simple generators are finding them or the system(s) itself is compromised in some way and that is how they are getting credentials. Which, by the way, wouldn’t matter about the port since they would already know by having access to things.

There is a big difference between “I was listening on 5060 and they used a dictionary attack on me” vs “I was listening on 9050 and they hacked my server and have passwords”. That would leave the follow-up of, how are these 40+ boxes being secured and set up? What is being left open to the public on them that isn’t being protected that they could get in through? Have the boxes themselves been compromised?

So your customers pay you to be their provider? They pay you directly for their usage? If so, you do not have the luxury of blocking US destinations within the 48 states. It’s illegal. You are not allowed to block destinations because they might cost you (the provider) more than you’d like. Your customers not being able to call a destination because it’s too much for you doesn’t matter. You eat the costs and that’s that.