VOIP Frauds cause of default logins in equipments

pasanm
Posts: 234
Joined: Wed Mar 10, 2010 7:11 pm
Location: Sri Lanka

VOIP Frauds cause of default logins in equipments

Post by pasanm » Thu Aug 04, 2011 2:04 pm

Hi All,

Very recently we detected a high number of fraud attempts through a particular VOIP modem/router because it has several administration logins being left with default logins. Attackers discover this sort of back door by referring to user manuals, and once your equipment login is compromised they can easily discover your account passwords by referring to the web interface HTML source.

So we strongly advise turning off all remote administration / login for your equipment if there's no necessity for keeping remote login open.

Also change default logins, not just admin but all login accounts that can be used to gain access to your equipment.

This way you'll be more secure against attack by silly fraudsters.

We at Exetel have put stringent restrictions and protections in place to minimize any fraud activity, but the most important point is endpoint security, over which we have less control; we can only provide information/guidelines to secure your endpoints.

Thank you.
Exetel Systems Team

jokiin
Volunteer Site Admin
Posts: 2970
Joined: Mon Feb 02, 2004 10:23 pm
Location: Sydney

Re: VOIP Frauds cause of default logins in equipments

Post by jokiin » Thu Aug 04, 2011 2:35 pm

which make and model of router is it that is vulnerable?

it is good advice for anyone to secure their hardware, change from default passwords, turn off remote access etc but would make sense to address owners of currently affected hardware models directly so it is not overlooked

pasanm
Posts: 234
Joined: Wed Mar 10, 2010 7:11 pm
Location: Sri Lanka

Re: VOIP Frauds cause of default logins in equipments

Post by pasanm » Thu Aug 04, 2011 2:40 pm

jokiin wrote:
> which make and model of router is it that is vulnerable?
>
> it is good advice for anyone to secure their hardware, change from default passwords, turn off remote access etc but would make sense to address owners of currently affected hardware models directly so it is not overlooked

Mostly detected one is Netcomm NB9W
Exetel Systems Team

jokiin
Volunteer Site Admin
Posts: 2970
Joined: Mon Feb 02, 2004 10:23 pm
Location: Sydney

Re: VOIP Frauds cause of default logins in equipments

Post by jokiin » Thu Aug 04, 2011 2:45 pm

pasanm wrote:
> jokiin wrote:
>> which make and model of router is it that is vulnerable?
>>
>> it is good advice for anyone to secure their hardware, change from default passwords, turn off remote access etc but would make sense to address owners of currently affected hardware models directly so it is not overlooked
>
> Mostly detected one is Netcomm NB9W

don't think it's current but is this a model Exetel used to sell? if it is would it be possible to send a mailer out to the people that have purchased previously to advise them of the problem?

probably worth a mention in the next newsletter regardless for all users to tighten up their security

thecraw
Posts: 31
Joined: Sun Jan 18, 2004 12:43 am
Location: BrisVegas

Re: VOIP Frauds cause of default logins in equipments

Post by thecraw » Sat Aug 20, 2011 9:12 pm

fwiw I just got done on my Exetel Voip and MNF account for over 200 bucks of VOIP calls to Africa and the Middle East. Billion 7404.

I recently did a modem reset to default. I didn't change back the admin login.

Once I saw the calls I logged straight into my modem and bingo the remote access had been switched on and the rest is history.

One point though I did receive an email, that suggested it was automated, and was sent due to the amount of voip calls that had been initiated. This only occurred about 1hr after I emailed support about the calls and in looking in my history it had been happening for a month, including same days of massive calls. You may want to look at the automated fraud detection and what triggers it.

Not complaining in the end it was my stupid fault at not changing my admin pass.

EDIT; Make that a total of >300 bucks between Exetel VOIP and MNF...awesome ! :shock:
Last edited by thecraw on Sun Aug 21, 2011 4:04 pm, edited 1 time in total.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: VOIP Frauds cause of default logins in equipments

Post by Dazzled » Sat Aug 20, 2011 11:18 pm

I suspect that the internal config file (the one that can be saved to a computer and retrieved, via such as TFTP, Trivial File Transfer Protocol) is the weakest link, rather than the HTML user interface, few of which will display VoIP passwords.

IanS
Posts: 268
Joined: Fri Jun 25, 2004 11:32 pm
Location: Newcastle

Re: VOIP Frauds cause of default logins in equipments

Post by IanS » Sun Aug 21, 2011 4:38 pm

Dazzled wrote:
> I suspect that the internal config file (the one that can be saved to a computer and retrieved, via such as TFTP, Trivial File Transfer Protocol) is the weakest link, rather than the HTML user interface, few of which will display VoIP passwords.

This saveable config file also has your ADSL logon details in it. Which if you drop the "@nsw.exetel.com.au" part of the username, is the logon to your user facilities! - I liked it much better when there were 2 passwords, 1 for ADSL logon & one for the user facilities.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: VOIP Frauds cause of default logins in equipments

Post by Dazzled » Sun Aug 21, 2011 5:26 pm

Keep this in mind if a wireless router isn't secure. Once someone knows the make, a default password allows instant access to the config file. Quickly grab it and disconnect, and then defraud at leisure. Most in-modem logs get overwritten so quickly nobody would know what happened.

thecraw
Posts: 31
Joined: Sun Jan 18, 2004 12:43 am
Location: BrisVegas

Re: VOIP Frauds cause of default logins in equipments

Post by thecraw » Sun Aug 21, 2011 6:23 pm

Exetel support confirmed that it was my config file that was taken and no calls were made through my modem, which was a nice bit of follow up.

thomashouseman
Posts: 750
Joined: Thu Mar 18, 2004 12:06 pm
Location: Toongabbie

Re: VOIP Frauds cause of default logins in equipments

Post by thomashouseman » Sat May 17, 2014 7:39 pm

So my father's VOIP/Modem has been hacked remotely somehow I think. We got about 20 emails like this from Exetel:

Please be advised that Exetel automatic anti-fraud measures have detected a large number of calls from your voip service 028090**** today.
This has been identified as a suspicious behaviour.

Could you please advise if this is expected. If not, it is suggested that you change your VoIP DID password and your members facility password and secure your voip equipments/routers.
It is possible that your service is being compromised. Please turn off unnecessary remote administration logins on your router / voip equipments.

Below are the suspicious traffic that our system has detected.


Timestamp Originating_Number Terminating_Number Duration
2014-05-17 09:41:57 028090**** 0011601325485214 00:00:00
2014-05-17 09:41:59 028090**** 0011972598826577 00:00:00
2014-05-17 09:42:08 028090**** 0011601325485214 00:00:00
2014-05-17 09:43:28 028090**** 00116703309086 00:00:00
2014-05-17 09:43:52 028090**** 001168630010086 00:00:00
2014-05-17 09:44:38 028090**** 001140349520153 00:00:00
2014-05-17 09:45:01 028090**** 001140906000847 00:00:00
2014-05-17 09:45:20 028090**** 00116858471922 00:00:00
2014-05-17 09:45:42 028090**** 001148700001503 00:00:00
2014-05-17 09:46:11 028090**** 001148333335533 00:00:00
2014-05-17 09:46:34 028090**** 0011447023815030 00:00:00
2014-05-17 09:46:46 028090**** 0011681614586 00:00:00
2014-05-17 09:47:15 028090**** 00116745592399 00:00:23
2014-05-17 09:48:50 028090**** 001148185210940 00:00:07

He lives on a farm, 500mtrs from any other house so that rules out a Wifi hack.
We did change member / modem and voip passwords only about a week ago. The member services one we left at whatever Exetel auto-generated for us as the forgot password password which was "2DYGMQL165W0 - (now changed)" which I thought would have been pretty un-hackable. The other passwords were non-word 8 character or greater passwords with Caps included and numbers. Not the easiest to guess....

I'm a bit bummed as the modem he's using was Exetel supplied (Netcomm RTA1046VW). So if they supplied us a hackable router.... :evil: :evil: :evil: - not good. I sure hope he's not up for any of the call charges. Looks like quite a few went through and were answered. :(

Exetel support have just had me reset all the above passwords again so I hope this time it's fixed. Is there any other way of stopping him getting hacked other than turning remote admin of his modem off (I live 400km's away and he's totally modem illiterate so don't really want to do this!) or buying another modem? Is there a firmware patch or something available?

Thanks,

T.
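
Added example, not part of the thread and not Exetel's detection code: a sliding-window check over call records in the column layout of the alert quoted above, flagging an originating number on a burst of international attempts. The window, the two thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTL_PREFIX = "0011"            # international access code seen in the alert
WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_CALLS = 5                   # assumed limit on international attempts per window
MAX_DESTS = 4                   # assumed limit on distinct destinations per window

# Constructed sample records (not real call data), columns as in the alert:
# date time originating_number terminating_number duration
SAMPLE_CDRS = """\
2014-05-17 09:40:00 0200000002 0200000009 00:03:10
2014-05-17 09:41:57 0200000001 00119990000001 00:00:00
2014-05-17 09:41:59 0200000001 00119990000002 00:00:00
2014-05-17 09:42:08 0200000001 00119990000001 00:00:00
2014-05-17 09:43:28 0200000001 00119990000003 00:00:00
2014-05-17 09:43:52 0200000001 00119990000004 00:00:00
2014-05-17 09:44:38 0200000001 00119990000005 00:00:23
2014-05-17 09:50:00 0200000002 00119990000009 00:12:30
"""

def parse_cdr(line):
    """Split one record into (timestamp, originating, terminating)."""
    date, time, orig, dest, _duration = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, orig, dest

def detect_bursts(lines):
    """Return {originating: (first_trigger_time, calls, distinct_dests)}.

    Attempts are counted regardless of duration, so unanswered probes
    (00:00:00) raise the alert before billable calls accumulate.
    """
    recent = defaultdict(deque)   # originating -> (ts, dest) inside WINDOW
    alerts = {}
    for ts, orig, dest in sorted(parse_cdr(l) for l in lines if l.strip()):
        if not dest.startswith(INTL_PREFIX):
            continue
        q = recent[orig]
        q.append((ts, dest))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        dests = {d for _, d in q}
        if orig not in alerts and (len(q) > MAX_CALLS or len(dests) > MAX_DESTS):
            alerts[orig] = (ts, len(q), len(dests))
    return alerts

if __name__ == "__main__":
    for number, hit in detect_bursts(SAMPLE_CDRS.splitlines()).items():
        print(number, *hit)
```

On the constructed sample the compromised number trips on its sixth attempt, under three minutes after the first, while the second number's single long international call does not.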

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: VOIP Frauds cause of default logins in equipments

Post by Dazzled » Sat May 17, 2014 8:30 pm

Thomas, the Dynalink firmware is quite well secured when locked. I wouldn't get something else.

It is trivial to scan IP addresses for an open port 1050, and bingo, we have a VoIP box! The next step is to look for the remote management port you are using - either web browser or telnet - if either one is open you now have a bull's eye on your forehead. A very simple script can search thousands of IPs in no time and report potential victims.

If the black hat should get in on the management interface he can get your VoIP login and scram pronto. Note that he needs only seconds, and the log will be overwritten before you know what happened.

That VoIP server login data is sufficient for someone anywhere, eg the middle east, at his leisure, to run a phone service, even a commercial mobile setup, at your father's expense.

I would prefer that you disabled remote management, and only enabled it when needed. Can you teach your father to turn remote on and off? It might also be possible to run a script on his machine to do this if he can't; I know that the telnet interface can manage remote access.

The default login particulars of modems are widely known, so it is imperative that you use something strong.

PS Here's a few stunts that can be done - http://www.transnexus.com/index.php/voi ... of-service - it's ATA/modem attack that got your Dad.
