Dial Through Fraud possibly over VOIP - over £700 in one day!

https://community.bt.com/t5/BT-Infi...ly-over-VOIP-over-700-in-one-day/td-p/1242307

We have a dedicated BT Infinity line installed with a BT hub attached. There is NO phone attached to the socket!!

Over the Easter break BT claim that over £700 of calls were made from a building that was entirely vacant.

There is one CCTV device connected to the BT Hub and a port forward rule is in place. I have personally checked the setup and cannot see anything that is incorrect. The BT Fraud team have advised that the problem is ours and it was likely an automated attack. They also advised it was possibly done over VOIP.

Our BT account manager is also confused by this, as VOIP calls would apparently appear on a broadband bill, not a landline bill.

I have searched the logs on the hub during that time and cannot see anything that looks odd.

Does anyone have any ideas what might have happened?


07:50:13, 20 Apr. ath0: STA 00:ac:54:e5:07:da IEEE 802.11: WiFi registration failed
07:50:01, 20 Apr. ath0: STA 44:a7:cf:b8:cd:7f IEEE 802.11: Client associated
07:50:01, 20 Apr. ath0: STA 44:a7:cf:b8:cd:7f IEEE 802.11: Client disassociated
07:45:22, 20 Apr. ath0: STA 00:ac:54:e5:07:da IEEE 802.11: WiFi registration failed
07:45:10, 20 Apr. ath0: STA 44:a7:cf:b8:cd:7f IEEE 802.11: Client associated
07:39:25, 20 Apr. ath0: STA 44:a7:cf:b8:cd:7f IEEE 802.11: Client disassociated
07:39:15, 20 Apr. ath0: STA 44:a7:cf:b8:cd:7f IEEE 802.11: Client associated
08:48:21, 18 Apr. ath0: STA 44:a7:cf:b8:cd:7f IEEE 802.11: Client disassociated
07:29:17, 20 Apr. (6875243.070000) OpenWiFi_1 IPSec connection is down
07:12:22, 20 Apr. (6874228.930000) OpenWiFi_1 IPSec connection is up
02:04:16, 20 Apr. (6855742.380000) CWMP: session completed successfully
02:04:16, 20 Apr. (6855742.170000) CWMP: HTTP authentication success from https://pbthdm.bt.mo
02:04:06, 20 Apr. (6855732.090000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
02:04:06, 20 Apr. (6855732.090000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
02:04:02, 20 Apr. (6855728.910000) WAN operating mode is Ethernet
02:04:02, 20 Apr. (6855728.910000) Last WAN operating mode was Ethernet
02:04:02, 20 Apr. (6855728.860000) PPPoE is up
02:04:02, 20 Apr. (6855728.390000) PPP IPCP Receive Configuration ACK
02:04:02, 20 Apr. (6855728.380000) PPP IPCP Send Configuration Request
02:04:02, 20 Apr. (6855728.380000) PPP IPCP Receive Configuration NAK
02:04:02, 20 Apr. (6855728.380000) PPP IPCP Send Configuration ACK
02:04:02, 20 Apr. (6855728.370000) PPP IPCP Receive Configuration Request
02:04:02, 20 Apr. (6855728.370000) PPP IPCP Send Configuration Request
02:04:02, 20 Apr. (6855728.370000) CHAP authentication successful
02:04:02, 20 Apr. (6855728.350000) CHAP Receive Challenge
02:04:02, 20 Apr. (6855728.320000) Starting CHAP authentication with peer
02:04:02, 20 Apr. (6855728.320000) PPP LCP Receive Configuration ACK
02:04:02, 20 Apr. (6855728.320000) PPP LCP Send Configuration ACK
02:04:02, 20 Apr. (6855728.320000) PPP LCP Send Configuration Request
02:04:02, 20 Apr. (6855728.320000) PPP LCP Receive Configuration Request
02:04:02, 20 Apr. (6855728.230000) CHAP Receive Challenge
02:04:02, 20 Apr. (6855728.230000) Starting CHAP authentication with peer
02:04:02, 20 Apr. (6855728.230000) PPP LCP Receive Configuration ACK
02:04:02, 20 Apr. (6855728.220000) PPP LCP Send Configuration Request
02:04:02, 20 Apr. (6855728.220000) PPP LCP Receive Configuration Reject
02:04:02, 20 Apr. (6855728.220000) PPP LCP Send Configuration ACK
02:04:02, 20 Apr. (6855728.220000) PPP LCP Receive Configuration Request
02:04:02, 20 Apr. (6855728.220000) PPP LCP Send Configuration Request
02:03:33, 20 Apr. (6855699.310000) CWMP: session closed due to error: Could not resolve host
02:03:32, 20 Apr. (6855698.110000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
02:03:32, 20 Apr. (6855698.110000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
02:03:31, 20 Apr. (6855697.710000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
02:03:31, 20 Apr. (6855697.270000) PPP LCP Send Termination Request [PPPoE PADT received]
02:03:26, 20 Apr. (6855692.600000) PPPoE is down after 1370 minutes uptime [Disconnected]
02:03:24, 20 Apr. (6855690.410000) PPP LCP Send Termination Request [Peer not responding]
01:10:21, 20 Apr. (6852507.070000) OpenWiFi_1 IPSec connection is down
00:55:19, 20 Apr. (6851606.030000) OpenWiFi_1 IPSec connection is up
22:32:34, 19 Apr. (6843040.490000) OpenWiFi_1 IPSec connection is down
21:48:11, 19 Apr. (6840377.350000) OpenWiFi_1 IPSec connection is up
20:52:16, 19 Apr. (6837022.300000) OpenWiFi_1 IPSec connection is down
20:37:09, 19 Apr. (6836115.260000) OpenWiFi_1 IPSec connection is up
20:28:48, 19 Apr. (6835614.610000) OpenWiFi_1 IPSec connection is down
20:00:23, 19 Apr. (6833909.570000) OpenWiFi_1 IPSec connection is up
 
The most simple explanation, assuming no one was in the building, was that someone did what is known as "phreaking" and tapped into the line externally to make calls at your expense.
 
I understand about phreaking, but surely if it was done outside our building then it would not be "our" problem or expense?

I also understand about how they might redirect a number via forwarding your voicemail.
 
The most simple explanation, assuming no one was in the building, was that someone did what is known as "phreaking" and tapped into the line externally to make calls at your expense.

We checked the CCTV - quite handy. There was no one there. I just wondered if there was anything telling in the logs?

Not my strongest skill :(
 
Will still have to go through the whole investigation procedure with BT, etc. - worth checking external CCTV if you have coverage in case they literally physically exposed the cables and tapped in.

EDIT: I see you addressed that in the post above.
 
If there is anything in the logs, it's buried deeper away than anything the logs show - got various WiFi connection attempts and handshaking but no more information on what went on there - a couple of connections from BT to the modem kernel (looks like Alcatel management system, but I don't really know enough to tell, and assume it's part of the normal reconnection system with that setup) but again no information as to what actually happened, and I can only assume they were normal BT operations.
 
As above, nothing apparent in the log files.

I'd be more inclined to believe that line has been tampered with further down the line.

I've seen a case locally where the line was spliced into by the green cabinet and was only discovered when the Openreach engineer attended the cabinet.
 
This just sounds weird to me. First find out what the number was that was rung and what number rang it, i.e. find out 100% if it was using the BT VOIP system. I'm with those above; I think error or someone has been tampering with wires.
 
Very interesting. I will keep pushing BT. Last time we got hit by DTF in our office the fault was down to staff using default PINs on their voicemail. We got stung for a couple of thousand pounds. But the fault was clearly at our end. Many of our landlines had missed calls from various international numbers so it was very obvious we had been hit.

This setup was designed purely to give secure access to CCTV and no phone call usage at all.

This situation is more perplexing and I'm really hoping the problem is outside of our premises.

Thanks for your ideas and feedback so far. Keep them coming :)
 
This just sounds weird to me. First find out what the number was that was rung and what number rang it, i.e. find out 100% if it was using the BT VOIP system. I'm with those above; I think error or someone has been tampering with wires.

I have the number that was called. It called out at exactly 1am on Easter Sunday for exactly 10 minutes 1 sec then dropped the call. Then repeated 21 times every 30-50 minutes. It appears automated and originates from "our" number, stopping at 6:24am.
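
The pattern described in the post above (near-identical call lengths to one number, repeating through the night) is what a review of call detail records can flag automatically. This is an added example, not part of the original thread; the record layout, thresholds, placeholder numbers and sample rows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev


def flag_automated_dialling(cdrs, min_calls=5, max_dur_spread=2.0,
                            quiet_hours=range(0, 7)):
    """Flag called numbers whose calls look machine-generated: several calls,
    all started in quiet hours, with near-identical durations.
    cdrs: iterable of (start datetime, called number, duration in seconds)."""
    by_dest = defaultdict(list)
    for start, dest, dur in cdrs:
        by_dest[dest].append((start, dur))

    findings = []
    for dest, calls in by_dest.items():
        calls.sort()
        durations = [d for _, d in calls]
        if len(calls) < min_calls:
            continue  # too few calls to call it a pattern
        if any(s.hour not in quiet_hours for s, _ in calls):
            continue  # some calls fall in normal hours
        if pstdev(durations) > max_dur_spread:
            continue  # human calls vary in length; dialler calls do not
        gaps = [(b[0] - a[0]).total_seconds() / 60
                for a, b in zip(calls, calls[1:])]
        findings.append({"dest": dest, "calls": len(calls),
                         "total_seconds": sum(durations),
                         "min_gap_min": min(gaps), "max_gap_min": max(gaps)})
    return findings


def sample_cdrs():
    """Constructed records (not the poster's bill): nine 601-second calls to
    one placeholder number overnight, plus ordinary daytime calls."""
    rows, t = [], datetime(2020, 1, 5, 1, 0, 0)
    for gap in [30, 40, 50, 30, 40, 50, 30, 40, 0]:
        rows.append((t, "DEST-PLACEHOLDER-1", 601))
        t += timedelta(minutes=gap)
    rows.append((datetime(2020, 1, 6, 10, 15), "LOCAL-A", 185))
    rows.append((datetime(2020, 1, 6, 14, 2), "LOCAL-A", 42))
    rows.append((datetime(2020, 1, 7, 9, 30), "LOCAL-B", 600))
    return rows


if __name__ == "__main__":
    for finding in flag_automated_dialling(sample_cdrs()):
        print(finding)
```
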
 
Will still have to go through the whole investigation procedure with BT, etc. - worth checking external CCTV if you have coverage in case they literally physically exposed the cables and tapped in.

EDIT: I see you addressed that in the post above.

We are going to double check the CCTV more closely now and see if anyone was outside the building around that time. Previously we were looking for someone entering the building.
 
From the automated nature you described in that last post it sounds more like BT has something mixed up somewhere - I was thinking more along the lines of someone taking advantage of a quiet period to tap into the line to make a few long distance calls to Australia or something.
 
Interestingly, we have a black van pull up outside our location at 12:58. No one gets in or out. They leave at 01:22.

There are 3 calls during this time
01:00
01:10
01:21

Possibly someone waiting to check the automated system was working before driving off?

I checked around 6-7am to see if they return to collect anything and they did not.

Though, BT detected this as fraud around that time and put a block on all outbound numbers - so perhaps if there is a "device" it may not have been planned to be collected until later.
 
If you have a phone line with a BT Hub on the end of it and the connection is through the Infinity modem or the VDSL modem socket then it's just not physically possible to actually dial a number and hold a voice line open.
 
Have you checked that all the computers that are connected to your network haven't got any strange dongles or USB devices plugged into them?
I'm thinking of the attempted hack on a computer in a Barclays branch a couple of years ago.
 
Have you checked that all the computers that are connected to your network haven't got any strange dongles or USB devices plugged into them?
I'm thinking of the attempted hack on a computer in a Barclays branch a couple of years ago.

There are no computers on the network. Only a CCTV system. It is locked in a case and there is no physical access without a key.
 
When BT say it could be a VOIP call, don't they have a system where you log in to the BT Broadband account associated with a line and you can then make VOIP calls that are charged as if you are calling from the landline itself?

THIS is what I am referring to.
 
If they are claiming it's VOIP can you ask for the SIP header? Would help with your diagnosis at least.

Yep. That is what I was hoping I would see in the log. I had asked them to provide me with something that proves it's VOIP.

I'm thinking it's to do with the suspicious vehicle. This building has double yellow lines outside and not another parked car in sight, other than a few passing vehicles as you'd expect.

This vehicle parks right outside 1 minute before the first call. Coincidence? I think not :)
 
I'd raise an escalation request, you don't have the truth in any of this.

They already know the source, the CDR BT have includes the details of the call which is why this is so confusing, there is no ambiguity on their side. If it was a VOIP call then it would have the SIP 100 INVITE details in the CDR I'd wager. This is still ignoring the other technicalities of it (call would need to cross their IPX to be chargeable surely?). Was the B a premium rate line?
 