
Toll Fraud - Norstar exploit vulnerability in LINK transfer. CAUTION!


kfife (Technical User), Aug 4, 2009
We just had our long distance service frozen by XO FRAUD PREVENTION because someone has found a way to HIJACK the link transfer used by the POTS lines in our INBOUND hunt group. The CCR on these lines conditionally transfers callers offsite using link/hookflash/centrex transfers.

It APPEARS to work something like this:
CCR prepares to transfer the call offsite; the LSDS card generates a link/hookflash on the POTS loop. The telco awaits DTMF tones from the Norstar for the destination phone number. The Norstar attempts to send the DTMF tones; HOWEVER, the calling party (fraudster) generates conflicting audio to prevent the telco from collecting the digits. The calling party (fraudster) then INSERTS DTMF tones in-band and calls the party of his or her choice. In our case, to mobile phones in Bulgaria, Nigeria, Somalia.

I have not yet fully verified this exploit method, and I'm in the process of collecting more data. This is not DISA fraud or the calls would have been on our LINE POOL, not our inbound pool. DISA is not even enabled on this system. Is this link-transfer method a well-known exploit? I didn't think their audio was even patched in yet; however, it's the only way I can explain the calls originating from this line in particular.

This system (MICS) is running 4.x software and is about one week from being de-installed due to an active migration already in progress. It's ironic that the system has been running fine for eight years without change, and then gets hacked just days before tear-out.

Ideas??
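As an added illustration (not part of the original post, and not a Norstar or XO tool), this is the kind of triage a security engineer would run over exported call records to spot the pattern described above: link transfers on the inbound hunt group lines landing on international destinations, outside business hours, in bursts from the same line. The CDR layout, the sample records, the allowed-country list and the business-hours window are all assumptions made for the example; the country codes for Bulgaria (359), Nigeria (234) and Somalia (252) are the real ones.

```python
"""Toll-fraud triage over exported PBX call records (added example).

Flags link/hookflash transfers on INBOUND lines whose dialed digits land on
an international destination that the business does not normally call,
and annotates off-hours timing and bursts from the same line.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical CDR export: timestamp, line, direction, event, dialed digits, seconds.
# These records are constructed for this example; they are not real call data.
SAMPLE_CDR = """\
2009-08-03 09:12:41,LINE 005,IN,LINK_XFER,15555550123,212
2009-08-03 09:40:02,LINE 006,IN,LINK_XFER,15555550177,95
2009-08-03 02:14:07,LINE 005,IN,LINK_XFER,011359555000001,1312
2009-08-03 02:16:30,LINE 005,IN,LINK_XFER,011359555000002,1780
2009-08-03 02:19:55,LINE 007,IN,LINK_XFER,011234555000009,990
2009-08-03 03:01:12,LINE 005,IN,LINK_XFER,011252555000004,640
2009-08-03 14:05:00,LINE 012,OUT,DIAL,01144555000010,300
"""

# Country codes named in the thread plus one legitimate destination (assumption).
COUNTRY_CODES = {"44": "GB", "359": "BG", "234": "NG", "252": "SO"}
ALLOWED_COUNTRIES = {"GB"}       # assumption: the business does call the UK
BUSINESS_HOURS = range(8, 18)    # assumption: 08:00-17:59 local time
BURST_WINDOW_SEC = 15 * 60       # two international transfers on one line in 15 min
BURST_THRESHOLD = 2


def destination(digits):
    """Classify NANP-dialed digits: '011' is international, anything else domestic."""
    if not digits.startswith("011"):
        return "domestic", "US"
    rest = digits[3:]
    for width in (3, 2, 1):          # longest-prefix match on the country code
        code = rest[:width]
        if code in COUNTRY_CODES:
            return "intl", COUNTRY_CODES[code]
    return "intl", "??"              # international, but not a code we know


def parse(cdr_text):
    """Turn the CSV export into records sorted by time."""
    recs = []
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        ts, trunk, direction, event, digits, secs = line.split(",")
        recs.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "trunk": trunk, "direction": direction, "event": event,
            "digits": digits, "secs": int(secs),
        })
    return sorted(recs, key=lambda r: r["ts"])


def triage(cdr_text):
    """Return one alert per suspicious inbound link transfer, with the reasons."""
    alerts = []
    recent_intl = defaultdict(list)   # trunk -> timestamps of recent intl transfers
    for r in parse(cdr_text):
        # Only transfers hooked off inbound (hunt group) lines matter here;
        # ordinary outbound dialing on the line pool is a different control.
        if r["direction"] != "IN" or r["event"] != "LINK_XFER":
            continue
        kind, country = destination(r["digits"])
        if kind != "intl" or country in ALLOWED_COUNTRIES:
            continue
        reasons = [f"international transfer to {country}"]
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        window = [t for t in recent_intl[r["trunk"]]
                  if (r["ts"] - t).total_seconds() <= BURST_WINDOW_SEC]
        recent_intl[r["trunk"]] = window + [r["ts"]]
        if len(window) + 1 >= BURST_THRESHOLD:
            reasons.append(f"{len(window) + 1} international transfers on "
                           f"{r['trunk']} within {BURST_WINDOW_SEC // 60} min")
        alerts.append({"ts": r["ts"], "trunk": r["trunk"], "digits": r["digits"],
                       "country": country, "secs": r["secs"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_CDR):
        print(a["ts"], a["trunk"], a["country"], a["secs"], "s:", "; ".join(a["reasons"]))
```

Running it on the constructed records flags the four overnight transfers to Bulgaria, Nigeria and Somalia and leaves the daytime domestic transfers alone; the second Bulgaria call also carries the burst annotation. The same check, with a real export and a whitelist of destinations the business actually uses, is what a carrier's fraud desk effectively ran before freezing the account.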
 
Any time you enable outbound transfer, you run the risk of toll fraud. Restrict all voicemail ports from LD access.
 
You are right. It's a mailbox exploit. I passed the calls through an asterisk system and recorded the flow. It's a very interesting recording.

I'm trying to determine how they are allowed to build mailboxes externally unless they've simply guessed our password (YES, changed to random from default).

 
Change passwords frequently and make them complex.
 
I just posted ITAS Tip 315 NA for Toll Fraud in the FAQs at the top of the page under NAM

OLD ROLMEN WORKING ON NORTELS AND AVAYA
 