Although a rare occurrence, we have seen a few cases of call fraud where several misconfigurations led to the unnecessary exposure and compromisation of 3CX. In this blog post we are going to highlight some common mistakes we’ve noticed that lead to call fraud and what you can do to avoid them.
What is a Call Fraud?
Simply put, a call fraud occurs when untrusted parties place calls through your PBX, at your expense. Usually this happens overnight or when offices are closed, and calls are placed in bulk to various international destinations. And then you get a large bill at the end of the month which you need to pay….
Since the early ages of PBXs, free international calling has been the target of phone phreaks. You might think that it’s something of the past with communication costs having drastically decreased, however in the modern age of VoIP telephony a global threat of organized crime has occurred looking to make big profits in an industrial manner.
Usually, a hacker compromises IP PBX servers in order to establish calls to premium international numbers. His motivation is an indirect financial gain, as he will dial thousands of numbers in an automated manner from premium services under his control, in order to get paid commissions per call or per time spent on the line. This is also known as International Revenue Sharing Fraud (IRSF). Another common way to profit more directly is the simple resale of stolen credentials on the darknet for whoever wants a cheap route to dial out.
3CX Phone System has many inbuilt security features and default settings which prevent such abuses, however, administrators sometimes disable safeties without understanding the risks implied leading to the inevitable.
We will detail below the TOP 5 common mistakes to avoid.
Number 1: Weak Credentials
The first mistake is using weak credentials for your extensions.
When creating an extension in your phone system, default random credentials are generated at all levels, strong SIP Authentication ID and password for SIP, strong password for your web client, for your hard phone web interface, random voicemail PIN, etc. You should stick to those random values which ensure protection against password-guessing attacks, also called brute-force.
Since v15.5 it is impossible to edit and save an extension with credentials that are too short, however, you may have inherited such a setting from previous versions or backups.
We have also made sure to warn admins when they have weak credentials by signaling a warning flag next to extensions names. If you hover over the extension you will get more information on the issue:
By the way, please never set temporary credentials for testing, thinking that you will change them later when going in production as usually people tend to forget these things.
Number 2: Allowing Remote Access
The second most common mistake is to have the option “Disallow use outside LAN” unticked under your extensions when not needed.
This option prevents remote SIP registration on your extension and is ticked by default when creating an extension. You can still use a remote 3CX client or the 3CX Web Client under this condition without being affected, as the client uses the tunnel protocol to connect to the PBX. In effect, the option should be unticked only when using a remote STUN hard phone.
Number 3: Too Many Countries Allowed
When first installing your PBX a screen prompted for the countries to allow in and outbound calls. This list can be later found in Security / Allowed country codes.
It should be restricted to the countries called commonly by the users. By default we restrict to the country of installation only.
A bad practice is of course to allow all countries thinking that it will be adjusted later, usually never.
Note for US customers: the North American Numbering Plan (NANP) allows to dial 25 regions or countries from North America and the Caribbean, without an international dial code. The international dial code would be 011, or + in case of US. The anti-hacking feature will let such numbers go through as local numbers (as per ITU standards). You should therefore have strict outbound rules, with a list of NANP prefixes to block and route 1: Block calls, and ensure this rule is in first position.
Number 4: Lazy Outbound Rules
Another bad practice is to have “lazy” outbound rules, letting any number dialed from anyone in the system go through. A typical rule is one with no criteria other than the DEFAULT extension group.
You should have rules set as strictly as possible, like in firewalls, defining specific prefixes or number lengths, and which extensions or which extension groups will be allowed to dial out.
Number 5: Misconfigured E164 Settings
Under Settings / E164 Processing are standard settings ensuring the replacement of the “+” by your local international dial code. The reference is the country defined at the installation time. For example in most countries you will get “00” as the international dial code, for the US you will get “011”. Those are values as per ITU standards.
This setting is important as it is also used to determine the list of country codes blocked as per the “Allowed country codes” tab discussed above.
For instance, with “00” and Albania blocked, the feature will look for numbers dialed in the form of 00355xxx or +355xxx.
If you misconfigured the international dial code, this can result in a wrong “+” replacement but also in the safety being inoperant.
Note that in most call fraud schemes observed, a cumulation of the previous 5 mistakes resulted in compromisation. One alone would usually not be enough for an attacker to be successful.
In v16 we introduced two major security features improving the security posture of 3CX even more. The first one allows you to restrict management console access based on the IP and is in Security / Security Settings / Console Restrictions. By default all IPs are allowed, if enabled it will let through only local IP subnets and specified public IPs. This option does not interfere with other web services such as provisioning, web client, etc.
The second major improvement is the Automatic Global 3CX IP Blacklist, available in Security / Security Settings / Anti-Hacking. When this is enabled, your PBX will report any blacklist event including the attacker IP, to our centralized server. After evaluation, recurring attackers will be added and spread across all 3CX systems which have this feature enabled so that any malicious traffic will be dropped. To date this global blacklist has already got 1000+ common IPs and ranges which have been reported as scanning or frauding. We encourage you to enable this feature.
If you have any security questions or if you wish to report a fraud for us to review and advise on what may have occurred and how this could have been prevented, feel free to open a Support ticket in our Helpdesk, under the “Security | Fraud” category. Those tickets are treated with High priority.
In case of an incident do not panic. It is important that you gather logs before taking any further actions so that forensics are archived. To do that, go to Support / Generate support information, which will generate a zip file and send you the link by mail. You can then attach this zip file to your ticket for review.
We look forward to receiving your comments on this topic!