For some very strange reason my own portal for remote support is named “Asterisk Management Portal”. This title is the name of an out-of-box Flash- and PHP-based management portal for the Asterisk SIP / IAX VoIP system.
This has the side effect that I see incoming traffic from exploiters or SIP VoIP fraudsters searching for exploitable Asterisk Management Portal setups, even though my page has no VoIP services linked on it, hosted on the IP or relating to it.
This morning it seems that an Arabic VoIP scammer must have not only stumbled across my site but also gone as far as running my VNC-based remote support application.
Helpfully he has given me a screenshot / snapshot of his desktop. I thought it might be interesting to post here to aid anyone else searching or researching how SIP fraud works.
From the screenshot it seems that:
- They have multiple tabs open with what appears to be a search for Asterisk Management Portals, something to do with Polycom and FreeSwitch.
- They are using Shodan Search which is a page for searching more in-depth than Google. This was recently used by a security researcher to discover that MacKeeper had exposed all their customer database to the internet!
- They also have 10 copies of what I believe is a SIP / VoIP application open along the bottom of their screen. I am going to surmise that each one of these must be connected to a compromised SIP system and will be used or is being used for making calls to premium rate numbers.
- They also have several bookmarks for searches at Shodan to do with Polycom, Omegadial and Aastra.
- They use Avast antivirus, currently broken or disabled.
- They are on a laptop that isn’t currently connected to the power.
It seems that the scammer who ran the remote support tool has the name “Raednahal” and had a Skype conversation or call open with someone called “Ahmed S”.
One of their bookmarks is for callstats.biz which appears to be some sort of premium rate number list where you can sign up, make calls to it and get paid:
a lot of good access
on time payment!!
Work watch premium numbers and sites,
It seems that most of the UK numbers listed on the site charge the caller around 40 pence per minute (£0.40). Some are as high as 54 pence per minute. This revenue is then likely shared with the people who run callstats.biz, who then pass a share on to the original VoIP scammer.
None of the numbers I tested calling accepted calls.
At some point “sarah.webb933” was also a Skype name associated with the payout “company”. Somehow also related is “call2you.eu”.
It is quite interesting to see how well catered for the VoIP scam world is, with intermediate revenue-sharing companies etc.