Ghost Calls = You Should be Worried!

Are you getting random, or perhaps even persistent calls from a caller ID of 100, 1000, or some random number; but when you pick them up nobody is there? Calls which are unexplained in nature are never a good thing. These specific type of calls are often a sign that someone has found your PBX and is probing it; which is the source of the ghost calls. This article will help you understand why you need to be concerned about them, and possible avenues for stopping them.

Many attackers in the world specifically look for phone systems to exploit. I set up an unprotected Cisco CME device one time, and left port 5060 exposed on a public IP, just to see how long it would take to get attacked. It took exactly 48 minutes for somebody to discover it and start attacking. It took them another 10 minutes to break the weak password I placed on an extension, and then another 2 minutes to figure out how to dial out. That’s right, in 60 minutes with my machine exposed, attackers had figured out how to make outbound calls through my equipment.

If an attacker figures out how to exploit your equipment they can cause a lot of damage. First, and most likely, they will try to make international calls, which you will be held liable for, and can cost you tons of money. Second, they can disrupt legitimate calls you are trying to make and/or receive on your system, thus hurting your ability to do business. Third, they can try to commit toll-fraud and let you get blamed for it. Finally, they have a vector from which to attack other devices on your network. There are other risks, but I hope these points have driven home why you should be concerned.

To mitigate your risk to these kinds of threats you need to do the following (at a minimum). First, use strong passwords on your extensions, as well as all accounts that allow you to login to the PBX. Second, you should lock your signaling port (typically 5060 for SIP), to only accept traffic from the IP addresses of your provider. Third, you should disable routes which allow international calling on your PBX if you don’t use them, or consider route passwords and/or authorized country code routing if you do need international calling. Fourth, try and limit all connections to your system to a LAN address, or authorized IP’s if possible. Finally, do not leave any ports which lead to system configuration access, open to the internet (if you need access to configure your PBX from anywhere and you cannot set-up a VPN on your firewall, buy a different firewall or at least get a VPN from a hosted provider (but seriously, buy a different firewall)).

Lastly, there are ways to “block” calls from scanners (a common tool used by attackers which generate ghost calls) by modifying your dial-plan on your PBX. I will not point you to those articles because most people who do this neglect all of the mitigation I outline above. I equate this to hearing a tornado siren, and then putting in ear-plugs because the siren annoys you. If this is your provider’s first solution to “ghost calls” and they have not asked you a litany of questions, and are not willing to at least run a network scan for you, fire your provider. There may be a specific use-case for “blocking” ghost calls through dial-plan routing, but it should NEVER be the first solution.