A new customer called me and mentioned he was being billed for calls that he wasn’t making on his Asterisk based PBX system. I knew right away that his system had likely been compromised, and this wasn’t anything out of the ordinary for us to tackle. As I dug in, it looked to be an unpatched version of Elastix that had a simple compromise, and someone was using it to make phone calls. The system was reconstructed, and is now back in working order.

However, what I also found during the investigation is the asterisk configuration was set to record inbound and outbound calls on all extensions. So I listened to see what this person who had hacked the Elastix PBX was up to. Surprisingly these were just normal phone calls — mostly to area code 605 and 712. I found over 300+ recordings. One of which was a bank leaving a voicemail to a client, a board of directors discussing dividends and bonus structure for the CEO, event planning, church prayer groups, and the list goes on and on.

Because most of the calls were to freeconferencecall.com, I contacted the CTO Eugene Tcipnjatov and let him know what I found. After a few minutes, and me trying to let him know I wasn’t selling anything and I was just trying to understand how I came to hold 300+ recordings of his customers conference calls — he helped me understand what had likely happened. He mentioned they have no control over the originating call, and the issue was not with his service.

I am no expert in this area, but as I understand from Eugene at freeconferencecall.com, Least Cost Routing (LCR) is likely to be the culprit here. When you dial a phone number, you as the end user really have no idea how it will be routed to the destination. In this case — a provider may be advertising a cheaper rate to area code 605, and the way they are accomplishing this is to use hacked PBX servers to make the final connection. My only guess is they are pocketing the difference, and making money this way.

Here are a few edited excerpts for reference — These calls were records between June 30th and July 1st.

I only publish this so you may understand that your phone calls aren’t only being intercepted by a government agency, but are very possibly traversing through compromised Asterisk systems as part of another scheme.

Another interesting thought for a honey pot of sorts — leave your PBX vulnerable, enable call recording, and see what you capture!

If anyone has more detail on this type of fraud, a deeper understanding of how it is happening, or would like to communicate about this please reach out directly to me at nick.wilkens@mnxsolutions.com