Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!uwm.edu!bionet!hayes.ims.alaska.edu!accuvax.nwu.edu!nucsrl!telecom-request From: BRUCE@ccavax.camb.com (Barton F. Bruce) Newsgroups: comp.dcom.telecom Subject: Mysterious LD Fraud Message-ID: <14270@accuvax.nwu.edu> Date: 2 Nov 90 18:56:35 GMT Sender: news@accuvax.nwu.edu Organization: Cambridge Computer Associates, Inc. Lines: 73 Approved: Telecom@eecs.nwu.edu X-Submissions-To: telecom@eecs.nwu.edu X-Administrivia-To: telecom-request@eecs.nwu.edu X-Telecom-Digest: Volume 10, Issue 785, Message 2 of 6 The Oct 29 issue of {Network World} has a front page article titled: "Users paying big price for PBX fraud" It goes on to describe NYC street hawkers peddling DISA phone numbers and account codes. It further mentions that some offenders are PBX hopping (dialing out from a different PBX (in the same company) from the one they called in to as a way to further obscure what they are doing. MCI is specifically mentioned, and calls to Dominican Republic (amoung other places) seem to be popular. I have a situation where a customer is an ATT SDN user (all calls default to 10732 rather than 10288), and 10xxx routing is definitely blocked from all but a few managment phones. All, and I mean ALL including brief aborted misdialed sequences, outward dialing is captured on the SMDR log. NO DISA is enabled on their switch, and the maint. port is on an internal PBX extension that has INCOMING CALLS LOGGED. No database changes have been made - there have been NO calls to this extension in MONTHS (this is a Hotel and their configuration is quite static). Their NET&T bill showed MCI calls on their LDN. Curiously, that new LDN, though defaulting to 10732, is not in AT&Ts SDN database, so will default to vanilla AT&T service. Virtually all their other trunks, including oneway outgoing HOBIC trunks, give their own WTN as the ANI number. There are two trunks that do give a former LTN (their new LTN is a 8000 that they prefer to list rather than the old one that was quite nondistinctive) rather than their actual WTN, but none of these old numbers are involved in the MCI calls. There is NO WAY anyone could have routed calls 10222, and even if they had, they would have shown up on the SMDR log. Also the trunks are in a rotary hunt group outgoing that always picks another trunk on successive calls. The chance of anyone getting even a few, let alone all these calls, onto THE ONE TRUNK that ANIs as xxx.8000 is impossible from behind the PBX. The 8000 number was 'acquired' less than a year ago, and had been on an intercept for SEVERAL YEARS. Apparently a dentist's office had gotten it and it had before that belonged to a candy factory. The dentist kept getting too many calls for the candy folks, so changed numbers. Somehow it was on that intercept recording for several years when we found it. There is a shortage of x000 numbers so we grabbed it. The reason I am giving this history is that it seems unlikely that through all those many months of unuse, that another WTN, possibly giving the 8000 number for ANI, could have existed without someone noticing that there was noone paying the bill for that number. I suspect that something is screwed up in the CO, or that someone has tapped the line outside this building and explicitly dialed 10222 before these calls. Another curious thing is that the bill shows one call every few days to a different NPA.555.1212 (and that is all there was during that time period), and then a flurry of EXPENSIVE offshore calls, a few more DA calls, and more offshore calls. There were just a few Dominican Republic numbers called, and the same numbers were repeated WEEKS apart. The DA calls may have been 'test' calls... Something is DEFINITELY wrong here, and I am fishing for suggestions on HOW it is being done. I want to stop it COLD. NET&T has been told these are being refused, and they are kicking it all back to some special department, and MCI. I havn't heard anything else, yet. Anyone have any bright ideas? [Moderator's Note: Could we please have a little more information about the use of '10732' for routing of calls? Thanks. PAT]