Attackers who possess valid SIP account credentials can quickly cause tens of thousands of euros in damage by calling expensive service numbers abroad.

But how do attackers get valid access data? They can, for example, extract it from already configured terminal devices or from malware-infected or stolen PCs. Depending on their technical capabilities, they can also extract it from unencrypted SIP connections. Occasionally, attackers also manage to pretend to be one of your end devices and have access data transmitted to them as part of an autoprovisioning process. Or they inject JavaScript code into websites, which logs on to the telephone system with the known access data when the pages are opened and makes a call.

Fluxpunkt AntiFraud detects unusual call attempts and protects you even if the security of your SIP passwords has been compromised. If an unusual call attempt is detected, the caller is asked to enter a password on the phone. The call is only executed if the caller authenticates successfully. After three incorrect authentication attempts, the call is aborted and a warning e-mail is sent. The password is configurable by the administrator and can be communicated to employees.

Once the module has been activated, the password must be entered once on each terminal device for the first call. The module learns certain terminal device properties (terminal device IP address, firmware, telephone type, ...). If a property changes, the password must be entered again. As long as the parameters remain the same, no password entry is required for subsequent calls, so convenience is not impaired.

In the event of anomalies, the module begins with multi-stage countermeasures:

- Step: Ending the outgoing call
- Step: Blocking the conspicuous IP address in the STARFACE firewall
- Step: Deactivation of the conspicuous SIP account
- Step: Deactivation of STARFACE autoprovisioning
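
The learn-and-challenge behaviour described above can be modelled in a few lines. This is an added example, not Fluxpunkt or STARFACE code; the class and function names, the return values, the PBKDF2 storage of the password and the sample devices are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # per the page: abort after three incorrect entries
SALT = b"constructed-demo-salt"  # constructed value; use a random salt in practice


def pin_digest(pin: str) -> bytes:
    # Store only a slow hash of the administrator-configured password.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)


@dataclass(frozen=True)
class Fingerprint:
    # The device properties the page says are learned.
    ip: str
    firmware: str
    phone_type: str


@dataclass
class CallGuard:
    pin_hash: bytes
    learned: dict = field(default_factory=dict)  # account -> Fingerprint
    alerts: list = field(default_factory=list)   # stands in for the warning e-mail

    def place_call(self, account: str, fp: Fingerprint, pin_entries=()) -> str:
        # Known device with unchanged properties: no prompt.
        if self.learned.get(account) == fp:
            return "connected"
        failures = 0
        for pin in pin_entries:
            if hmac.compare_digest(pin_digest(pin), self.pin_hash):
                self.learned[account] = fp  # learn (or re-learn) the device
                return "connected"
            failures += 1
            if failures >= MAX_ATTEMPTS:
                self.alerts.append(f"{account}: {failures} failed entries from {fp.ip}")
                return "aborted"
        return "not_authenticated"  # caller gave up before the limit


# Constructed sample data (documentation-range IP addresses).
guard = CallGuard(pin_hash=pin_digest("4711"))
desk = Fingerprint("192.0.2.10", "fw-1.0", "deskphone")
moved = Fingerprint("203.0.113.77", "fw-1.0", "deskphone")
```

A failed challenge leaves the previously learned fingerprint in place, so the legitimate device keeps working while the unknown one is rejected.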