Numbers Called
Numbers called is a list of numbers called by an attacker after they have managed to compromise a system. The purpose of listing the numbers here is that I believe that
attackers are calling numbers under their control to test whether or not the account they've leveraged can place calls. This information is based off of the visibility in
an attacker placing multiple calls to distinct numbers and then tweaking their dialplans. For example, the following calls were attempted by an attacker who compromised
an account on my honeypot:
Number Dialed DD/MM/YY-HH:MM:SS
------------- -----------------
00038972673399 21092010-10:14:54
000038972673399 21092010-10:14:55
101138972673399 21092010-10:14:56
38972673399 21092010-10:14:58
901138972673399 21092010-10:14:59
938972673399 21092010-10:15:00
14138972673399 21092010-10:15:01
9938972673399 21092010-10:15:03
0138972673399 21092010-10:15:05
110138972673399 21092010-10:15:07
138972673399 21092010-10:15:08
001138972673399 21092010-10:15:09
601138972673399 21092010-10:15:12
Notice the trend? To an attacker leveraging an account on my system, they would be under the impression that a call went through. This is because in my dialplan, the
account rings an extension on the PBX (costs me nothing) and ends up in voicemail. It appears to them as a normal, valid call. Under normal circumstances nevertheless, it
is a completed call. So why is the attacker trying multiple ways to make this phone ring? Theory? I believe they have access to this number. My notion is, they placed a
call, their end never saw the call and they revised their dialplan to try the call again. I'm willing to be that whomever owns the number 672399011 is actively involved
in a scheme. Why would an attacker call that number 380 times when previously attackers would shoot off incrementing numbers.
Numbers Called
|
