This is not a hypothetical scenario. This happened to a client of mine — a 60-person logistics company in New Jersey. On a Friday evening, someone brute-forced their SIP credentials and made 4,200 calls to premium-rate numbers in Eastern Europe and West Africa over the weekend.
Monday morning, they had a $47,000 phone bill.
How the Attack Worked
Friday 6:47 PM: Automated scanner (likely SIPVicious) probed their public-facing SIP endpoint and found it responding on port 5060.
Friday 7:12 PM: Brute force attack began against extension 1001. Password was "company2019". It took 847 attempts — about 14 minutes.
Friday 7:26 PM: First fraudulent call placed to +371XXXXXXXX (Latvia, premium rate). Duration: 58 minutes.
Friday 7:26 PM through Monday 6:30 AM: 4,200 calls placed across 23 premium-rate destinations. Average duration: 12 minutes. Most calls were to automated answering systems that keep the line open to maximize per-minute charges; the fraudster is paid a share of those charges by the premium-rate operator.
Monday 6:30 AM: IT manager notices the PBX is sluggish. Checks CDRs. Finds 4,200 calls to countries they have never called.
The Damage
| Item | Cost |
|---|---|
| Premium-rate call charges | $41,200 |
| IT investigation time (40 hours) | $4,000 |
| Emergency weekend remediation | $1,800 |
| Total | $47,000 |
The carrier held them responsible because the calls originated from their authenticated SIP credentials. Insurance did not cover it — their cyber policy excluded telephony fraud.
How to Prevent This
1. Strong SIP Passwords (Would have prevented this attack)
The times below assume a high-rate guessing attack, the kind that is possible offline against a captured SIP digest (SIP usually travels in cleartext over UDP, so a REGISTER exchange is easy to sniff and crack). The online attack here ran at roughly one guess per second (847 attempts in 14 minutes), and "company2019" fell to a wordlist, not to exhaustive search. Length alone does not save a password built from a dictionary word, the company name, or a year: rule-based guessing cracks a pattern like C0mp@ny!2k26 far faster than its row suggests.
| Password Strength | Time to Brute Force (high-rate guessing) | Example |
|---|---|---|
| 6 chars, alpha only | 2 minutes | company |
| 8 chars, mixed case | 4 hours | Company1 |
| 12 chars, mixed + symbols | 200 years (only if truly random) | C0mp@ny!2k26 |
| 16+ chars, random | Heat death of universe | xK9#mQ2$vL5@nR8! |
Minimum: 16 characters, random, unique per extension. No dictionary words. No company name. No years.
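As an added example (not code from the original post), here is a small Python helper that generates per-extension secrets with the CSPRNG, rejects the weak patterns described above even after leet-style mangling, shows the keyspace arithmetic at a chosen guess rate, and emits a pjsip.conf auth section. The alphabet, the banned-word list and the 20-character default are assumptions.

```python
import math
import re
import secrets
import string

# Added example, not from the original post. ALPHABET and BANNED_WORDS are assumptions.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
BANNED_WORDS = ("company", "password", "asterisk", "sip", "phone")
LEET = str.maketrans("0@$13", "oasie")   # undo common substitutions before word matching


def is_weak(secret: str) -> bool:
    """Reject short secrets, dictionary/company words (even mangled) and trailing years."""
    s = secret.lower()
    if len(s) < 16:
        return True
    plain = s.translate(LEET)
    if any(word in plain for word in BANNED_WORDS):
        return True
    return re.search(r"(19|20)\d\d$", s) is not None


def generate_sip_secret(length: int = 20) -> str:
    """Random secret from the CSPRNG; regenerate in the rare case it trips is_weak()."""
    if length < 16:
        raise ValueError("SIP secrets must be at least 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_weak(candidate):
            return candidate


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a fixed guessing rate."""
    return charset_size ** length / guesses_per_second


def entropy_bits(secret: str, charset_size: int = len(ALPHABET)) -> float:
    return len(secret) * math.log2(charset_size)


def pjsip_auth_section(extension: str, secret: str) -> str:
    """Asterisk pjsip.conf auth object; one unique secret per extension."""
    return (f"[{extension}-auth]\ntype=auth\nauth_type=userpass\n"
            f"username={extension}\npassword={secret}\n")


if __name__ == "__main__":
    # The observed attack ran at about 847 guesses in 14 minutes, roughly 1 per second
    print("6 lowercase letters at 1 guess/s:",
          round(brute_force_seconds(26, 6, 1.0) / 86400 / 365, 1), "years")
    for ext in ("1001", "1002"):
        print(pjsip_auth_section(ext, generate_sip_secret()))
```

Note that at the roughly one-guess-per-second rate seen in the incident, even six lowercase letters would take years to exhaust; the weak password was found because it was a dictionary word with a year appended.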
2. IP Allowlisting
If your employees only use phones from the office and their homes, restrict SIP registration to those IP ranges and block everything else. Two caveats: also allow your carrier's SIP proxy addresses, or inbound trunk traffic gets dropped too, and home connections usually have dynamic addresses, so a VPN into the office (which is what the client settled on) is more robust than listing home IPs.
# iptables: only allow SIP signalling from known IPs (replace the CAPS placeholders)
iptables -A INPUT -p udp --dport 5060 -s CARRIER_SIP_IP -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s OFFICE_IP -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s HOME_IP_1 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s HOME_IP_2 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP
# Repeat the same rules with -p tcp --dport 5060 and --dport 5061 if TCP or TLS transport is enabled;
# otherwise the UDP-only DROP leaves those ports reachable from anywhere
3. Rate Limiting and fail2ban
Block an IP after 5 failed registration attempts within 10 minutes, for 24 hours. For PJSIP, enable the security log (security => security in logger.conf) and point fail2ban at it; for chan_sip, set alwaysauthreject=yes in sip.conf so wrong passwords and nonexistent extensions get identical replies and scanners cannot enumerate valid extensions first.
# fail2ban jail for Asterisk (/etc/fail2ban/jail.local)
[asterisk]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK]
# /var/log/asterisk/messages carries chan_sip notices; use /var/log/asterisk/security for PJSIP security events
logpath = /var/log/asterisk/messages
maxretry = 5
findtime = 600
bantime = 86400
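Under the hood this is a sliding-window count per source address. As an added example (not from the post or from fail2ban itself), here is that logic in Python, run over constructed Asterisk security-log lines: the line layout mimics res_security_log output, the event names are Asterisk's own security events, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set

# Added example, not from the original post. Matches the shape of Asterisk security-log lines.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\].*?'
    r'SecurityEvent="(?P<event>[^"]+)".*?'
    r'RemoteAddress="IPV[46]/\w+/(?P<ip>[^/"]+)/\d+"'
)
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}
TS_FMT = "%Y-%m-%d %H:%M:%S"


class RegistrationGuard:
    """fail2ban semantics: ban after maxretry failures inside findtime seconds, for bantime seconds."""

    def __init__(self, maxretry: int = 5, findtime: int = 600, bantime: int = 86400):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures: Dict[str, deque] = defaultdict(deque)
        self.bans: Dict[str, datetime] = {}   # ip -> ban expiry

    def observe(self, line: str) -> Optional[str]:
        """Feed one log line; return the IP if this line triggers a new ban."""
        m = LINE_RE.match(line)
        if not m or m["event"] not in FAILURE_EVENTS:
            return None
        ts = datetime.strptime(m["ts"], TS_FMT)
        ip = m["ip"]
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=self.findtime):   # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None

    def is_banned(self, ip: str, now: datetime) -> bool:
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry


def event_line(ts: str, event: str, account: str, ip: str) -> str:
    """Constructed sample line in the res_security_log layout (not captured from a real system)."""
    return (f'[{ts}] SECURITY[2210] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts.replace(" ", "T")}.000-0400",Severity="Error",Service="PJSIP",'
            f'EventVersion="2",AccountID="{account}",SessionID="0x7f3c",'
            f'LocalAddress="IPV4/UDP/203.0.113.10/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')


# Six rapid failures from one scanner, one legitimate typo from an office phone
SAMPLE_LOG = [event_line(f"2024-03-15 19:12:0{i}", "InvalidPassword", "1001", "198.51.100.7")
              for i in range(1, 7)] + [
    event_line("2024-03-15 19:13:00", "SuccessfulAuth", "1002", "203.0.113.55"),
    event_line("2024-03-15 19:13:30", "InvalidPassword", "1002", "203.0.113.55"),
]


def scan(lines: Iterable[str], **limits) -> Set[str]:
    """Return the set of IPs that would be banned after replaying the lines."""
    guard = RegistrationGuard(**limits)
    return {ip for ip in (guard.observe(line) for line in lines) if ip}


def banned_after(lines: Iterable[str], ip: str, when: str, **limits) -> bool:
    """Replay the lines, then ask whether ip is still banned at the given timestamp."""
    guard = RegistrationGuard(**limits)
    for line in lines:
        guard.observe(line)
    return guard.is_banned(ip, datetime.strptime(when, TS_FMT))


if __name__ == "__main__":
    print("ban:", scan(SAMPLE_LOG))
```

The scanner trips the ban on its fifth failure; the office phone with a single wrong password never does, which is the balance maxretry and findtime are meant to strike.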
4. Call Spending Limits
Set daily and per-call spending caps:
| Limit Type | Recommended Setting |
|---|---|
| Daily international spend | $100 (adjust for your actual usage) |
| Per-call maximum duration | 60 minutes |
| Concurrent international calls | 3 maximum |
| Weekend international calls | Block entirely |
5. Geographic Call Blocking
Block outbound calls to high-risk destinations unless your business specifically needs them:
Block these country codes (highest fraud risk):
| Country Code | Country | Risk Level |
|---|---|---|
| +371 | Latvia | Very High |
| +375 | Belarus | Very High |
| +233 | Ghana | Very High |
| +234 | Nigeria | Very High |
| +960 | Maldives | Very High |
| +252 | Somalia | Very High |
| +963 | Syria | Very High |
| +882/883 | International Networks | Very High |
If your business only calls domestic numbers, block ALL international dialing and allowlist specific countries as needed. Default deny, then open destinations one at a time.
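The limits in sections 4 and 5 are enforced at dial time. As an added example that is not from the post, here is that policy in Python, in the shape of a pre-dial check an AGI script could run before Dial(): it applies the block list above, a default-deny allowlist for the client's four markets (assumption: US/Canada, UK and Germany as +1, +44, +49), the weekend block, the concurrency and daily-spend caps, and produces the Asterisk Dial() L() option for the per-call duration. It assumes a NANP PBX that dials international numbers with 011 or +, and that today's international spend and the current concurrent count are supplied by the caller (in Asterisk, GROUP_COUNT(intl) gives the latter); the AGI wrapper itself is not shown.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple, Union

# Added example, not from the original post. Country codes from the post's block list (no '+').
BLOCKED_COUNTRY_CODES = frozenset({"371", "375", "233", "234", "960", "252", "963", "882", "883"})
# Assumption: the client's four markets, US/Canada (1), UK (44), Germany (49)
ALLOWED_COUNTRY_CODES = frozenset({"1", "44", "49"})
KNOWN_CODES = BLOCKED_COUNTRY_CODES | ALLOWED_COUNTRY_CODES


@dataclass
class Limits:
    daily_intl_spend_usd: float = 100.0
    max_call_seconds: int = 3600
    max_concurrent_intl: int = 3
    block_weekend_intl: bool = True


@dataclass
class State:
    intl_spend_today_usd: float = 0.0   # assumption: rated from your own CDRs
    concurrent_intl: int = 0            # e.g. GROUP_COUNT(intl) in Asterisk


def to_e164_digits(dialed: str) -> str:
    """Normalise '+CC...', '011CC...' (NANP international prefix) or 10-digit domestic dialling."""
    digits = re.sub(r"\D", "", dialed)
    if dialed.startswith("+"):
        return digits
    if digits.startswith("011"):
        return digits[3:]
    if len(digits) == 10:            # assumption: NANP PBX, 10-digit domestic numbers
        return "1" + digits
    return digits


def country_code(e164: str) -> Optional[str]:
    """Longest-prefix match against the codes we know; None means an unknown destination."""
    for n in (3, 2, 1):
        if e164[:n] in KNOWN_CODES:
            return e164[:n]
    return None


def evaluate_call(dialed: str, now: Union[datetime, str], limits: Limits, state: State) -> Tuple[bool, str]:
    """Decide whether the call may proceed; the reason string is meant for the PBX log."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    cc = country_code(to_e164_digits(dialed))
    if cc is None:
        return False, "unknown destination (default deny)"
    if cc in BLOCKED_COUNTRY_CODES:
        return False, f"+{cc} is on the high-risk block list"
    if cc == "1":
        return True, "domestic"
    if limits.block_weekend_intl and now.weekday() >= 5:
        return False, "international calling is blocked at weekends"
    if state.concurrent_intl >= limits.max_concurrent_intl:
        return False, "concurrent international call limit reached"
    if state.intl_spend_today_usd >= limits.daily_intl_spend_usd:
        return False, "daily international spend cap reached"
    return True, f"international to +{cc}"


def dial_options(limits: Limits) -> str:
    """Asterisk Dial() option enforcing the per-call cap: L(x) hangs up after x milliseconds."""
    return f"L({limits.max_call_seconds * 1000})"


if __name__ == "__main__":
    monday = datetime(2024, 3, 18, 10, 0)
    for number in ("2015550123", "01137160000000", "+442071234567", "+33123456789"):
        print(number, evaluate_call(number, monday, Limits(), State()))
    print("Dial options:", dial_options(Limits()))
```

The numbers in the demo are constructed. Domestic premium-rate ranges such as 1-900 are not covered by this check and need their own rule if your carrier allows them.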
6. Real-Time Monitoring
Deploy monitoring that alerts on anomalies:
- Alert: More than 5 international calls in 1 hour (if unusual for your business)
- Alert: Any call to a premium-rate number
- Alert: Any call longer than 60 minutes
- Alert: Calls outside business hours to international destinations
- Alert: More than 3 concurrent international calls
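Added example, not from the post: a Python CDR scanner implementing the five alerts above over constructed CDR rows modelled on the Friday-evening timeline. It assumes simplified CDR records (src, dst, start, billsec) with dst as E.164 digits without '+', a NANP PBX, and 08:00 to 18:00 Monday-to-Friday business hours; the premium-rate rule uses the high-risk country codes from section 5 because premium ranges are carrier-specific.

```python
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Added example, not from the original post. Thresholds follow the alert list above.
HIGH_RISK_PREFIXES = ("371", "375", "233", "234", "960", "252", "963", "882", "883")
MAX_INTL_PER_HOUR = 5
MAX_CALL_SECONDS = 3600
MAX_CONCURRENT_INTL = 3
BUSINESS_HOURS = (8, 18)          # assumption: 08:00-18:00 local, Monday to Friday


@dataclass
class Alert:
    kind: str
    src: str
    dst: str
    start: datetime


def is_international(dst: str) -> bool:
    # Assumption: dst is E.164 digits without '+', and the PBX sits in the NANP (country code 1)
    return not dst.startswith("1")


def off_hours(t: datetime) -> bool:
    return t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])


def analyze(cdrs: Iterable[dict]) -> List[Alert]:
    """Run the alert rules over CDR rows in start-time order."""
    calls = sorted(
        (datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"), r["src"], r["dst"], int(r["billsec"]))
        for r in cdrs
    )
    alerts: List[Alert] = []
    recent_intl: deque = deque()          # start times of international calls in the last hour
    active_intl_ends: List[datetime] = []  # end times of international calls still up
    for start, src, dst, billsec in calls:
        if billsec > MAX_CALL_SECONDS:
            alerts.append(Alert("long_call", src, dst, start))
        if not is_international(dst):
            continue
        if dst.startswith(HIGH_RISK_PREFIXES):
            alerts.append(Alert("high_risk_destination", src, dst, start))
        if off_hours(start):
            alerts.append(Alert("off_hours_international", src, dst, start))
        recent_intl.append(start)
        while start - recent_intl[0] > timedelta(hours=1):
            recent_intl.popleft()
        if len(recent_intl) > MAX_INTL_PER_HOUR:
            alerts.append(Alert("international_rate", src, dst, start))
        # calls still up when this one starts, plus this one
        active_intl_ends = [e for e in active_intl_ends if e > start] + [start + timedelta(seconds=billsec)]
        if len(active_intl_ends) > MAX_CONCURRENT_INTL:
            alerts.append(Alert("concurrent_international", src, dst, start))
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    return dict(Counter(a.kind for a in alerts))


# Constructed sample modelled on the incident timeline (not real CDRs)
SAMPLE_CDRS = [
    {"src": "1001", "dst": "12125550110", "start": "2024-03-15 14:05:00", "billsec": "240"},
    {"src": "1002", "dst": "12125550111", "start": "2024-03-15 15:30:00", "billsec": "120"},
    {"src": "1001", "dst": "37160000001", "start": "2024-03-15 19:26:00", "billsec": "3480"},
    {"src": "1001", "dst": "37160000002", "start": "2024-03-15 19:30:00", "billsec": "3660"},
    {"src": "1001", "dst": "37160000003", "start": "2024-03-15 19:35:00", "billsec": "720"},
    {"src": "1001", "dst": "37160000004", "start": "2024-03-15 19:40:00", "billsec": "720"},
    {"src": "1001", "dst": "37160000005", "start": "2024-03-15 19:55:00", "billsec": "720"},
    {"src": "1001", "dst": "37160000006", "start": "2024-03-15 20:10:00", "billsec": "720"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_CDRS):
        print(f"{a.start:%a %H:%M} {a.kind:26} ext {a.src} -> {a.dst}")
    print(summarize(analyze(SAMPLE_CDRS)))
```

On this sample the very first fraudulent call already raises two alerts (high-risk destination, off hours); in production the rows come from cdr_csv's Master.csv or the CDR database, and the point of the exercise is that the page goes out Friday at 7:26 PM rather than Monday at 6:30 AM.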
What My Client Does Now
After the $47,000 lesson:
- All SIP passwords are 20+ characters, randomly generated
- SIP registration restricted to office IP + VPN
- fail2ban blocks after 3 failed attempts
- International calling disabled except US, Canada, UK, Germany (their four markets)
- Daily spend cap: $200 (and they investigate whenever it triggers)
- 24/7 CDR monitoring with automated alerts
Total cost of implementing all six controls: approximately $2,000 in consultant time. That is 4% of what the fraud cost.
Providers like VestaCall (https://vestacall.com) that focus on transparency include toll fraud protection in every plan: spending alerts, geographic blocking, and anomaly detection are built in, not add-ons.