Ghost Calls = You Should be Worried!
Are you getting random, or perhaps even persistent, calls from a caller ID of 100, 1000, or some random number, but when you pick up nobody is there? These are known as ghost calls. Ghost calls are unwanted, silent calls that reach your phone, often leading to frustration due to their frequent occurrence and mysterious origins. These calls typically come from phantom numbers and can indicate potentially intrusive or damaging actions, such as port scanning or automated attacks on phone systems. It is crucial to seek assistance from your phone provider to manage and prevent these ghost calls. This article will help you understand why you need to be concerned about them, and possible avenues for stopping them.
Many attackers in the world specifically look for phone systems to exploit. I set up an unprotected Cisco CME device one time, and left port 5060 exposed on a public IP, just to see how long it would take to get attacked. It took exactly 48 minutes for somebody to discover it and start attacking. It took them another 10 minutes to break the weak password I placed on an extension, and then another 2 minutes to figure out how to dial out. That’s right, in 60 minutes with my machine exposed, attackers had figured out how to make outbound calls through my equipment.
If an attacker figures out how to exploit your equipment, they can cause a lot of damage. First, and most likely, they will try to make international calls, which you will be held liable for and which can cost you tons of money. Second, they can disrupt legitimate calls you are trying to make and/or receive on your system, thus hurting your ability to do business. Third, they can try to commit toll fraud and let you get blamed for it. Finally, they have a vector from which to attack other devices on your network. There are other risks, but I hope these points have driven home why you should be concerned.
To mitigate your risk from these kinds of threats you need to do the following (at a minimum). First, use strong passwords on your extensions, as well as on all accounts that allow you to log in to the PBX. Second, you should lock your signaling port (typically 5060 for SIP) to only accept traffic from the IP addresses of your provider. Third, you should disable routes which allow international calling on your PBX if you don’t use them, or consider route passwords and/or authorized country code routing if you do need international calling. Fourth, try to limit all connections to your system to a LAN address, or authorized IPs if possible. Finally, do not leave any ports which lead to system configuration access open to the internet. If you need access to configure your PBX from anywhere and you cannot set up a VPN on your firewall, buy a different firewall or at least get a VPN from a hosted provider (but seriously, buy a different firewall).
Lastly, there are ways to “block” calls from scanners (a common tool used by attackers, which generates ghost calls) by modifying the dial-plan on your PBX. I will not point you to those articles because most people who do this neglect all of the mitigation I outline above. I equate this to hearing a tornado siren, and then putting in earplugs because the siren annoys you. If this is your provider’s first solution to “ghost calls” and they have not asked you a litany of questions, and are not willing to at least run a network scan for you, fire your provider. There may be a specific use case for “blocking” ghost calls through dial-plan routing, but it should NEVER be the first solution.
What are Ghost Calls?
Ghost calls, also known as phantom calls, are a type of unwanted call that can occur on both landlines and Voice over Internet Protocol (VoIP) networks. These calls are characterized by their lack of caller ID or unusual phone numbers, and they can be a sign that your phone system is under some kind of scam or attack. Ghost calls can be frustrating and annoying, especially if they occur frequently, and they can also pose significant risks to your VoIP system and business operations.
Causes and Characteristics of Ghost Calls
Ghost calls can be caused by various factors, including misconfigurations, network issues, or malicious activity. One of the primary causes of ghost calls is Session Initiation Protocol (SIP) scanning, where automated bots or malicious actors attempt to identify vulnerable VoIP systems by sending out SIP messages to random or sequential IP addresses. SIP ports act as gateways in and out of the network, allowing calls to be made or received, and weak ports can be exploited by hackers to gain access to phone lines and potentially other devices within the network.
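The check below is an added example, not code from this article: it triages raw SIP requests seen on the signaling port using the provider-only source rule from the mitigation list and the scanner traits described above (short numeric caller IDs such as 100 or 1000). The provider range, the User-Agent list, and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: your provider's signaling range (a documentation prefix is used here).
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/28")]
# Assumed, non-exhaustive list of User-Agent values left at default by SIP scanners.
SCANNER_AGENTS = ("friendly-scanner", "sipvicious", "sipcli")

def parse_sip(raw):
    """Split a raw SIP request into (method, headers keyed by lower-cased name)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def triage(src_ip, raw):
    """Return the reasons a request looks like scan traffic (empty list = clean)."""
    method, headers = parse_sip(raw)
    reasons = []
    if not any(ipaddress.ip_address(src_ip) in net for net in PROVIDER_NETS):
        reasons.append("source outside provider allowlist")
    agent = headers.get("user-agent", "").lower()
    if any(s in agent for s in SCANNER_AGENTS):
        reasons.append("scanner user-agent")
    m = re.search(r"sip:([^@;>]+)@", headers.get("from", ""))
    if method == "INVITE" and m and re.fullmatch(r"\d{1,4}", m.group(1)):
        reasons.append("short numeric caller ID " + m.group(1))
    return reasons

# Constructed sample requests (not captured traffic).
SCAN_INVITE = (
    "INVITE sip:0015551230000@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.77:5060;branch=z9hG4bK-1\r\n"
    'From: "100" <sip:100@192.0.2.77>;tag=abc\r\n'
    "User-Agent: friendly-scanner\r\n"
    "\r\n"
)
PROVIDER_INVITE = (
    "INVITE sip:201@203.0.113.10 SIP/2.0\r\n"
    "From: <sip:+15555550123@198.51.100.5>;tag=xyz\r\n"
    "User-Agent: ProviderSBC\r\n"
    "\r\n"
)
```

A request that reaches the PBX at all while returning "source outside provider allowlist" means the firewall rule on the signaling port is missing or too broad.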
The Risks of Ghost Calls
Ghost calls may seem harmless, but they can pose significant risks to your VoIP system and business operations. The primary risks associated with ghost calls are toll fraud and disruption of VoIP system performance. Hackers and malicious actors can use phantom calls to gain unauthorized access to your VoIP system and place international calls or premium rate calls at your expense. These fraudulent calls can result in substantial financial losses if not detected and prevented early. Additionally, ghost calls can overload your system with unnecessary call traffic, leading to call quality issues, dropped calls, and overall degraded performance.
How to Stop Ghost Calls
Stopping ghost calls requires a proactive approach that combines robust security measures, regular updates, and strategic configuration of your VoIP system. Here are some effective strategies:
Implementing robust security measures, such as firewalls and intrusion detection systems.
Regularly updating your VoIP system and its components.
Configuring your VoIP system to block suspicious calls and traffic.
Using specialized hardware or software solutions to detect and block ghost calls.
Implementing a call-blocking app or service to block ghost calls.
Changing your SIP port to a non-standard port to make it harder for hackers to find the specific ports.
Enabling call filters to eliminate communications from unknown Internet Protocol (IP) addresses.
Maintaining firewall protections to monitor incoming transmissions and block bad actors.
How to Protect Your VoIP System from Ghost Calls
Protecting your VoIP system from ghost calls requires a combination of proactive measures and effective response strategies. Here are some best practices to help you stop phantom calls effectively:
Regularly reviewing and updating your VoIP system’s security measures.
Implementing robust security measures, such as firewalls and intrusion detection systems.
Configuring your VoIP system to block suspicious calls and traffic.
Using specialized hardware or software solutions to detect and block ghost calls.
Implementing a call-blocking app or service to block ghost calls.
Changing your SIP port to a non-standard port to make it harder for hackers to find the specific ports.
Enabling call filters to eliminate communications from unknown Internet Protocol (IP) addresses.
Maintaining firewall protections to monitor incoming transmissions and block bad actors.
Reporting ghost calls to your hosted or landline provider to help effect strong, multi-tiered protections.
Reporting the attack to the Federal Communications Commission (FCC) to help prevent future attacks.