Voip.ms hacked -- massive overbillings happening

Some details here:

https://www.dslreports.com/forum/r32512300-Voip-ms-Hacked-Voip-ms-accounts

If you use voip.ms, then disable automatic creditcard billing, disable international calling, set very short maximum call durations, and change all passwords (again!).

They did send out a note back in May suggesting people change passwords, but they seem to have leaked them all again since then.

Anyone know of similar alternative services?

Are you sure that the problem lies with voip.ms? Just skimming through the posts on that link, it would appear that "dicodread" might be the only one experiencing a problem at this time, and when he states that his same account has been hacked several times in the past, even after changing passwords multiple times, it makes me wonder whether the problem might be his own security, and not the security of voip.ms.

My VOIP comes as part of a package deal with OOMA. We were one of their very first customers, and are grandfathered in forever at no charge. No problems whatsoever in the last eleven years or so.

tanstaafl.

No, there are quite a few people posting about it there, more since I originally posted as well.

And those are just the few people who know enough to even find that particular obscure forum.

It really appears that there's been a full hack of voip.ms exposing subaccount passwords. One person even posted (since moderated) details to that thread as to how to view account details for somebody other than oneself. Not sure if that method (or a similar method) can also be scripted to reveal passwords.

I'm likely to simply drop voip.ms altogether now -- Jane is the only one of us who ever really uses the "home phone" here, and she'll be gone in a few days.

Cheers

I do use VOIP.MS
Multiple sub-accounts and phone numbers, for two different families in different houses.
Panasonic cordless handsets throughout each house, connected to ObiHai Obi202 ATA boxes.

I have not noticed any unusual billings, charges or call records. I looked back several months.

I will say that actual home telephone service is becoming less compelling as time marches on. The number of people (and the frequency) which I communicate with using genuine telephone calls keeps diminishing.

FaceTime audio calling, or Skype or whatever app, seems to now be the norm for my outgoing ‘calls’. And for many of the people who call me.

For longer duration ‘app calls’ I sometimes use a headset with my iPad or iPhone.

Me neither. Until last night: Balance now -$334.

Which password(s) are suggested to change?
Primarily the VOIP.MS web portal login?

The sub-account passwords: the ones used by the ATA. Whoever is hacking in doesn't seem to be accessing the main portal directly, so they don't seem to be changing settings (or passwords!). But somehow they are acquiring (sub-)account numbers and the corresponding SIP passwords.

But really, yeah, change ALL passwords, and disable their "API" thingie.

Okay, after a 2-day outage, Voip.ms has reverted the fraudulent charges and my account there once again now shows a positive balance, and the ATA is able to register and place/receive calls again.

Still no mass notification to customers about the hack though, so tell everyone you know about it and get them to change all of the various passwords, disable international calling, and (for good measure) rename/delete/recreate sub-accounts.

Curiously, there have been no fraudulent charges on my voip.ms account. I just turned on their 2FA (time-based auth thing) feature, and it appears that my "API configuration" is disabled. I did change my password as well.

All of the reports I have seen indicate that they exploit sub-accounts, and only those for which international calling is enabled: possibly only when enabled for the UK, as mine was.

When they hit an account, it is very abrupt, usually overnight Saturday to Sunday. They hit it hard and continuously (with calls) until Voip.ms belatedly disables the account with a negative balance in the hundreds of dollars.

Mine got re-enabled yesterday, with the fraudulent charges all reverted. So, good.

Cheers

Where/what is the upside for the attacker?

Are they calling numbers that somehow generate revenue for the destination number(s)?

That's my guess. They probably own some "premium numbers" and use the voip.ms account to repeatedly access them, effectively transfefring money to themselves from voip.ms in the process.

Do your VOIP CDR records show the destination phone numbers?

Yes, there are a bunch of mostly UK Mobile numbers shown in there. nothing extraordinary on the rates though, $0.37/minute for the most part. So.. dunno what the exact objectives are there.

Maybe they resell the stolen credit to someone who wants cheap overseas calls...?

As in: pay to use our VoIP service. It's cheap because we've piggy-backed on these stolen Voip.ms credentials.

Apparently part of the hack is to simultaneously initiate a large number of outbound calls. When those calls eventually hang up, the account is suddenly over drawn.

How to coordinate a bunch of cheapskates to all call their UK friends at the same instant?

perhaps it's placing scam calls like the old "Your Social Security is about to be suspended. If you would like to prevent this dial this number: ###-###-####."

Volume.