
Honeypot Detection: Sophisticated VoIP Toll Fraud

Sentrypeer + Suricata capture INVITE floods from GoDaddy (AS398101)

  • Protocol / Port: SIP INVITE / UDP 5060
  • Source ASN: GoDaddy AS398101
  • Payload Size: 819-byte INVITE
  • Risk: High ($$ Fraud)

Executive Summary

My T-Pot honeypot observed an aggressive VoIP toll-fraud campaign from 208.109.190.200 (GoDaddy/AS398101). The attacker used legitimate-looking SIP fingerprints (“Cisco-SIPGateway”), sequential international targets, and full SDP negotiation — a hallmark of professional revenue-share fraud targeting misconfigured PBX systems.

Incident Timeline

Detection

Sentrypeer + Suricata triggered on SIP INVITE bursts

T+00:00
  • Flagged anomalous volume to 5060/UDP
  • Correlated User-Agent + SDP length
  • Enabled packet capture

Attribution

Source 208.109.190.200 (GoDaddy/AS398101) — likely compromised VPS

T+00:08
  • ASN + geo lookup
  • Checked Abuse/Whois contacts
  • Searched for prior fraud reports

Analysis

Confirmed toll-fraud tradecraft and premium-rate targets

T+00:15
  • Parsed full SIP/SDP; verified SDP codecs and call intent
  • Recognized sequential premium number patterns
  • Classified as professional toll-fraud campaign

Response

Shared IOCs; tuned throttling and decoy behavior

T+00:25
  • Rate-limited INVITE handling at sensor
  • Filed abuse report to provider; submitted to AbuseIPDB
  • Wrote detection notes for PBX defenders

Attack Profile

  • SIP INVITE floods over UDP/5060
  • Persistence via varying source ports (50352, 52392, 56775)
  • Target numbers with sequential international patterns (0075346850780296, 76000046850780294)
  • Spoofed User-Agent: “Cisco-SIPGateway” to mimic legitimate equipment
  • Full SDP negotiation; established bidirectional UDP flows

Methodology & Intent

  • International premium route abuse: 760/007 indicate high-tariff destinations
  • Compromised/misconfigured PBX sought for unauthorized call placement
  • Signature evasion using legitimate vendor fingerprints
  • Systematic dial of sequential number ranges to find billable routes

Financial exposure can reach six figures before business hours on Monday.

Real-World Impact

  • Toll fraud can generate $50k-$200k in hours — carriers often hold victims liable.
  • Legit infrastructure abuse (GoDaddy VPS) complicates IP-based blocking.
  • Whitelisted vendor strings (“Cisco-SIPGateway”) help bypass naive defenses.

Recommendations

  • Disable unauthenticated SIP on the public internet; restrict by IP where possible.
  • Enforce outbound call rules (destinations, max concurrency, price caps).
  • Alert on vendor strings in unexpected contexts and sequential international dialing.
  • Deploy honeypot SIP listeners (e.g., Sentrypeer) to surface fraud early.
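The detection signals listed above (INVITE volume from one source across rotating ports, a vendor User-Agent arriving from an arbitrary internet host, full SDP bodies, and sequential dialling of high-tariff prefixes) can be combined into a simple per-source scorer. The following Python is an added example written for this post; it is not Sentrypeer, Suricata or T-Pot code. Everything in it is an assumption for illustration: the sample INVITEs are constructed (TEST-NET addresses stand in for the real source), and `PREMIUM_PREFIXES`, `BURST_THRESHOLD` and `SPOOFABLE_AGENTS` are tuning knobs chosen here, not values from the sensor.

```python
"""Per-source SIP INVITE burst scorer (added example; not Sentrypeer/T-Pot code).

Assumptions (not from the post): messages are plain RFC 3261 text, the source
IP/port come from the UDP transport layer, and the thresholds below are
illustrative tuning values.
"""
from __future__ import annotations
import re
from collections import defaultdict

PREMIUM_PREFIXES = ("760", "007")          # high-tariff indicators named in the post
BURST_THRESHOLD = 3                        # INVITEs from one IP before we call it a burst
SPOOFABLE_AGENTS = ("Cisco-SIPGateway",)   # vendor strings not expected from random hosts


def build_invite(number: str, src_port: int, user_agent: str = "Cisco-SIPGateway") -> str:
    """Constructs a sample INVITE with an SDP body; demo input only."""
    sdp = ("v=0\r\no=- 1 1 IN IP4 203.0.113.10\r\ns=call\r\n"
           "c=IN IP4 203.0.113.10\r\nt=0 0\r\n"
           "m=audio 10000 RTP/AVP 0 8 18\r\na=rtpmap:0 PCMU/8000\r\n")
    return (f"INVITE sip:{number}@10.0.0.5 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 203.0.113.10:{src_port};branch=z9hG4bK{src_port}\r\n"
            "From: <sip:1000@203.0.113.10>;tag=abc\r\n"
            f"To: <sip:{number}@10.0.0.5>\r\n"
            f"Call-ID: {src_port}@203.0.113.10\r\nCSeq: 1 INVITE\r\n"
            f"User-Agent: {user_agent}\r\nContent-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n" + sdp)


def parse_invite(raw: str) -> dict:
    """Extracts the dialled number, User-Agent and SDP presence from one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"INVITE\s+sip:\+?(\d+)@", lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "is_invite": m is not None,
        "number": m.group(1) if m else None,
        "user_agent": headers.get("user-agent", ""),
        "has_sdp": headers.get("content-type", "").lower() == "application/sdp" and bool(body),
        "sdp_len": len(body),
    }


def sequential_runs(numbers: list[str], min_run: int = 3) -> list[list[str]]:
    """Finds runs of same-length numbers that increase by exactly one (a dial sweep)."""
    runs, current = [], []
    for n in sorted(set(numbers), key=lambda s: (len(s), s)):
        if current and len(n) == len(current[-1]) and int(n) == int(current[-1]) + 1:
            current.append(n)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [n]
    if len(current) >= min_run:
        runs.append(current)
    return runs


def analyze(events: list[tuple[str, int, str]]) -> dict[str, dict]:
    """events are (src_ip, src_port, raw_sip); returns per-source findings."""
    per_src = defaultdict(lambda: {"invites": 0, "ports": set(), "agents": set(), "numbers": []})
    for ip, port, raw in events:
        msg = parse_invite(raw)
        if not msg["is_invite"]:
            continue
        s = per_src[ip]
        s["invites"] += 1
        s["ports"].add(port)
        s["agents"].add(msg["user_agent"])
        s["numbers"].append(msg["number"])
    findings = {}
    for ip, s in per_src.items():
        reasons = []
        if s["invites"] >= BURST_THRESHOLD:
            reasons.append(f"INVITE burst ({s['invites']} from {len(s['ports'])} source ports)")
        premium = [n for n in s["numbers"] if n.startswith(PREMIUM_PREFIXES)]
        if premium:
            reasons.append(f"premium-rate prefixes dialled ({len(premium)})")
        runs = sequential_runs(s["numbers"])
        if runs:
            reasons.append(f"sequential sweep of {len(runs[0])} numbers")
        if s["agents"] & set(SPOOFABLE_AGENTS):
            reasons.append("vendor User-Agent from an unexpected source")
        findings[ip] = {"invites": s["invites"], "ports": sorted(s["ports"]), "premium": premium,
                        "runs": runs, "reasons": reasons, "suspicious": len(reasons) >= 2}
    return findings


# Constructed burst modelled on the post: one source, rotating ports, sequential
# 007... numbers and a spoofed Cisco User-Agent, plus one benign internal call.
ATTACKER = "203.0.113.10"
SAMPLE_EVENTS = [
    (ATTACKER, 50352, build_invite("0075346850780296", 50352)),
    (ATTACKER, 52392, build_invite("0075346850780297", 52392)),
    (ATTACKER, 56775, build_invite("0075346850780298", 56775)),
    ("198.51.100.7", 5060, build_invite("2001", 5060, user_agent="Linphone/5.0")),
]

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_EVENTS).items():
        print(ip, "SUSPICIOUS" if f["suspicious"] else "ok", "; ".join(f["reasons"]))
```

Requiring two independent signals before marking a source suspicious is deliberate: a single Cisco User-Agent or a single high-tariff prefix is normal on a PBX that really trunks to such devices or destinations, whereas a burst from rotating ports that also sweeps consecutive international numbers is the pattern this post describes. On a real sensor the `events` list would be fed from the packet capture rather than constructed inline.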

Run VoIP infra? Let’s reduce your exposure.

I can help lock down PBX configs and build detections that stop toll-fraud fast.

Get in Touch