Aug 15
Toll Fraud Prevention
Posted by Dustin Kaplan

No matter how seasoned an engineer you are, it’s a magic feeling to reach the end of a Cisco UC upgrade. The systems are up, devices are registered, and you've dodged all the bugs in the code that threatened to throw your little upgrade train off the rails of your cut plan and send it burning into the canyon of despair. Things are working and it's time to start testing. It's at this point that you, or more specifically I in this case, noticed an interesting "all circuits busy" message when I attempted to dial inbound from the outside. After some quick investigation, my curiosity turned to surprise when I discovered that the customer's voicemail system had not only been compromised but was being used to place hundreds of outbound calls to international numbers per minute.

This is toll fraud: a well-known attack among voice engineers who have spent some time in the field, but largely a mystery to victims who only learn about it when they receive massive phone bills for seemingly no reason. In a nutshell, the attack leverages compromised voicemail boxes on your system to allow attackers to make unlimited international calls at your expense. While the attack is simple in theory, I thought I would try to share the details and origins of this hack below. Enjoy!

Phreaks n' Geeks

To understand how voicemail toll fraud came to be as we know it today, we first have to go back. Back before email or even cell phones, to a time when Hulk-a-Mania gripped the nation and people thought shoulder-padded blazers with t-shirts were a good idea. I'm talking, of course, about the early 80's. It was during this fast and loose era of free-flowing cocaine and synth tones that phone hackers, or "Phreakers", were quietly wreaking havoc on telecommunication carrier networks. Phreaks used a multitude of home-brewed techniques to trick carrier equipment into letting them make free calls anywhere in the world.

Phreakin' ain't easy though, especially in a vacuum, which is why like-minded hackers needed a place to share ideas, collaborate on new hacks and exchange secrets for making a great margarita. BBSs, or Bulletin Board Systems, were a good start, but sometimes hackers needed something more. At first, party lines or bridges seemed like a great choice for this purpose. However, these options offered no privacy of any kind, since the line was "open" to anyone with the dial-in number.

Enter voicemail mailboxes. Specifically, compromised voicemail mailboxes. Phreaks would find a forgotten voice mailbox on a corporate system that was protected only by a simple or default PIN. Once they had access, they were free to spread the information amongst the phreaker community and use it like their own personal voice-based message board. Like supervillains using a mask to protect their real identity, phreaks could freely distribute the number of a compromised voicemail box or system instead of giving out their real phone number. This allowed them to collaborate with others and at the same time keep their real phone number and address secret from the ever-encroaching long arm of the law.

This practice continued, and even spread to the cell phone market, until the early 2000's. The continuing growth of the internet and the creation of VoIP, along with a shift in hacking culture and an increased awareness of the practice among corporate and cell phone users, caused the practice to seemingly all but fade from the scene.

All your mailbox are belong to us

While the practice of compromising voicemail systems for phreaker-to-phreaker clandestine messaging faded, a new and more sinister hack grew in its place. Similar to the original hack, an attacker will place a number of calls into a company's voicemail system, either manually (unlikely) or using automated software, typically during a time of low utilization such as at night or over a holiday. The goal of these calls is to search for voicemail boxes that are secured using only simple passwords. Once a voicemail box is compromised, attackers change the call forwarding settings to point toward either a national or an international number and are then able to make free calls to the configured destination. To add insult to injury, attackers will typically sell the phone numbers used to access the voicemail box to "customers" looking to pay a cheap one-time payment for unlimited international calls (at the expense of the business).

So, how much money are we talking here? To put things in perspective, in a 2011 survey of telecom carriers, the Communications Fraud Control Association (CFCA), which is an industry group created to reduce fraud against carriers, concluded that compromised PBX/voicemail systems accounted for $4.96 BILLION dollars in lost revenue. Yes. You read that correctly. Nearly $5 billion lost from this attack type alone.
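The pattern described above (calls originated by the voicemail system, to international destinations, in bursts and often off-hours) can be looked for in call records. The following is an added example, not code from the original post: the CSV columns, the `VM-PORT` device prefix, the `011`/`9011` dial prefixes and the thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample records (not from a real system). Column names, the
# "VM-PORT" device naming and the 011/9011 dial prefixes are assumptions.
SAMPLE_CDR = "start,orig_device,dialed\n" + "".join(
    f"2023-08-12 02:14:{s:02d},VM-PORT-{s % 4},90114400000000{s:02d}\n"
    for s in range(0, 60, 5)   # 12 international calls in one minute, at night
) + (
    "2023-08-14 10:05:10,SEP-DESK-17,90114400000000\n"   # desk phone, not voicemail
    "2023-08-14 10:06:30,VM-PORT-1,5551000\n"            # voicemail port, local call
    "2023-08-14 10:07:45,VM-PORT-2,90114400000099\n"     # lone international call
)


def is_off_hours(ts, open_hour=7, close_hour=19):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)


def flag_toll_fraud(cdr_text, vm_prefix="VM-PORT", intl=("011", "9011"), per_minute=5):
    """Return alerts for minutes in which voicemail ports placed at least
    `per_minute` international calls; off-hours bursts are marked."""
    buckets = Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not row["orig_device"].startswith(vm_prefix):
            continue                      # only calls the voicemail system originated
        if not row["dialed"].startswith(intl):
            continue                      # only international destinations
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        buckets[ts.replace(second=0)] += 1
    return [
        {"minute": m, "calls": n, "off_hours": is_off_hours(m)}
        for m, n in sorted(buckets.items()) if n >= per_minute
    ]


if __name__ == "__main__":
    for alert in flag_toll_fraud(SAMPLE_CDR):
        print(alert)
```

On a healthy system the voicemail ports should place few or no international calls, so even a low threshold produces little noise.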


Protect yourself before you wreck yourself

A voicemail toll fraud attack can, at a minimum, disrupt your business by tying up all your inbound or outbound lines, and it can also result in a massive phone bill from your carrier(s). While no system is un-hackable, I've outlined some simple steps below that you can take to protect your system from attackers looking for low-hanging fruit in the form of easily compromised voicemail boxes.

  1. Review Authentication Rules - Ensure the following have been set for your users:
    1. Phone PIN set to be a minimum of 6 digits
    2. PIN must be changed every 180 days
    3. NO trivial PINs allowed (e.g. 1111, 1212, 1234, etc.)
    4. Store at least 5 previous PINs
  2. Configure Restriction Tables
    1. Block any outbound calls from the voicemail system to international destinations
    2. Restrict outbound national calls from the system to only known destinations
  3. Class Of Service
    1. Assign users to a class of service that does not have the option enabled to "Allow Users to Use Personal Call Transfer Rules"
  4. Housekeeping
    1. Delete any unused mailbox that does not belong to an active employee.
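To make the authentication rules in step 1 concrete, here is an added example (not code from the original post or from any Cisco product) that applies the four PIN rules to a candidate PIN. The function names and the definition of "trivial" beyond the three PINs the list names are assumptions, and all PINs shown are constructed.

```python
from datetime import date

MIN_LENGTH = 6       # step 1.1: minimum of 6 digits
MAX_AGE_DAYS = 180   # step 1.2: change every 180 days
HISTORY_DEPTH = 5    # step 1.4: remember 5 previous PINs


def is_trivial(pin):
    """Step 1.3: one repeated digit or block (1111, 1212, 123123) or a
    straight run up or down, wrapping at 0/9 (1234, 654321, 890123)."""
    n = len(pin)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pin[:size] * (n // size) == pin:
            return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def check_new_pin(pin, previous_pins=()):
    """Return the list of policy violations; an empty list means compliant.
    previous_pins is oldest-first and held in plaintext only to keep the
    example short."""
    if not pin.isdigit():
        return ["PIN must be digits only"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if is_trivial(pin):
        problems.append("trivial pattern")
    if pin in list(previous_pins)[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} PINs")
    return problems


def is_expired(last_changed, today=None):
    """True when the current PIN is older than MAX_AGE_DAYS."""
    return ((today or date.today()) - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed test values, not real credentials.
    for pin in ("1111", "1212", "1234", "123123", "482915"):
        print(pin, check_new_pin(pin) or "ok")
```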

If you're concerned you might be a victim of toll fraud, would like more tips on prevention, or want to schedule a voicemail system audit with us, please contact sales@lookingpoint.com.

Written By: Dustin Kaplan, LookingPoint Consultant Services Engineer

 

