It seems no one is safe. Every IP Telephony Service Provider [ITSP] I have talked to has suffered an IP PBX hack. End Users of VoIP phones most commonly do not remember or know how to change the password on their PBX or voicemail account. Default passwords for a PBX are usually the last four digits of the phone extension so hackers can easily cycle though to determine a weak or discoverable password. Once into the PBX, they can originate calls from anywhere on the Internet and pump traffic volume to numbers that will realize them fraudulent revenues
Voicemail can be configured to dial out eg when you hear the greeting “please wait while we attempt to reach your party”, of course the voicemail system is making an outbound call which is setup by the hacker to redirect to their intended destination.
The fraudster can resell such phone capacity. One of the nice advantages of VoIP is its built in features for Moves, Adds and Changes. When the time comes to move office, you can just pack you VoIP phone and take it with you. Plug it into the internet or your companies IP cloud and it will register with your IP PBX and you can make calls. If you travel, you can take your VoIP phone with you and plug it into the internet in your hotel room and makes calls as if from your desk. So The PBX has no concept of your physical location or who is using the phone and so fraudsters, once they hack your PBX can make calls from anywhere, using your account.
The Telecommunications industry has annual revenues of $2.1 Trillion. Telecom fraud is calculated to cost the telecom industry $40 Billion each year.
The calls come out of your IP PBX, to your ITSP, offering a SIP Trunking service (i.e. a service that routes calls from a VoIP environment to the PSTN and therefore to any expensive international destination offered. So your ITSP receives an invoice from the International carrier for all these international calls. Fraudsters often choose weekends or other times outside business hours to attack. This way, the attack goes unnoticed and the account is beaten to death whilst no one notices or cuts it off.
“How to lose your year’s profits in 15 minutes!” was the way one of our customers described Toll Fraud. The ITSP receives this rather large bill from the international carrier. If he demands payment from the enterprise which has allowed their IP PBX to be hacked, he will surely loose a customer. Small companies who typically have small telecom bills can afford suddenly to pay up for a $20,000 to $30,000 bill. Many events run into the hundreds of thousands.
Although the ITSP caught in the middle may be to share some of the costs with their customer and the international or long distance carrier, they cannot afford to lose customers and will not often impose the charges on their client. So this is a loss the ITSP usually has to take on the chin.
How can we detect it in real-time and turn it off in real-time to prevent the cost leakage? Advanced monitoring systems are now available which will not only detect the fraud attack in real-time but will also turn if off.