
BCM Security and International calling threat 1

Sep 11, 2009

We were just notified by AT&T Global Threat Management organization that a POTS line connected to one of our BCM50s at a remote office was detected placing international calls to Ethiopia and Pakistan. This particular small office has a BCM50 r2, 8 analog lines / phones and uses an auto-attendant (allowing for a caller to ** into vmail). AT&T traced the calls, which all originated from one of the POTS lines. This incident happened yesterday. The initial and appropriate response was to order AT&T to block all international calling. We did this. And fortunately for us, it still allows for us to call into Canada.
We do not have any contact center operations (skillsets or agents) logged into this system. It is purely a business office. Users have a digital phone and VM capability.

In this situation, the damage was minimal and the response quick.
My question is exactly how did this happen to us. What log information is available for me to examine that would help point which vmail or ext these calls came from. And what safe guards should we put into effect going forward.

Here's a list of items I've identified so far...

- Disable DID access (we only have POTS lines and no DID is available).
- Eliminate remote access to BCM. We have no dial-up access, but do have LAN access for BEM purposes over our internal corp network.
- Do not allow unlimited attempts to access the phone system. We use a COS that allows 3 attempts and a 5min retry interval.
- Eliminate trunk-to-trunk transfers. We do not have anything else beyond 8 analog/POTS lines into this system.
- Delete/change all default passwords. We have been known to use a common 1234 password to vmail in the past. We have just enabled Trivial password checking.
- Change passwords often. We have a COS that requires changing vmail passwords once every 90 days.


The bottom line is that our organization is responsible (not the carrier) for international calls placed by our PBX equipment SO... it is in our best interest to secure our phone equipment as best we can to avoid unnecessary calls/costs.

Any feedback would be appreciated.
VOJ

 

First you should run a "mailbox information" report in CallPilot.
From there you should be able to see which mailbox has an outbound transfer number programmed.
In the cases I saw, most of the time they were accessing the general mailbox that had an easy password and outbound transfer capabilities in its class of service.
Basically once they catch one of those mailboxes, they access it from outside and once in the mailbox they press 7 and the rest of the digits.
We no longer enable "outbound transfer" on all our installs, we explain how it works to the customer and let the customer program it himself.
Of course we block all voicemail ports from long distance and international calls.
 
You could FTP the CDR records off the system and see if you can find which mailbox initiated the call, assuming the 'hacker' was smart enough to turn off outbound transfer from the mailbox when they were done and the callpilot reports show nothing. As gberger mentioned, assign restriction filters to your voicemail ports. If you need to have OPN or outbound transfer enabled, simply add the numbers you need to have dialed as overrides to the restriction filters.

While it is 99% probable the issue was caused by a compromised mailbox, it could also be someone forwarding their phone to an international number, then dialing their extension from the auto attendant. That would be an inside job and pretty unlikely in an office of that size.
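One way to go through the CDR records biv343 suggests pulling off the system, as an added example that is not from this thread or from Nortel: it flags calls that went international, left via a voicemail application DN, or ran after hours, then totals the minutes per originating DN. The CDR layout, the voicemail DNs (281, 282), the business hours and the dialing plan (9 for an outside line, 011 for international) are all assumptions constructed for the example; the real BCM50 CDR format differs and must be mapped onto these fields.

```python
import re
from collections import defaultdict
# Constructed sample CDR text. Assumption: a simplified comma-separated layout of
# "YYYY-MM-DD HH:MM:SS,originating DN,line,dialed digits,seconds"; the real BCM50
# CDR record format differs and must be mapped onto these fields first.
SAMPLE_CDR = """\
2009-09-10 02:14:07,281,L003,9011251911223344,612
2009-09-10 02:26:51,281,L003,9011923001234567,840
2009-09-10 09:03:12,224,L001,915551234567,95
2009-09-10 09:40:33,226,L002,96135550100,41
2009-09-10 02:31:05,282,L004,9011251911223399,300
"""
VOICEMAIL_DNS = {"281", "282"}     # assumed CallPilot application DNs
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59, assumed for the example
# Assumed dialing plan: optional 9 for an outside line, then 011 = international.
INTL_PATTERN = re.compile(r"^9?011\d{7,}$")

def parse_cdr(text):
    """Split each CDR line into a dict; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dn, line_id, digits, secs = line.split(",")
        rows.append({"ts": ts, "dn": dn, "line": line_id,
                     "digits": digits, "secs": int(secs)})
    return rows

def suspicious_calls(rows, vm_dns=VOICEMAIL_DNS):
    """Flag calls that went international, left via a voicemail port, or ran
    after hours; each hit keeps its reasons so it can be triaged."""
    hits = []
    for r in rows:
        reasons = []
        if INTL_PATTERN.match(r["digits"]):
            reasons.append("international")
        if r["dn"] in vm_dns:
            reasons.append("voicemail-port")
        if int(r["ts"][11:13]) not in BUSINESS_HOURS:
            reasons.append("after-hours")
        if reasons:
            hits.append({**r, "reasons": reasons})
    return hits

def minutes_by_dn(hits):
    """Total suspicious call time per originating DN: the DN to investigate."""
    totals = defaultdict(int)
    for h in hits:
        totals[h["dn"]] += h["secs"]
    return {dn: round(s / 60, 1) for dn, s in totals.items()}
```

A DN that shows up here with international, after-hours calls is the mailbox (or extension forward) to check against the "Mailbox Information" report.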
 
I checked the CallPilot Manager "Mailbox Information" report and sure enough it identified the ext (224) that has outbound transfer enabled. Interestingly, the Outbound number is set to 91167 ?? I don't recognize this other than it starting with 9 (to get outbound line), then 1 to dial long distance. There aren't digits to fully qualify... but it looks as though it may have been the start of a valid number. I need to speak with this user to see if they had attempted to program an outdial number, if not, then I would rule out a "user" created issue here and have to assume the mailbox was hacked.

I can reach this mailbox by dialing the main office number, then entering ##224xxxx. I tried unsuccessfully to log into it remotely. After 3 attempts, the AA told me it was exiting the system.


Thoughts?
VOJ
 
We have disabled outbound transfer on all mailboxes. Mgmt is ok with this!
We have enabled Trivial Password checking in CallPilot.
We have changed the log on passwords on all mailboxes.
We have blocked international calling with our LD carrier.

Not sure how to restrict vmail port from dialing long distance numbers. Biv343 above mentioned using restriction filters.

gberger's reference above to a URL that allows you to look up unknown caller numbers looks interesting!



Thanks,
VOJ
 
The culprit was "Outbound Transfer" feature. Think twice about enabling it. If you do, be careful.
VOJ
 
If you have outbound transfer and off premise notification shut off, and don't use CallPilot fax for outbound faxes, then restriction filters aren't needed as the voicemail ports won't ever initiate a call. You can remove access to the line pools on the active application DNs as an extra measure if needed. If using filters, just build a new filter restricting the digits you don't want dialed and apply that filter to the application DNs.
 