
BCM400 being actively exploited to make international calls


mrbean2766

Programmer
Jun 23, 2001
18
AU
Hello all.

We have a BCM400 ver. 3.7 that is currently being hammered by external callers who are then able to somehow divert their incoming calls to use outgoing lines to make international calls. I'm a total novice when it comes to PABX programming, but need to do something urgently to stop these fraudulent callers. We've had close to 3000 international calls in the last 2 weekends so I'd really appreciate any tips in identifying the issue and resolving it.

Brief history:
When we came into the office on Monday morning, and the PABX was switched out of night switch mode at 8:30am, we were inundated with incoming calls that when answered resulted in audible, morse-code like sounding tones (definitely different from FAX tones). It later became apparent that this is how they were/are instructing the PABX to make these calls. Unfortunately, I cannot block international dialing as it is used for offsite message notification to international locations.

What else can I do to stop these shenanigans? The exploiters are aware of our business hours and they appear to start the onslaught at 7pm every Friday and stop at 6am Monday morning. We have activated Malicious Call Tracing but that hasn't been fruitful in stopping the exploit. I've also set the outdial type for all mailboxes to none; all to no avail!

I beg anyone with expertise to come to my rescue ASAP.

Cheers,
tkb.
 
You might need to check out your remote packages in case you have trunk to trunk enabled. It could be that your Call Pilot voicemail is secure, but not your actual lines.

If the office doesn't get many calls over the weekend, then power the BCM down or unplug your PRI link. Sounds drastic, but that will stop them!

All the best

Firebird Scrambler
Meridian 1 / Succession and BCM / Norstar Programmer in the UK

If it's working, then leave it alone!
 
Thanks for the quick response, firebirdscrambler.

Unfortunately, I cannot switch the PABX off at all as we provide a 24/7 support service to our customers.

How do I go about checking if trunk to trunk calling is enabled? I have full access to the PABX despite not knowing why the heck they gave me this access without any know-how; could be very dangerous!

Cheers,
tkb.
 
It might be wise to load up the BCM Monitor tool as this can be very useful when checking out trunks. I think you can download the tool from within your Mntce section where you log in for the 3.x versions.

All the best

Firebird Scrambler
Meridian 1 / Succession and BCM / Norstar Programmer in the UK

If it's working, then leave it alone!
 
They're doing it through users voicemail boxes!

First thing to do is remove access to any trunks to the PSTN from your VM ports. In fact, assign a restriction table to each one and set the restrictions to any any any. Don't let them dial SFA!

Second, turn on the trivial password checking in the vm properties, and then, if you're up to it, reset everyone's password to the default, access them all and change it to whatever you want and then force all employees to change it again to whatever they want. The trivial check will make sure they can't use the obvious.

Then, make sure that you initialize and change the password of your administration mailbox. You need to do this so that someone on the inside is not able to get into anyone's mailbox and set up the outbound transfer. I had one last month where the contact's own mailbox was set up to transfer out to a 1010 carrier where these cockroaches would then dial to Sri Lanka to the tune of over 400 calls a night. The contact didn't even know his box had been compromised. You can pretty much guess what his password was set to.

I did all of the above for them and they haven't had one hacked call since so good luck with it.
 
Thanks for responses.

@firescrambler:
I already have the BCM Monitor installed, and I can see them dialing in and out but not sure if that tool can disable anything, can it?

@telcodog:
Unfortunately, you are talking with a real PABX novice and most everything you mentioned above just went over my head. Maybe it's time to call in the specialist; how much to fly you down under - :)??? On the other hand, I have access to all the internal BCM400 documentation so any pointers to particular docs would help!

Cheers,
tkb.
 
It probably is time to call in a vendor who has more time on the system than you do. There isn't any particular document that details everything you can do to put a stop to these scumbags. It amounts to experience more than anything.

just show this thread to the tech who comes out and they'll have no trouble making the changes for you. If you want to give it a shot yourself, come back on here and we'll go through it step by step.
 
Thanks telcodog.

I'd like to know how to do it as we are a small company and the group that installed it charge an arm and a leg for maintenance! So we opted for the much higher, but only when we need them, call out charge.

As long as you believe what we'll be doing won't interfere with the functioning of the call center (we promise 99.99% - four 9's response SLA to our customers), then I suppose I can attempt to do it with your guidance.

Let me know when and how you'd like to proceed and I'll make time to fix it.

Cheers,
tkb.
 
Also put in a deny for international calls on all of your lines for the time being, which means that no one can dial out.

This will hopefully cause the hackers to move on.

All the best

Firebird Scrambler
Meridian 1 / Succession and BCM / Norstar Programmer in the UK

If it's working, then leave it alone!
 
Nothing I am suggesting you do will interfere with the call centre operation... as long as you're careful and take your time.

The first thing to do is restrict those voicemail ports from any line pool access. To do that, go into Element Manager and look under the Configuration Tab>Telephony>Sets>Active Application DNs. Most of those listed there will be your vm ports. Select each one under the Line Access tab. In the lower screen, look under both Line Assignment and Line Pool Access tabs and if there are ANY entries in there, delete them. Do this for each DN listed, even the modem, MeetMe conferencing DN etc etc.

To further restrict them, select the Restriction tab in the upper screen. Once again, select one DN and in the bottom screen you will see a box that has 2 columns in it labelled Schedule and Use Filter. Start at the top and select a filter number (There are 100 in the list and you can use whatever one you want but stick to a higher number as it's likely it won't be in use for something else). For this purpose, let's use 20. Just double click the entry and type in 20 over top of whatever is assigned now (We'll set up filter 20 in a minute). Once you enter 20 for all the entries in there (I think there are 6 or 7), click the copy button on the upper screen just below the DN list. Now select another DN. When it comes up, click the paste button. Another window will pop up with a bunch of boxes you can check off. Check the Restrictions box only and hit OK. Repeat this for all the DNs in that list (Once you check that box, it will stay checked for the duration of your session so you don't have to repeat that part. It will already be checked when you click the paste button).

Once you're done that, go to the Navigation Pane on the left and click the plus sign beside the Call Security Heading, Select Restriction Filters. The list will come up, so click on the one you selected earlier (in this case, 20). There should be nothing in that table. If there is, you will need to select a different one so you might want to pick one before you assign it to the DNs. All you have to do is click the ADD button. Another small window will pop up asking you what digits you want to add. Type AAA then click OK. That's it! The AAA means any any any so that restriction filter disallows any digits to be dialed on any trunk.

It sounds a lot more complicated to do than it actually is. It shouldn't take you more than a half hour to do all of this, and that's if you take your time.

Once you're done that, come back on here and we'll do the actual voicemail part. If I'm getting too detailed in the instructions, let me know and I'll provide less. I'm just not sure of your skill level.

 
Thanks all for responses; much appreciated.

@telcodog:
This Element Manager you talk about is not present on my system. I'm using Unified Manager, which has somewhat similar options to those you mention above. I'm attaching a screenshot of one voicemail DN expanded to show all available settings.

I'm not sure the procedure you mention above will work with the topology given in the screenshot word for word. However, I have enough 'kidneys' to know what you mean - LOL.

Also, I might mention that since I set the 'Outdial Type' to 'none' in the voicemail settings per DN, it seems that the perpetrators have not been able to dial out. I see just single attempts and nothing else.

For instance, I would see this before making that change:

*071811 045041 0329 0086 393101750 UNKNOWN U T
*071811 045047 0329 294119100 UNKNOWN U G
*071811 045047 0329 294119100 [protect the innocent] U D
*071811 045048 0329 9047 294119100 UNKNOWN U A
*071811 045052 0329 0085 294119100 UNKNOWN U T
*071811 045106 0329 0089 294119100 UNKNOWN U R

-------- 07/18/11 04:40:59 LINE = 0329 STN = 9047
CALLING NUMBER 294119100
NAME UNKNOWN
UNKNOWN
DNIS NUMBER [protect the innocent]
BC = SPEECH
00:00:00 INCOMING CALL RINGING 0:00
LINE = 0064
00:00:02 HOLD
00:00:05 TRANSFERRED

-------- 07/18/11 04:41:04 LINE = 0329 LINE = 0089
00:00:00 FROM TRANSFER
00:00:00 UNHOLD
00:10:02 CALL RELEASED

-------- 07/18/11 04:41:01 LINE = 0089 STN = 9047
BC = SPEECH
00:00:00 OUTGOING CALL
DIGITS DIALED 14560011263774932146
00:00:03 TRANSFERRED

-------- 07/18/11 04:41:04 LINE = 0089 LINE = 0064
00:00:00 FROM TRANSFER
00:10:03 CALL RELEASED

As seen above, the line was used for 10 minutes.

After making the changes to 'Outdial Type' the dialog now looks like this:

*073011 231324 0329 287533300 UNKNOWN U G
*073011 231324 0329 287533300 [protect the innocent] U D
*073011 231325 0329 9047 287533300 UNKNOWN U A
*073011 231446 0329 0090 287533300 UNKNOWN U T
*073011 231455 0329 0090 287533300 UNKNOWN U R

-------- 07/30/11 23:13:25 LINE = 0329 STN = 9047
CALLING NUMBER 287533300
NAME UNKNOWN
UNKNOWN
DNIS NUMBER [protect the innocent]
BC = SPEECH
00:00:00 INCOMING CALL RINGING 0:01
LINE = 0061
00:01:18 HOLD
00:01:21 TRANSFERRED

-------- 07/30/11 23:14:46 LINE = 0329 LINE = 0090
00:00:00 FROM TRANSFER
00:00:00 UNHOLD
00:00:09 CALL RELEASED

-------- 07/30/11 23:14:43 LINE = 0090 STN = 9047
BC = SPEECH
00:00:00 OUTGOING CALL
DIGITS DIALED 1456001116506236900
00:00:03 TRANSFERRED

-------- 07/30/11 23:14:46 LINE = 0090 LINE = 0061
00:00:00 FROM TRANSFER
00:00:09 CALL RELEASED

As seen, it looks like they are attempting only once and although it seems they are dialing out, the connection breaks after at most 3 seconds!! What could this mean?? Are they just testing to make sure the connection is available but they have no calls to make? Or are they truly unable to make the connection despite it looking like they are able to dial out?

Cheers,
tkb.
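Added example, not from the thread and not a Nortel/Avaya tool: a small Python parser for the detailed call records quoted in the post above. It links each OUTGOING CALL that a station started and then transferred away to the trunk-to-trunk leg logged right after it, and reports how long the bridged trunks stayed up, which is the difference between the 10-minute call on 07/18 and the 9-second attempt on 07/30. The sample records are a constructed copy of the ones posted (DNIS still redacted); the record layout, the 0011 international prefix (the poster is in AU) and the 30-second "connected" threshold are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the detailed call records quoted in the thread, with the
# DNIS kept redacted. The 07/18 records predate the Outdial Type change, the
# 07/30 records follow it.
SAMPLE_LOG = """\
-------- 07/18/11 04:40:59 LINE = 0329 STN = 9047
CALLING NUMBER 294119100
DNIS NUMBER [protect the innocent]
BC = SPEECH
00:00:00 INCOMING CALL RINGING 0:00
LINE = 0064
00:00:02 HOLD
00:00:05 TRANSFERRED

-------- 07/18/11 04:41:01 LINE = 0089 STN = 9047
BC = SPEECH
00:00:00 OUTGOING CALL
DIGITS DIALED 14560011263774932146
00:00:03 TRANSFERRED

-------- 07/18/11 04:41:04 LINE = 0089 LINE = 0064
00:00:00 FROM TRANSFER
00:10:03 CALL RELEASED

-------- 07/30/11 23:14:43 LINE = 0090 STN = 9047
BC = SPEECH
00:00:00 OUTGOING CALL
DIGITS DIALED 1456001116506236900
00:00:03 TRANSFERRED

-------- 07/30/11 23:14:46 LINE = 0090 LINE = 0061
00:00:00 FROM TRANSFER
00:00:09 CALL RELEASED
"""

HEADER = re.compile(r"^-+ (\d\d/\d\d/\d\d) (\d\d:\d\d:\d\d) LINE = (\d+) (STN|LINE) = (\d+)$")
EVENT = re.compile(r"^(\d\d):(\d\d):(\d\d) (.+)$")
DIGITS = re.compile(r"^DIGITS DIALED (\d+)$")

# Assumption: Australian international access code, since the poster is in AU.
IDD_PREFIX = "0011"


@dataclass
class CallRecord:
    date: str
    start: str
    line: str          # trunk the record was logged against
    party_kind: str    # "STN": a set or VM port; "LINE": a second trunk (trunk-to-trunk)
    party: str
    digits: str = ""
    events: list = field(default_factory=list)   # (elapsed seconds, event text)

    def elapsed(self, event):
        """Seconds into the record at which `event` was logged, or None."""
        for secs, text in self.events:
            if text.startswith(event):
                return secs
        return None


def parse_records(text):
    """Split the monitor output into CallRecord objects, one per '--------' block."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            records.append(CallRecord(*m.groups()))
        elif not records or not line:
            continue
        elif m := DIGITS.match(line):
            records[-1].digits = m.group(1)
        elif m := EVENT.match(line):
            h, mi, s, text = m.groups()
            records[-1].events.append((int(h) * 3600 + int(mi) * 60 + int(s), text))
    return records


def find_trunk_to_trunk_calls(records, connected_after=30):
    """Flag OUTGOING CALL records that a station started and then transferred
    away, and measure how long the resulting trunk-to-trunk bridge stayed up."""
    findings = []
    for rec in records:
        if rec.party_kind != "STN" or rec.elapsed("OUTGOING CALL") is None:
            continue
        if rec.elapsed("TRANSFERRED") is None:
            continue   # an ordinary outbound call from a set, not a transfer
        # The bridged leg is logged as 'LINE = <outgoing trunk> LINE = <other trunk>'.
        bridge = next((r for r in records
                       if r.party_kind == "LINE" and r.line == rec.line
                       and r.date == rec.date and r.elapsed("CALL RELEASED") is not None),
                      None)
        seconds = bridge.elapsed("CALL RELEASED") if bridge else 0
        findings.append({
            "date": rec.date, "start": rec.start, "line": rec.line,
            "station": rec.party, "digits": rec.digits,
            # substring check: the logged strings carry leading digits before 0011
            "international": IDD_PREFIX in rec.digits,
            "bridge_seconds": seconds,
            "status": "connected" if seconds >= connected_after else "attempt",
        })
    return findings


def summarize(findings):
    connected = [f for f in findings if f["status"] == "connected"]
    return {"attempts": len(findings), "connected": len(connected),
            "international": sum(1 for f in findings if f["international"]),
            "connected_seconds": sum(f["bridge_seconds"] for f in connected)}


if __name__ == "__main__":
    found = find_trunk_to_trunk_calls(parse_records(SAMPLE_LOG))
    for f in found:
        print(f"{f['date']} {f['start']} line {f['line']} stn {f['station']} dialed "
              f"{f['digits']} intl={f['international']} {f['bridge_seconds']}s {f['status']}")
    print(summarize(found))
```

Run against a weekend's worth of monitor output, the "attempt" rows with short bridge times are the probes the poster sees after the Outdial Type change, and any "connected" row with international digits is a call that still got through and needs the trunk restrictions telcodog describes.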
 
http://imagebin.org/165761
@telcodog:

After reading through your instructions and finding the equivalent settings in Unified Manager, it seems to me that simply adding an evening filter with an "A" then adding overrides for off premise notifications will do!

Am I correct in making this assumption?

Cheers,
tkb.
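Added example, not from the thread and not BCM configuration syntax: a Python model of how the restriction filter tkb describes above (and telcodog's AAA filter for the VM ports) would decide dial strings, so the "A plus overrides" idea can be checked against the digits from the posted logs before it is keyed into Unified Manager. Assumptions: a restriction is a digit prefix in which "A" matches any single digit, an override is an exception that allows strings beginning with it, the first matching restriction decides, and the notification numbers are placeholders.

```python
WILDCARD = "A"   # in a restriction or override, 'A' stands for any single digit


def pattern_matches(pattern, digits):
    """True when `digits` begins with `pattern` (prefix match, 'A' = any digit)."""
    if len(digits) < len(pattern):
        return False
    return all(p == WILDCARD or p == d for p, d in zip(pattern, digits))


def is_allowed(filter_rules, digits):
    """filter_rules is a list of (restriction, [overrides]).
    Returns (allowed, reason) for a dialed digit string."""
    for restriction, overrides in filter_rules:
        if pattern_matches(restriction, digits):
            for override in overrides:
                if pattern_matches(override, digits):
                    return True, f"override {override} on restriction {restriction}"
            return False, f"restriction {restriction}"
    return True, "no restriction matched"


# Constructed off-premise notification destinations (placeholders, not real numbers).
NOTIFICATION_NUMBERS = ["0011441234", "00111650555"]

# telcodog's filter 20 for the VM ports: 'AAA' denies any digits on any trunk.
VM_PORT_FILTER = [("AAA", [])]
# tkb's evening idea: a single 'A' restriction (deny everything) with the
# notification numbers as overrides.
EVENING_FILTER = [("A", NOTIFICATION_NUMBERS)]
# Business hours: only the listed international destinations may be dialed.
NORMAL_FILTER = [("0011", NOTIFICATION_NUMBERS)]

# Assumed schedule-to-filter assignment for one set.
SCHEDULE = {"Normal": NORMAL_FILTER, "Evening": EVENING_FILTER, "Night": EVENING_FILTER}


def check_dial(period, digits):
    """Apply the filter assigned to the named schedule period."""
    return is_allowed(SCHEDULE[period], digits)


if __name__ == "__main__":
    # Digits lifted from the logs in the thread, plus a constructed local number.
    for period, digits in [("Normal", "93334444"), ("Evening", "93334444"),
                           ("Normal", "0011441234567"), ("Evening", "0011441234567"),
                           ("Normal", "14560011263774932146"),
                           ("Evening", "14560011263774932146")]:
        print(period, digits, *check_dial(period, digits))
    print("VM port", "0011441234567", *is_allowed(VM_PORT_FILTER, "0011441234567"))
```

Two things the model makes visible. The dial strings in the posted logs begin with 1456 before the 0011, so a business-hours filter that restricts only 0011 does not match them in this model while the deny-all evening filter does; whatever digits actually reach the trunk, including any prefix the caller injects, are what the restriction has to cover. And a VM-port filter of AAA with no overrides also blocks the notification numbers, so under telcodog's plan the off-premise notification has to leave from somewhere other than a port carrying that filter, or the notification numbers must be added as overrides to it.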
 
That will do part of it. The problem is that you have to guard against internal parties getting into the system as well. That's why I always remove all the default user accounts, immediately change the nnadmin password, initialize both the system manager and general delivery mailboxes and change their passwords as well. I lock these things down so tight, the customer is lucky they can make external calls. LOL.

In all seriousness though, you can't give these low lifes any chance of getting into the system in the first place. Password control and trunk group access are the first things to lock down. These dirtbags are not stupid. They know exactly how to exploit systems that are lacking in security measures and if you give them half a chance, they'll take it. With most places using auto attendants it's easy for them to call in repeatedly until they find a mailbox they can manipulate.

Good Luck with it.
 
You can also add one more security layer: authorization codes for international calls.
Either implement an internal scheme with the BCM or, in your case, it is easier to ask your LEC to provide you the codes. It is a pain, but all our users eventually coped with it, as long as you explain to them what is going on.

I would also turn off station call forward off-net.
 