
Hacking attempts on MICS/VMail System


mbelanger

Technical User
Mar 17, 2004
17
US
Greetings all,

After 5 years of smooth sailing, we've been the targets of someone trying to abuse our system. Someone has been making calls to Saudi Arabia and the Philippines remotely (yes, because of the destinations, I did notify the FBI). To confirm that we're squarely in their sights, I got a call this morning from "Sheila," a woman with a heavy Asian accent, from "Asian Technologies" asking what our 800 # was. The CLID came from a 213 number and when I called back, it said it wasn't a real number. Despite the pathetic Social Engineering effort, I'm quite concerned.

What I want to know is how they managed to do it.

I assume they're getting in through a weak vmail password and using call forwarding to redirect calls overseas. If I'm wrong, is anyone aware of any security holes in either MICS 4.1 or VMail 4.0? Assuming I'm right, is there a way for me to check all the passwords and call forwarding settings other than manually walking through each account?


Thanks much,
MB
 
The easiest way to see how voicemail is configured to redirect callers is to use the reporting feature in NVM 4.0.
The NVM should have shipped with a documentation CD.
On the CD is an application you may install called Norstar Voicemail Manager.
If you install this you may manage the NVM through the NVM manager software via the default IP address of the NVM, 192.168.110.10.
There is a reporting application there.
You can view the system config and each mailbox individually to see if things are being forwarded.
You can also edit class of service values using this tool to deny OPN and outbound transfer.
 
I would take a good look at your restrictions. I would deny 0 on all filters. That will fix 011 and others like it. Not sure what other codes to deny.
 
Creating a filter will not restrict the mail from completing long distance conference transfers. You MUST edit the COS values using Norstar Voice Mail Manager!
NVM 4.1 has a feature enhancement to allow COS edits through a telephone; however, only NVM manager will generate the required reports to identify this problem QUICKLY.
Norstar Voice Mail Manager is free and will easily identify the mailbox or AA in question if you suspect the mail.
Filters are a good way to deny long distance to internal telephone users.
Also make sure you change all default passwords on the mail and KSU, especially for the system admin mailbox and general delivery. NVM 4.0 also includes a password expiry feature to force a password change every 90 days. This may have been turned off. Use NVM manager to confirm and re-instate this rule if you are being defrauded.
 
I found the NVM Manager and sure enough, someone was getting into someone's VMail account.

Interestingly, I started tracing the other direction too and found out that the "social engineer" called me from an LA telco's line, so it looks like they're jumping through a couple of different systems. Clever bastards, I hope they get them.

Thanks for the advice,
MB
 
FYI

I assume you are using analog lines not PRI.
If you are toll frauding via Norstar you are essentially creating a conference transfer by bridging two lines.
If these lines are analog there is a significant degradation in voice quality so it would not be practical to "hop" through many systems.
This would not be the case if PRI lines are used.
 