
hacking voicemail

Status: Not open for further replies.

azrael2000

Technical User
Jun 10, 2008
982
CA
Hi All.

Need some more ideas, and hopefully someone can help.

A customer says that their voicemail has been hacked (they have an ip office 500 v2 8.1.73).

I checked the voicemail, and no outdialling is allowed anywhere.

I have been logging, but currently don't see any strange logs to weird phone numbers, and am taking a snapshot of ssa.

My attempts to get through the system by hitting their auto attendant, and trying different options gets me nowhere but to the invalid extension.

Checking google for "phreaking ip office" doesn't seem to give me any good information.

Has anyone had this happen and found any good testing that might show me what is happening?

Regards
 
Ask the customer for more information: what symptoms do they see that led them to this conclusion? It is possible that the customer is mistaken or that something other than VM was hacked.
 
VM Pro is normally secure from toll fraud unless they have been programmed in a way that will allow it.

The most common ways that this security can be compromised (I won't say "only", in case someone finds another) are:

1) An AA option to dial by Extn where the DTMF digits are ??? (or however many are needed) with a transfer to $key. The easiest way to reduce the risk is to specify the 1st digit explicitly (2??); adding a short code of 2XX feature Busy will then block any attempt to break out.

2) Routing calls to a Personal Options menu, which will enable the caller to set a divert on an Extn. These actions need a secure password.

More likely is SIP fraud if they have SIP trunks. See Avaya's recent security bulletin for advice on how to secure them.


A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
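An added example (not Avaya's code or anything from the poster) that models the dial-by-extension hole and the 2??/2XX Busy fix described above as a configuration lint. It assumes a simplified matching order (extension numbers first, then short codes), '?' as the AA single-digit wildcard and 'X' as the short-code single-digit wildcard; the extension list is constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class AaOption:
    dtmf: str          # AA DTMF pattern, '?' = any one digit
    transfer_to: str   # '$key' = transfer to whatever the caller keyed

@dataclass
class ShortCode:
    code: str          # short code pattern, 'X' = any one digit
    feature: str       # e.g. 'Busy', 'Dial'

def _to_regex(pattern, wildcard):
    body = "".join(r"\d" if c == wildcard else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")

def resolve(keyed, aa_options, short_codes, extensions):
    """Where a caller ends up after keying digits at the AA.
    Assumed (simplified) order: a real extension wins, then short codes."""
    for opt in aa_options:
        if _to_regex(opt.dtmf, "?").match(keyed):
            target = keyed if opt.transfer_to == "$key" else opt.transfer_to
            if target in extensions:
                return "extension:" + target
            for sc in short_codes:
                if _to_regex(sc.code, "X").match(target):
                    return sc.feature.lower() + ":" + sc.code
            return "unmatched:" + target   # left to whatever else the system does with it
    return "invalid-option"

def audit(aa_options, short_codes, extensions):
    """Findings a maintainer would want before signing off the AA config."""
    findings = []
    for opt in aa_options:
        if opt.transfer_to == "$key" and opt.dtmf.startswith("?"):
            findings.append(f"AA option '{opt.dtmf}' lets the caller choose every digit of the transfer target")
    seen_first_digits = set()
    for ext in sorted(extensions):
        if ext[0] in seen_first_digits:
            continue
        seen_first_digits.add(ext[0])
        covered = any(sc.feature == "Busy" and _to_regex(sc.code, "X").match(ext) for sc in short_codes)
        if not covered:
            findings.append(f"no Busy short code (e.g. {ext[0]}XX) swallows unassigned {ext[0]}xx numbers")
    return findings

EXTENSIONS = {"201", "202", "215"}           # constructed extension list
WEAK_AA = [AaOption("???", "$key")]          # the risky configuration
HARDENED_AA = [AaOption("2??", "$key")]      # first digit pinned
HARDENED_SC = [ShortCode("2XX", "Busy")]     # catches unassigned 2xx numbers
```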
 
Hi there.

Thanks for the responses.

I found out about the toll fraud from a department we have that has software to notify if a "strange calling pattern" starts. The calls that flagged were half way around the world, not something the customer would call.

I did find out a couple of things after speaking with the customer.... sometimes shaking vigorously gets you what you need...

The customer had set themselves up so that they could forward their calls to night service. However, one night for some reason, the night service didn't answer and after so many rings the main hunt group voicemail picked up. Someone might have gone in, set the outcalling on it, and then every time they called the extension, they got to Mars (joke).

I turned all of the unused voicemails off, verified that outcalling was disabled on all of the voicemail boxes, made sure there were no new extensions created, put overseas blocking on calls to 01 / 011 (just in case something INSIDE was trying to get out another way).

Now it is a watch and wait.

Regards
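As an added example of the kind of "strange calling pattern" alerting mentioned above (not the poster's tooling, and not the IP Office SMDR format), this flags international (01/011) calls placed after hours or in bursts from one source. The record layout, the hunt-group voicemail source name and the log lines are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTL_PREFIXES = ("011", "01")      # the prefixes blocked in the post above
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local, constructed policy
BURST_WINDOW = timedelta(minutes=30)
BURST_THRESHOLD = 3

# Constructed records: timestamp,source,dialled number
SAMPLE_LOG = """\
2008-06-09T14:02:11,201,16135551234
2008-06-10T02:14:05,VM-HuntGroup,01151234567890
2008-06-10T02:21:40,VM-HuntGroup,01151234567891
2008-06-10T02:33:09,VM-HuntGroup,01151234567892
2008-06-10T10:05:00,215,0114420712345678
"""

def parse(text):
    records = []
    for line in text.strip().splitlines():
        ts, src, dialled = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dialled))
    return records

def is_international(number):
    return number.startswith(INTL_PREFIXES)

def after_hours(ts):
    return ts.hour not in BUSINESS_HOURS

def analyse(records):
    """Return (rule, source, detail) alerts for international calls that look wrong."""
    alerts = []
    intl_times = defaultdict(list)
    for ts, src, number in sorted(records):
        if not is_international(number):
            continue
        intl_times[src].append(ts)
        if after_hours(ts):
            alerts.append(("after-hours-international", src, number))
    # Burst rule: BURST_THRESHOLD or more international calls from one source within BURST_WINDOW
    for src, times in intl_times.items():
        for t in times:
            recent = [x for x in times if t - BURST_WINDOW <= x <= t]
            if len(recent) >= BURST_THRESHOLD:
                alerts.append(("international-burst", src, f"{len(recent)} calls in {BURST_WINDOW}"))
                break
    return alerts
```

The daytime international call from extension 215 is not flagged on its own; the three night-time calls from the hunt group voicemail trip both rules.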
 
There has been lots of hacking going on, but none has been voicemail related. The hackers either exploit a system on the web and create SIP extns that they dial with or they actually use Manager/Web Manager to forward extns and/or DDIs or they use Phone Manager to initiate calls and then transfer to the desired number.

So check it's not those too; as mentioned, unless you specifically open it up VM Pro will not allow dial through and embedded can't :)

 
Thanks for the response, amriddle.

I didn't see any sip extensions created, or any new extensions of any kind, so I don't think they can get in that way.

But I might put up the firewalls the user had me take down earlier.

Regards
 
Another voicemail "hack" method that I've heard of only requires access to a mailbox and re-recording the greeting. Change it to "Yes I accept the charges"...

Then, make a collect call and charge it to that DID. When they call to verify, and the voicemail says "Yes I accept the charges", your call to wherever you wanted gets billed there.

This is pretty old school though - can you even make a collect call anymore?

New England Communications
 
Collect call is only to the destination that accepted the charge though, not to say Peru and then they call Detroit for permission to charge the call to them, so that hack is crap as you can only talk to a hacked mailbox :)

 
azrael2000, that still leaves Phone Manager/One X, which is a favourite as it leaves no trace; next is Manager, but that leaves an audit trail event :)

 
We've had a couple of incidents recently where someone was able to exploit the WAN port that's exposed to the internet and use the default Operator account to gain access. At that point all they did was to program a user with Unconditional Fwd to an overseas number. We have now begun to delete all unused admin accounts from the IPO and make sure the Administrator account is secure.

 
It is advisable to disable all interfaces and admin users not used as well in the security settings and give all users in manager a secure password and a voicemail code.
Can be a lot of work but it hardens the system ( besides a good firewall ).
 
My office has had 3 customers whose offices have been hacked. They were all behind a FW. 2 of the 3 had SIP trunks. All had default passwords accessible. Remove your default passwords people. It may or may not stop them but don't make it easy for them.

ACSS SME
 
[quote]
We've had a couple of incidents recently where someone was able to exploit the WAN port that's exposed to the internet and use the default Operator account to gain access
[/quote]
Please stop this practice
None of the IP Office network interfaces should ever be exposed directly to the internet, either by direct connection or by forwarding all ports. For simple SIP trunks no port forwarding is required. For one-X Mobile only forward the ports necessary for service and enforce strong passwords on the handsets.

As a simple test: if Manager can see the IPO on a public IP address then you have installed it WRONG.

Back to the original post: you cannot normally set outcalling on VM Pro by accessing the mailbox remotely, so something else must be happening.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
Having just been playing with our in-house system, I may have overlooked Intuity mode.
This does enable users to set outcalling, so all mailboxes should have a secure password.


A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
The most common way into IPO units I have seen is the customer or installer not changing the security settings password from default. If you can get into security login you can change admin logins. I would say 70% do not change this log in info as I see it on out of service equipment all the time. Change all your defaults! Even if it is a simple password it is better than having login info that is readily available for anyone who takes the 5-10 mins to google defaults.
 