Possible Toll Fraud


davea2

Technical User
Mar 14, 2005
GB
Hi
After going around in circles, thought I would ask here for some expert input!
We have a legacy system we have inherited, on R5.
Customer thinks they have been 'hacked' and the call records from the line provider seem to support that.
I am trying to find out if and how.
System does not have default passwords for Manager access, and audit trail shows nothing untoward anyway.
Some extensions (one being a PDQ!) show evidence in User Short Codes of having had diverts on at some point to the international numbers being dialled (Serbian, Bosnian and Israeli).
They do not have a call logger, but do have Delta Server (!) running, which has entries such as

14/06/2014 06:12 00:00:05 7 4852 O 38762333900 38762333900 0 6225 1 E4852 WebStart T9162 Line 5.2 19 0
14/06/2014 06:12 00:47:05 0 O 38762333900 38762333900 0 6225 0 T9164 Line 5.4 T9162 Line 5.2 0 0

They do have VM Pro. The extensions that have had these diverts on show the MB as Never Accessed.
So could anyone shed any light on how the system may have been compromised from the outside? Customer is adamant it is not an 'inside job'
Any help appreciated!!!

Dave

UK Based IP Office Discussion

Twitter twitter.com/davea66
MSN davea123ATlive.co.uk
____________________________________
beauty is in the eye of the beer holder
 
They have used phone manager to forward the phones, the system must have an external/public IP...that's a bad idea, now they know why :)

 
I'm not sure what the "WebStart" means - but is it possible "never accessed" means via telephone, and someone managed to get in to the VMPro web client, log in as the extension with a default/simple password and set up a mailbox redirection?

Anyone off-hand know if the web access to VMPro for users will mark the mailbox as "accessed" - I have a funny feeling it wouldn't and that only relates to dialing in. And are they lazy and expose things to the web without a VPN?
 
I have tried the public IP address of the site, and cannot connect via Phone Manager.
I will ask if they have any other publics that could have been used...

 
You cannot forward a mailbox offsite. They will have entries in their user source numbers I'd wager, this means the handset was forwarded, they use Phone Manager/ the phone manager interface to do this :)

 
If they were using a divert, would the delta server SMDR show an inbound and outbound call with the same Call ID?
The logs for the whole day this happened (a saturday) show only outbound calls...

 
Not if they used phone manager or TAPI, they initiate the call then transfer it to themselves so that's 2 outbound calls :)

 
Got nipped by this one myself once.
Try setting passwords for each user on the User page.
I came up with a strong, yet memorable, password.
Typed it into notepad, then copied it and pasted it into each user.
If you know how to use the config.csv, you can do it even quicker there.

I noticed in the latest release of software you now get an error if you don't set a password here.
 
Dave,

1) Can you connect Monitor and/or Manager from the outside?
If so, shut the doors properly and change all default passwords, that goes for Monitor too.

2) Have a look at the "IP routes", anything opening to the outside? (they might have added 0.0.0.0's, or someone tech did this in the past)

3) Are you sure all "Auto Create Extn" has been disabled? (incl. LAN1/LAN2> SIP Registrar tab)

And the "WebStart" could be OXP


Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 
Thanks for all the input, much appreciated!

For clarity WebStart is just the name of an extension.
I have asked the customer for a list of external addresses so I can probe the firewall.

Cheers

Dave



 
Hmmm

I cannot connect from the outside with Phone manager, Manager or Monitor.
Auto Create Extension is off on LAN1 and LAN2 (and additionally, the fraud seems to have come from a legit extension - the one called WebStart).
No evidence in the Audit Trail of unauthorised programming.

Most of the users are DECT phones though....

I am at a loss as to how they could have been compromised! Inside job???


Dave


 
One option is the user setting their divert from the handset (*07*N#).

Is it always the same destination throughout the night or does it change?

If the fraud is going to different destinations in the same OOH period then it is probably not the user.

It could possibly be being hacked through the VM.

Are you running in Intuity mode or IP Office mode? Do you have any "Personal Options Menu" actions in the CFG?

& if you have a "Dial extn number now" type option on your AA, how have you set the destination in the transfer action? This can easily be used for fraud if not correctly configured.

Capturing a System Status log & replaying a suspect call may be useful.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
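Worked example, added here and not code from the thread or from Avaya: a small Python triage over the SMDR records that Delta Server writes. It serves two passages in the thread: the earlier reply that a Phone Manager/TAPI divert shows up as two outbound legs with the same Call ID (the post's call 6225, where the second leg is line-to-line), and the question just above about whether the out-of-hours destination stays the same or changes. It groups legs by Call ID and flags international destinations, out-of-hours start times, continuation legs and a trunk-to-trunk leg, then lists the distinct destinations per out-of-hours day. Assumptions: the standard comma-separated IP Office SMDR column order (Call Start through Park Time), device prefixes E = extension and T = trunk as seen in the post, the country-code table and the 08:00-18:00 Monday-Friday office hours. The first two sample records are the post's call 6225 rebuilt as CSV; the other three records are constructed controls.

```python
"""Toll-fraud triage over Avaya IP Office SMDR records (such as Delta Server writes).

Added example, not code from the thread or from Avaya. Assumes the standard
comma-separated IP Office SMDR layout; the field names below reflect the usual
column order (Call Start ... Park Time) and are an assumption.
Device prefixes: E = extension, T = trunk/line (as seen in the post's records).
"""
from collections import defaultdict
from datetime import datetime

FIELDS = ["start", "duration", "ring", "caller", "direction", "called",
          "dialled", "account", "internal", "call_id", "continuation",
          "p1_dev", "p1_name", "p2_dev", "p2_name", "hold", "park"]

# Constructed sample: the first two records are the post's call 6225 rebuilt
# as CSV; call 6226 (a second out-of-hours international call) and call 6301
# (a weekday domestic call from the same extension) are invented controls.
SAMPLE_SMDR = """\
14/06/2014 06:12,00:00:05,7,4852,O,38762333900,38762333900,,0,6225,1,E4852,WebStart,T9162,Line 5.2,19,0
14/06/2014 06:12,00:47:05,0,,O,38762333900,38762333900,,0,6225,0,T9164,Line 5.4,T9162,Line 5.2,0,0
14/06/2014 06:58,00:00:04,5,4852,O,38163555010,38163555010,,0,6226,1,E4852,WebStart,T9162,Line 5.2,12,0
14/06/2014 06:58,00:31:40,0,,O,38163555010,38163555010,,0,6226,0,T9164,Line 5.4,T9162,Line 5.2,0,0
16/06/2014 10:15,00:03:12,4,4852,O,02079460000,02079460000,,0,6301,0,E4852,WebStart,T9162,Line 5.2,0,0
"""

# Country codes of the destinations named in the post; extend as needed.
COUNTRY_CODES = {"381": "Serbia", "387": "Bosnia and Herzegovina", "972": "Israel"}
BUSINESS_HOURS = range(8, 18)  # assumed Mon-Fri office hours for the site


def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_smdr(text):
    """Parse CSV SMDR lines into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["start"] = datetime.strptime(rec["start"], "%d/%m/%Y %H:%M")
        rec["duration_s"] = to_seconds(rec["duration"])
        records.append(rec)
    return records


def classify_destination(number):
    """'national' for UK 0... numbers, a country name for a known code, otherwise a
    generic international label. The post's records carry the international number
    without the 00 prefix, so that form is accepted as well."""
    n = number.lstrip("+")
    if n.startswith("00"):
        n = n[2:]
    elif n.startswith("0"):
        return "national"
    if len(n) < 7:
        return "short"
    for code, name in COUNTRY_CODES.items():
        if n.startswith(code):
            return name
    return "international (unlisted code)"


def is_out_of_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def triage(records):
    """Group outbound external legs by Call ID and flag the indicators discussed in
    the thread: international destination, out-of-hours start, a continuation leg,
    and a trunk-to-trunk leg (the call bridged back out on a second line, which is
    what a divert/transfer made from Phone Manager or TAPI leaves in the SMDR)."""
    by_call = defaultdict(list)
    for r in records:
        if r["direction"] == "O" and r["internal"] == "0":
            by_call[r["call_id"]].append(r)
    findings = {}
    for call_id, legs in by_call.items():
        first = legs[0]
        flags = []
        dest = classify_destination(first["called"])
        if dest not in ("national", "short"):
            flags.append("international:" + dest)
        if is_out_of_hours(first["start"]):
            flags.append("out_of_hours")
        if any(l["p1_dev"].startswith("T") and l["p2_dev"].startswith("T") for l in legs):
            flags.append("trunk_to_trunk")
        if len(legs) > 1 and first["continuation"] == "1":
            flags.append("multi_leg")
        if flags:
            ext = next((l["p1_name"] for l in legs if l["p1_dev"].startswith("E")), "unknown")
            findings[call_id] = {"extension": ext, "destination": first["called"],
                                 "flags": flags,
                                 "total_seconds": sum(l["duration_s"] for l in legs)}
    return findings


def destinations_per_window(records):
    """Distinct out-of-hours destinations per calendar day: one number all night
    points at a user-set divert, several different numbers at a compromised system."""
    windows = defaultdict(set)
    for r in records:
        if r["direction"] == "O" and r["internal"] == "0" and is_out_of_hours(r["start"]):
            windows[r["start"].date().isoformat()].add(r["called"])
    return {day: sorted(nums) for day, nums in windows.items()}


if __name__ == "__main__":
    recs = parse_smdr(SAMPLE_SMDR)
    for cid, finding in sorted(triage(recs).items()):
        print(cid, finding)
    print(destinations_per_window(recs))
```

Run it against a real Delta Server export by replacing SAMPLE_SMDR with the file contents; the Hold Time of 19 seconds on the first leg of call 6225, followed by a 47-minute leg between Line 5.4 and Line 5.2 under the same Call ID, is the transfer pattern the earlier reply describes, and the per-day destination list answers the "same number or changing" question directly from the records.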
 