toll fraud.. how'd they do it?

[jsaad]

Customer has old R1T1 Mics with Flash 2. It was hacked. I added toll restriction filter to Flash 2 voicemail port with restriction to be * (all calls blocked, No overrides, for night mode and modes 2 -6 etc). To test and verify, I put that filter on an office phone and cannot make any calls. Admin mailbox password was changed to something hard. Somehow caller still gets into that mailbox and still is able to setup outbound notification to 10 11 159 + 1 XXX XXX XXXX US number. VM port was 324 and B2 was 388 but I cannot apply the filter to that. Had I made a mistake in my setup allowing calls out?

As an added layer I made a filter for the trunks to block 10 1X XXX dial around so I am hopeful.

 

[curlycord]

Voicemail does not pay attention to "set" restrictions so using "line" filters was the correct method.
You can test it when your on site by setting up a test mailbox and use your mobile as the notification destination, then by leaving a message and watch to see when it dials out, the line should be grabbed then dropped right away based on the line restriction.

For toll fraud I use:
Filter 10 for lines
*72 (carriers forward feature)
10
0 (if the client is sure they never make oversea calls)

For all others such as 976, 411 etc I use "Set" Filters

I did a FAQ on this here for more.

So somebody setup a mailbox to call a 10XX number but what could possibly happen except to be charged for a 1010 service?
What does the hacker have to gain?
I wonder if it's the hacker that actually owns the particular 1010 service then hacks mailboxes to call it so they get paid?

As for how they are hacking the good password, that is something new.
Looks like COS on a Flashtalk does not offer mailbox lockout after X amount of attempts.

If you are not worried about internal users then it is best to leave the admin mailbox (assuming you meant "system manager" such as 12 or 102) at the default 0000 since they cannot access it from outside with that password.

Make sure the mailbox uses COS 5 to disable Off Prem Notify.

Use MBOX, CHG , DIR and go through all mailboxes and set to COS 5 if need be.
Hidden mailboxes:
Unfortunately on the Flashtalk you cannot view mailboxes under CHG/DIR if the mailbox is set to Directory: No
The same might be for Callpilot in telset but web browser will show all mailboxes regardless.
So take some time and MBOX/CHG and try every DN you can.
If there is none listed in the DIR then at the Admin (Mbox AA Other) press 4 and look to see if directory is set to Yes.

=----(((((((((()----=

http://www.curlycord.com

Toronto, Canada

Add me to LinkedIN

 

[jsaad]

Thank you. My guess is customer changed admin mailbox password to 1234 which allowed hacker access. Otherwise i don't see how they could have gotten in the mailbox.

 

[Qzwsa]

Way way WAAAAYYYYY back I used to carry around an old laptop that ran Win3.1 and had a trackball embedded where the touch pad is on current hardware. The only thing I used it for was a serial connection to Flash VMs as I wasn't experienced enough to be assigned a proper laptop to work on our BCM customers.

All that to say that there is a way through a hyperterm/putty connection to pull a list of mailboxes, even those not in the directory or uninitialized, from a Flash. I can't remember how, but you can and a Google search might give you the commands to do it.

- Qz