Toll Fraud. Please Help.

Status
Not open for further replies.

EGT

Vendor
Aug 16, 2002
US
I have a client whose system has been compromised to the tune of $50K in one month in international calls. We have checked all the obvious places like DISA and outbound voicemail transfers and have not been able to find the breach. Any input, no matter how obvious, would be appreciated.
 
1. search the forum
2. change all the passwords to complex ones
3. stop all the ways to get out of the system
4. if you don't need international calls, stop them completely with the CO
 
Put a restriction filter on the VM DN's.
 
If you cannot find where it is happening, and it is costing 50K a month, an SMDR setup should be a small price. Maybe it will show what is going on.
 
Some hackers are brave enough to call into the company's office and state they are with the phone company testing lines and ask to be transferred to extension 90. On a PRI system this will give the outside caller an outside operator to dial anywhere. Train the staff not to transfer anyone to a number starting with a 9.
 
HAWKS, you can put restrictions on the b2 channels of the DN by the way.

EGT, you need to put restrictions on the lines themselves. Do not allow 0 and any and 1900/1800/1877/and any other long distance numbers. If you do need to dial international, override 1 number only or the numbers they need to dial. I would actually restrict 0 for the operator.

Turn off all remote access to the system.

And finally, just cancel international from the telco for the time being.
 
Didn't know you needed to restrict the B2 channels. I thought by restricting the B1 it would take care of it, but hey, better safe than sorry. Thanks.
 
Sorry, reread my post... you cannot put restrictions on a B2 channel. Norstar systems don't recognize those DNs as valid DNs.

No problem hawks.
 
We had this thread before... You can't restrict B2 channels. Filters apply only to B1's. Therefore restricting Voice mail DN will not completely block LD calls. Get an SMDR going and find out who and how the system is being compromised.
 
This fraud is coming from outside your office. They are hacking your voice mail auto attendant. There is a piece of equipment on the internet that allows hackers to access Nortel equipment, probably made by an ex-employee of Nortel. They program from your auto attendant; they use the default password. You must restrict the VM DNs, only way to keep them out. I already went through this.
 
phonebuster, again, you can't restrict the B2 channels of the voicemail DN. You have to restrict the lines themselves.
 
Would setting up account codes on the CO/TELCO side of things pose a solution?
 
Yup.... the account code should only allow the call once the code has been entered. But I believe it would be costly for the telco to do this. Don't know for sure.
 
I work for a CLEC out in Canada. We do it all the time for our customers. Not sure of price but it must be pretty respectable. It could have possibly saved 50K for the above company... who knows.
 
This happened to us. The vmail boxes were breached from the outside. The ones that were breached had easy passwd - 1234. The violator accessed the admin functions of the mailbox and set up calls to transfer to the international operator. The mboxes were initially set up so that the outdial was set to a pool rather than None. This allows one to redirect calls to an external number when a call hits the mbox. Setting to None (F983, Change MBox, last feature change) should remove this ability, but there is a feature that is normally inaccessible to regular system programming that our vendor turned off to secure system (sorry, do not know what it is). Also, I would follow the advice of others and set up restriction filters with '011' '1011' as well as the various Caribbean country codes that do not require the above prefix.
 
Even if you had restricted the voicemail ports and removed outdial capabilities, there is still a way hackers can dial through a Norstar system. If you have a MICS 5.0 or greater, AND the destination code length matches the system DN length, a caller can reach the Automated Attendant and dial a destination code and access an outside line. Make sure that destination codes and DN lengths are different.
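
The SMDR review and the '011' / '1011' prefix filters suggested in this thread can be combined into a quick triage of call records. The following is an added example, not code from any poster or from Nortel; the CSV layout, the sample records, the business-hours window and the partial Caribbean area-code list are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records. The layout (start time, originating DN, line,
# dialed digits as sent to the line, duration in seconds) is an assumption,
# not the SMDR output format of any particular system.
SAMPLE_SMDR = """\
2002-08-10 02:14,225,Line001,01144207946000,3540
2002-08-10 02:16,225,Line002,10110115355501000,2810
2002-08-10 09:30,231,Line001,5551234,95
2002-08-10 23:51,226,Line003,18095550100,4120
2002-08-11 10:05,240,Line002,18005550199,300
"""

INTL_PREFIXES = ("011", "1011")   # prefixes named in the thread
# Partial list of Caribbean NANP area codes, dialed as 1+NPA with no 011 prefix.
CARIBBEAN_NPAS = {"242", "246", "473", "809", "868", "876"}
BUSINESS_HOURS = range(7, 19)     # assumed 07:00-18:59 local time

def classify(dialed):
    """Return why a dialed number deserves review, or None if it does not."""
    if dialed.startswith(INTL_PREFIXES):
        return "international prefix"
    if len(dialed) == 11 and dialed[0] == "1" and dialed[1:4] in CARIBBEAN_NPAS:
        return "Caribbean NANP code"
    return None

def suspicious_calls(smdr_text):
    """Per originating DN: flagged call count, total seconds, after-hours count."""
    summary = defaultdict(
        lambda: {"calls": 0, "seconds": 0, "after_hours": 0, "reasons": set()})
    for start, dn, _line, dialed, secs in csv.reader(io.StringIO(smdr_text)):
        reason = classify(dialed)
        if reason is None:
            continue
        entry = summary[dn]
        entry["calls"] += 1
        entry["seconds"] += int(secs)
        entry["reasons"].add(reason)
        hour = int(start.split()[1].split(":")[0])
        if hour not in BUSINESS_HOURS:
            entry["after_hours"] += 1
    return dict(summary)

if __name__ == "__main__":
    ranked = sorted(suspicious_calls(SAMPLE_SMDR).items(),
                    key=lambda kv: -kv[1]["seconds"])
    for dn, e in ranked:
        print(dn, e["calls"], e["seconds"], e["after_hours"], sorted(e["reasons"]))
```

DNs that top this list and belong to voicemail ports or unattended sets are the first places to check mailbox passwords and outdial settings.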
 