Swami Tech Talk Series
This post is provided by Kris Wendt, Unified Communications Engineer
Many people and companies are unaware of Toll Fraud, which is also known as telecommunications fraud. Most don’t even realize how easily they can be taken advantage of, ultimately costing them money.
According to AT&T, “Attackers target businesses in an attempt to compromise customers' phone systems, voicemail, or equipment. Business customers whose equipment has been compromised could potentially have thousands of dollars in fraudulent calls charged to their account within a short period of time.” *
Why does toll fraud occur?
There can be many reasons attackers want to compromise your system. Many are simply looking for a way to call international or long distance numbers at no cost to them. In more extreme cases, attackers will use your system to carry out a scam or for telemarketing purposes.
Depending on the severity of the attack, a company may never even know it happened, simply adding to the billions of dollars a year lost to this type of fraudulent activity.
Keep in mind that your telecom provider is generally not held responsible for these attacks, and may take the stance that it is the responsibility of the customer (you) to ensure that your system is properly configured to protect against fraud. We will list preventative measures later in this article.
How does toll fraud occur for Mitel MiVoice Connect users?
Two of the easiest targets for fraud on the MiVoice Connect System are voicemail and conferencing. Depending on their configuration, both of these systems can be used to dial an outbound number of the attacker's choosing to establish a connection.
Here are some examples.
Voicemail Attack:
This sort of attack is all about gaining access to someone else’s voicemail.
An attacker will call a person’s voicemail box in an attempt to guess or test their password. If the attacker gains access to the voicemail, they will have the ability to listen to voicemails, change the password, and access other management functions for this box.
If the voicemail box is allowed the ability to call back a caller, then the attacker can use this feature as a way to dial the number that left the voicemail (whether the caller ID was valid or spoofed).
For example, a caller leaves a voicemail on this system and shares the mailbox details with another person. Anyone with this voicemail password can then call into the voicemail, check the message and request a call back to the number that left the message.
This will connect the two parties indirectly through the voicemail system, and any applicable charges to dial the outbound number would now belong to the Mitel MiVoice customer. The person leaving the message and requesting the call back may not even realize what is going on.
Conference Bridge Attack:
This attack usually takes advantage of easily guessed or previously used active conference bridge IDs that can be used to connect multiple parties into a conference.
In some cases, if the attacker also has access to the web portal associated with the conference, they may also have the ability to have the system call them back at the number of their choosing.
This is usually the costliest type of conference attack, as it involves outbound calls from the system. For example, an attacker can have the bridge call them back and also have the bridge call an international number.
The two (or more) parties will be conferenced together, once again, at the expense of the MiVoice customer. The cost of this attack can quickly add up if the conference URL is shared or several multiple-party conferences are initiated.
How to prevent toll fraud as a Mitel MiVoice user
Now that you are aware of toll fraud, prevention can be the best course of action.
Most of the following recommendations will help prevent fraud for any telecommunications system, but for the purpose of this blog, we will be specifically focusing on the Mitel MiVoice Connect system.
Here are several recommendations to help protect your phone system from unwanted access:
- Remind users not to write down passwords where other people have the opportunity to see them. Ex. Do not leave PC or voicemail passwords written on a Post-it.
- Encourage or force users to use strong voicemail passwords that do not match the extension and do not have repeated digits or sequential numbers. Ex. 1234, 4321, 1111, 7777.
- Encourage or force users to change their voicemail and client passwords frequently (at least every 90 days).
- Encourage or force users not to repeat previously used passwords.
- Delete users from the system as soon as they no longer require access. Do not leave old accounts active, especially without changing the passwords.
- Do not use the default passwords for voicemail, client, and other administrative features on the MiVoice system.
- Make sure Trunk Groups are properly configured to allow only the dialing that is needed (Local, Long Distance, 911, International, 411, & Operator calls). Many companies no longer need to pay to dial 411 and operator calls, since phone numbers can be looked up on the internet.
- Turn off or limit user access to the Voicemail system call back feature within the MiVoice Voicemail Class of Service groups.
- If Voicemail callback is never used, remove or restrict the outbound Trunk Groups the voicemail and conferencing systems use from within their User Groups.
- Completely disable the ability for a web conference user to request a call back, or limit it to when a conference host is present.
- Encourage users not to leave unneeded conference bridge IDs active.
- Remove the ability for conference hosts to modify the participant and host IDs. This will eliminate easily guessed IDs like 7777 and 1234.
- Review phone bills for unusual activity. Ex. Calls after hours, an unusual amount of long-distance or international calls, a large volume of calls to the same number.
- Review Mitel call reports for unusual activity.
- Encourage users to alert administrators if they notice an unusual amount of wrong numbers or otherwise invalid voicemails.
- Set Mitel Event ID email notifications to monitor improperly entered voicemail passwords.
- Talk with your Telecom providers about available fraud monitoring tools they have to offer.
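To make the bill and call report review above concrete, here is an added example (not code from the original post or from Mitel) that scans a constructed set of call detail records for the three indicators listed: after-hours calls, international calls, and a large volume of calls to the same number. The CDR line format, the business hours window, and the "011" international prefix are assumptions for this example.

```python
"""Flag toll-fraud indicators in constructed call detail record (CDR) lines."""
from collections import Counter
from datetime import datetime

# Constructed sample CDR lines (not real data): timestamp, extension, dialed number, seconds.
SAMPLE_CDR = """\
2024-03-04 09:15:02,1207,14155550123,180
2024-03-04 13:42:10,1207,14155550123,60
2024-03-05 02:13:44,1301,011442079460999,1450
2024-03-05 02:20:01,1301,011442079460999,1320
2024-03-05 02:33:09,1301,011442079460999,1600
2024-03-05 03:05:55,1301,011442079460999,900
2024-03-05 10:00:00,1118,18005550100,30
"""

BUSINESS_HOURS = (7, 19)  # assumed local business window: 07:00 up to 19:00
INTL_PREFIX = "011"       # assumed North American international dialing prefix
REPEAT_THRESHOLD = 3      # calls to the same number that warrant a closer look


def parse_cdr(text):
    """Parse the assumed comma-separated CDR format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, seconds = line.split(",")
        records.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext, "number": number, "seconds": int(seconds)})
    return records


def review_cdr(records, hours=BUSINESS_HOURS, repeat=REPEAT_THRESHOLD):
    """Return (extension, number, reasons) for every record that trips an indicator."""
    findings = []
    counts = Counter(r["number"] for r in records)
    for r in records:
        reasons = []
        if not hours[0] <= r["when"].hour < hours[1]:
            reasons.append("after-hours")
        if r["number"].startswith(INTL_PREFIX):
            reasons.append("international")
        if counts[r["number"]] >= repeat:
            reasons.append(f"repeat destination x{counts[r['number']]}")
        if reasons:
            findings.append((r["ext"], r["number"], reasons))
    return findings


if __name__ == "__main__":
    for ext, number, reasons in review_cdr(parse_cdr(SAMPLE_CDR)):
        print(f"ext {ext} -> {number}: {', '.join(reasons)}")
```

Each flagged line names the extension, so the next step is checking that mailbox's password history and Class of Service settings rather than only the bill.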
If you are currently a MiVoice customer and are looking for a Mitel partner to help you with any questions or want to have your configuration reviewed to prevent such activity on your system, please contact us at 877-328-7767 or contact us online.
*https://www.att.com/att/fraud/en/