I will use parts of the original article published in The New York Times to describe this security issue.
Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time.
“I thought: ‘This is crazy. It must be a mistake,’ ” Mr. Foreman said.
It wasn’t. Hackers had broken into the phone network of the company, Foreman Seeley Fountain Architecture, and routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives. It would have taken 34 years for the firm to run up those charges legitimately, based on its typical phone bill.
This is the scheme as described in the article:
The scheme works this way, telecommunications fraud experts say: Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut. The payout to the lessees can be as high as 24 cents for every minute spent on the phone.
Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes’ worth of phone calls a minute to the pay line. The hacker gets a cut of the charges, typically delivered through a Western Union, MoneyGram or wire transfer.
How can hackers break into a phone system?
It is not that difficult if the box allows guest calls and does not reject every failed registration attempt in the same way. That behaviour is what lets an attacker discover which extensions are active in the system.
Test extensions such as 1000 are often left in the system with their default settings, which makes the system's routes no harder to abuse.
Some companies install Asterisk exactly as the web tutorial shows, with the guest option left on and live routing and trunking in the same context. Imagine a guest in the default context calling international routes in several simultaneous instances.
Another method is to break into the system over telnet. Some billing applications and dialers use the Asterisk Manager Interface (AMI) to perform the actions their operation requires. These accounts may use default logins and passwords, be reachable from outside, and lack proper deny/permit configuration. The door is then wide open and nothing stands between the attacker and the Originate action issued over telnet. This can happen without anyone noticing, but the trace stays in the logs.
Good practices for keeping an Asterisk box secure are:
1. Device naming.
2. Separating users from extensions and extensions from devices.
3. Not mixing inbound, outbound and internal routing and contexts.
4. Secure passwords.
5. Careful use of the insecure parameter.
6. Limiting dialplan.
7. Limiting daily usage.
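The list above in configuration form, as an added example that is not from the original post or from the Asterisk project: hardened sip.conf, extensions.conf and manager.conf fragments, with the weak setting each line replaces noted in a comment. The trunk host, address ranges, the billing account name, the placeholder secrets and the North American dial patterns are assumptions.

```ini
;; --- sip.conf (hardened; the weak setting each line replaces is noted) ---
[general]
allowguest=no             ; weak: allowguest=yes lets unauthenticated callers into the default context
alwaysauthreject=yes      ; weak: "no" answers existing and unknown extensions differently (extension discovery)
context=from-trunk        ; default context for unauthenticated traffic: inbound handling only, no trunk access

[trunk]                   ; the provider trunk (host name is an assumption)
type=peer
host=sip.provider.example
context=from-trunk        ; calls FROM the trunk land here, never in an outbound context

[1000]                    ; weak: a test extension left with the tutorial's default or empty secret
type=friend
host=dynamic
secret=CHANGE_ME_long_random_secret
context=outbound-national ; phones get national dialling by default; international is opt-in per device
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0 ; register only from the office LAN (assumed range)
call-limit=2              ; one phone cannot hold hundreds of simultaneous calls
;insecure=port,invite     ; weak: skips authentication; only for a trusted trunk that cannot authenticate

;; --- extensions.conf ---
[internal]
exten => _1XXX,1,Dial(SIP/${EXTEN},20)
 same => n,Hangup()
[from-trunk]              ; inbound only: can reach extensions, cannot dial out
include => internal
[outbound-national]
include => internal
exten => _NXXNXXXXXX,1,Dial(SIP/trunk/${EXTEN},60)

[outbound-international]  ; only devices explicitly placed in this context can dial abroad
include => outbound-national
exten => _011X.,1,GotoIfTime(08:00-18:00,mon-fri,*,*?dial) ; refuse night and weekend calls
 same => n,Hangup()
 same => n(dial),Dial(SIP/trunk/${EXTEN},60)

;; --- manager.conf (AMI) ---
[general]
enabled=yes
bindaddr=127.0.0.1        ; weak: 0.0.0.0 exposes the AMI port to the network

[billing]                 ; the billing/dialer account (name is an assumption)
secret=CHANGE_ME_long_random_secret
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255 ; only the billing host may connect
read=call,cdr
write=originate           ; only the action the application actually needs
```

The time-of-day check is one simple way to limit usage to business hours; a per-day minute cap needs call accounting outside the dialplan.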
Asterisk Consulting provides security audits of Asterisk and Vicidial systems. If you wish to be informed about the security of your Asterisk PBX or Vicidial call center, please contact us.
Original article: http://www.nytimes.com/2014/10/20/technology/dial-and-redial-phone-hackers-stealing-billions-.html?_r=0