Preventing PBX Fraud - basic steps to help secure your PBX

David Morrow

prevention will always be cheaper than cure


Contents

1 About the Guide

2 What you need to know

3 What you need to Do

4 If you think you’re a Victim


1 About the Guide

Data held by Action Fraud shows that PBX fraud is the most commonly reported form of cybercrime. Recent reports suggest that criminals are now targeting organisations that may be less aware of the risks, particularly charities and schools, so this guide has been published to raise awareness and provide a resource to help protect them and other vulnerable users.

2 What you need to know

2.1 PBX Background

PBX is a telecoms industry term for a switchboard; it’s an abbreviation for Private Branch Exchange and is often used interchangeably with PABX (Private Automatic Branch Exchange).

Switchboards were originally large pieces of manually operated equipment where operators would physically connect calls by plugging in leads to complete the circuits between callers.

Over time, the equipment reduced in size and cost, and where PBXs were previously only found in large organisations they are now common. Not only have they reduced in size, they are now predominantly software based, giving rise to the term ‘soft PBX’. PBXs can provide a wide variety of features including:

• Direct Inward System Access (DISA)

• Voicemail

• Remote system management

• Interactive Voice Response (IVR) systems – e.g. “Press 1 for Sales”, etc.

• Call forwarding.

PBXs initially supported circuit switched traffic, but modern PBXs support multiple technologies, e.g. circuit switched, packet, VoIP, etc. A modern PBX is essentially a computer and it’s connected to the internet; it’s vulnerable to hacking in the same way as any other computer and it’s also vulnerable to any weaknesses in the connecting technologies.


2.2 How does PBX Fraud work?

In the past, international telecoms services were an expensive commodity and access to free calls was a real commercial opportunity. Most PBXs were supplied by large manufacturers and so hackers used ‘war diallers’ (which dialled through number ranges sequentially) to identify PBXs and try the manufacturer’s default access codes. Hacked PBXs were commonly used for international call selling, for illegally boosting premium rate revenue or to anonymise hacking activity. As the retail cost of telecoms services reduced and telecoms managers became better at countering security risks, the incidence of PBX fraud was reduced, although it never disappeared. Now that PBXs have become more affordable and available to organisations without the knowledge or experience of telecoms fraud, the fraud losses have been climbing.

Fraud occurs where fraudsters obtain unauthorised access to a PBX and use it to make calls for which the PBX owner will be charged. Fraudsters generally make money from PBX fraud in one of two ways:

1. Re-selling international calls made through the PBX

2. Generating calls to revenue share numbers, including Premium Rate Services, in order to collect a share of the revenue.

The fraudulent PBX traffic is typically generated at night and/or over a weekend or holiday period when there is little or no system supervision. Sometimes the attack is detected and blocked by the communication service provider, but victims may remain unaware of the fraud until they receive an invoice for excessive unauthorised call traffic.

2.3 Who owns the Risk?

This can be complicated. Is the PBX owned or leased? Is there an installation/maintenance contract? Do you have more than one communication service provider? Is it a managed service? If so, does this include fraud prevention/detection? Is someone in your organisation responsible for PBX security (and has anybody told them)?

2.4 Methods of Attack

Social Engineering – this is the process of obtaining information or privileges under false pretences to commit fraud. PBX hackers might call a number within a company and make an excuse to get transferred back to the operator. On doing so, the operator sees the call as an internal call and may be persuaded to give help with dialling an international number. Alternatively, employees may be persuaded to give out access codes and PINs, perhaps by a PBX hacker masquerading as a telecommunications engineer. This information will help the hacker to access the PBX.

DISA (Direct Inward Service Access) - this is a feature which allows employees working away from the office to make calls via their company’s PBX as if they were in the office. Hackers can take advantage of this feature to make calls to international or premium rate numbers. Massive frauds are possible in a very short time.


Voicemail - PBX hackers may be able to obtain access to the voicemail system and gain administrator privileges. This will enable them to take control of the system, make high-cost illicit calls, re-record welcome messages and lock out legitimate users.

System maintenance and administration ports – these ports enable engineers to configure the equipment. This may be remotely or on site via a dedicated terminal or console. Most systems have logical access barriers in the form of a password, PIN, dial back or a combination of these. If the PBX hacker can gain access he may configure the system to provide international lines, seize control of the system or even make the system unusable (e.g. a denial-of-service (DoS) attack).

Call forwarding/divert - this is the ability to forward calls to another location (e.g. home or mobile) when the extension user is absent. PBX hackers, having re-configured the system via the maintenance port, can now set up call diverts and/or conference calls remotely. Alternatively, corrupt staff members, contractors or even cleaners could divert an extension (usually in the evening or over a weekend or holiday period) to an international or premium rate number. The extension number can then be sold onwards or exploited directly in a revenue fraud.

Automated attendant - as with voicemail systems, it may be possible to dial a prefix to obtain an outside line, e.g. PBX hackers dial into an automated attendant service, simply dial 9 for an outside line and can then call externally, including international numbers.

IP-PBX attacks – these use scanning software to attack the SIP port of the IP-PBX (port 5060). A UDP flooder is used to destabilise the PBX in a denial-of-service (DoS) attack which overloads the IP-PBX and allows hackers to take control.

Those of you familiar with current communication options may regard some of these services as unnecessary and old-fashioned. That doesn’t mean they’re not provisioned in your PBX and potentially available for exploitation – has anyone looked?

2.5 How Big is the Problem?

According to the CFCA 2015 Telecoms Crime Survey, telecoms fraud costs US$38 billion every year; PBX hacking, at 21%, is the biggest problem. The UK fraud recorded by Action Fraud is summarised below:


Action Fraud records an average annual loss of £4.4 million and losses of £14.8 million since January 2013; however, industry sources suggest this has been significantly under-reported.

Most of the victims are in London, and most are companies. However, there have also been several reports from schools, charities and public sector organisations which have fallen victim. It’s possible these organisations are being targeted because fraudsters regard them as more vulnerable, but there is currently insufficient data to confirm any trends.

3 What you need to Do

3.1 4 Basic Steps

1. Since the PBX is now effectively a computer, it makes sense to protect it in the same way as any other important IT equipment, e.g.:

• Physical security

• Account management

• Password protection

• Secure remote access, etc.

2. Additional countermeasures are described below; however, in practice the most effective measure is to appoint an overall ‘owner’ who has ultimate security responsibility for the PBX system. This is particularly important when responsibility may be unclear, e.g. who is responsible for fraud prevention when the PBX is not owned but leased, the maintenance is provided by a third party and connectivity is supplied via several different communication service providers? Experience has shown that in the event of a fraud each expects the other to be responsible.

3. Next, disable functionality that is not required and lock down access to ensure those services cannot be re-enabled without system owner authority. If you can’t do this yourself, use someone with IT Security skills.

4. Finally, monitor PBX traffic and ensure a timely response to alarms or unusual behaviour.

3.2 Prevention in more detail

System Architecture – check the system to establish whether the administrative functions are connected to the PBX on dedicated ports or by the same ports which carry voice and data traffic. The system vulnerability can be reduced by configuring the system to restrict admin functions to dedicated ports.

Nobody is immune. When Scotland Yard’s switchboard was compromised, the bill was £620,000.


Hardware – implement adequate physical security to prevent unauthorised access, e.g.:

• prevent unauthorised access to telephone cabinets and PBX facilities. Whenever possible, the PBX should be kept in a locked room with restricted access

• critical hardware components should be locked with anti-tamper devices

• conduct periodic integrity checks on critical components.

Maintenance – maintenance procedures are among the most commonly exploited functions in networked systems, and PBX maintenance frequently requires the involvement of outside personnel. In order to minimise vulnerabilities of maintenance features:

• ensure that remote maintenance access is blocked by default and can only be obtained by requesting local staff to enable the remote maintenance ports

• install strong two-factor authentication on remote maintenance ports - smart-card based systems or one-time password tokens make it much more difficult for attackers to breach your system’s security

• keep maintenance terminals in a locked, restricted area

• turn off maintenance features when not needed.

Administration – as previously stated, there should be an overall ‘owner’ who has ultimate security responsibility for the PBX system; in large organisations, this owner should be supported by system administrators who are responsible for PBX features and users on his/her site. Additional controls include:

• admin systems should be password protected and the session should be locked out after a specified number of failed attempts. The system should time out after a specified period of inactivity

• obtain a specific liaison person at the PBX supplier to consult on security issues

• publish a company phone policy which is communicated to all staff

• unassigned extensions or direct lines should be disconnected. Periodic reviews should be used to identify and disconnect unused lines; unused Freefone numbers should be terminated

• operate a procedure to remove individual staff functionality when they leave the company. Change the admin passwords when administrators change

• restrict the call forward facility, e.g. limit to 6 digits so that calls can only be forwarded to other internal numbers.

• if DISA (Direct Inward Service Access/Dial In System Access, etc.) cannot be disabled for business reasons, users should be required to enter a personal authorisation code in addition to the code required to obtain an outside line. The PBX supplier should be available to provide support on the various features to be enabled, disabled or restricted.

• eliminate the possibility of accessing an outside line by dialling into Automated Attendant or Voice Messaging services - there should be no method of accessing dial tone by dialling into your PBX

• specify the minimum features/facilities required by a standard user and only provide these services. Additional facilities should be requested in writing and approved by an appropriate manager.


• voicemail should be PIN protected with, if possible, a PIN of 6 or more digits; the PIN must be changed from the default number and should be disabled after a specified number of failed attempts

• outside normal office hours, your PBX system should be set to night service mode. This offers a restricted service and reduces vulnerability to hackers at night and weekends

• perform a periodic security audit to confirm the designated controls are operational.
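Several of the administration controls above (disconnect unassigned extensions, limit call forwarding to internal numbers, no default or short voicemail PINs, DISA only with a personal authorisation code, standard users get only the minimum facilities) can be checked mechanically against an export of the extension configuration. The script below is an added example written for this guide and is not the guide’s own material or any vendor’s tool: the `Extension` fields, the default-PIN list, the standard facility set and the sample extensions are all constructed assumptions that would have to be mapped onto a real PBX export.

```python
"""Policy audit of a PBX extension table (added example, constructed data).

Field names, the default-PIN list and the sample extensions are assumptions
for illustration; map them onto your own PBX's configuration export.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_VOICEMAIL_PINS = {"0000", "1234", "1111"}  # assumed vendor defaults
MAX_FORWARD_DIGITS = 6         # guide: forward targets limited to internal numbers
MIN_VOICEMAIL_PIN_DIGITS = 6   # guide: PIN of 6 or more digits
STANDARD_FACILITIES = {"internal", "national"}  # assumed minimum user profile


@dataclass
class Extension:
    number: str
    assigned_to: Optional[str]           # None means provisioned but unassigned
    forward_to: Optional[str] = None     # configured call-forward target, if any
    voicemail_pin: Optional[str] = None  # None means no voicemail box
    disa_enabled: bool = False
    disa_auth_code_required: bool = False
    facilities: Set[str] = field(default_factory=set)


def check_extension(ext: Extension) -> List[str]:
    """Return the policy findings for one extension (empty list = compliant)."""
    findings = []
    if ext.assigned_to is None:
        findings.append("unassigned extension still provisioned; disconnect it")
    if ext.forward_to is not None:
        digits = ext.forward_to.lstrip("+")
        # Anything longer than an internal extension, or not purely numeric,
        # is treated as an external forward target.
        if not digits.isdigit() or len(digits) > MAX_FORWARD_DIGITS:
            findings.append(f"call forward to external number {ext.forward_to}")
    if ext.voicemail_pin is not None:
        if ext.voicemail_pin in DEFAULT_VOICEMAIL_PINS:
            findings.append("voicemail PIN is a default value")
        elif len(ext.voicemail_pin) < MIN_VOICEMAIL_PIN_DIGITS:
            findings.append("voicemail PIN shorter than 6 digits")
    if ext.disa_enabled and not ext.disa_auth_code_required:
        findings.append("DISA enabled without a personal authorisation code")
    extra = ext.facilities - STANDARD_FACILITIES
    if extra:
        findings.append("non-standard facilities granted: " + ", ".join(sorted(extra)))
    return findings


def audit(extensions: List[Extension]) -> Dict[str, List[str]]:
    """Map extension number -> findings, omitting compliant extensions."""
    report = {}
    for ext in extensions:
        findings = check_extension(ext)
        if findings:
            report[ext.number] = findings
    return report


# Constructed sample extension table for the example.
SAMPLE_EXTENSIONS = [
    Extension("2001", "A. Smith", voicemail_pin="739215",
              facilities={"internal", "national"}),
    Extension("2002", "B. Jones", forward_to="00441632960999", voicemail_pin="1234",
              facilities={"internal", "national", "international"}),
    Extension("2003", None, disa_enabled=True),
]

if __name__ == "__main__":
    for number, findings in audit(SAMPLE_EXTENSIONS).items():
        print(number)
        for finding in findings:
            print("  -", finding)
```

Run as a periodic audit job (the guide’s “periodic security audit”), the report gives the PBX owner a concrete list to act on rather than a general assurance that the controls are in place; the thresholds are deliberately pulled out as constants so they can be aligned with the written phone policy.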

Monitoring – sophisticated software tools are available to hackers and fraudsters which enable passwords to be broken and which detect unsecured functions in the switch. So even after all reasonable security procedures have been implemented, there is still a risk of PBX compromise and a need to monitor traffic and events to ensure that any illegal access or system abuse is quickly detected and shut down.

Call Logging Systems will monitor traffic on an individual call basis, tracking parameters such as calling number, destination, time, duration, frequency, etc., and provide reports in a format suitable for fraud analysis. Call logging systems also detect incidents of security significance, such as repeated failed attempts to log in and repeated short calls. The reports generated should be monitored for any suspicious activity such as:

• sudden changes in normal calling patterns

• increase in traffic outside of normal business hours

• calls made from unused extensions

• incoming Freefone lines are busier than can be explained

• increase in calls to international destinations and/or premium rate numbers

• increase in long duration calls

• sudden unexplained increase in the use of call forwarding

• users “locked out” of voicemail or changes to voicemail greetings

• unexplained changes in system software parameters

• increase in incoming “wrong number” calls

• employees unable to get an outside line

A ‘real-time’ alarm facility is strongly recommended. This alerts a nominated person by SMS or email when suspicious calls are occurring. The rules for this reporting can be created and adjusted by the PBX owner.
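The indicators listed above (traffic outside business hours, calls from unused extensions, international and premium rate destinations, long-duration calls) can be expressed as rules over call detail records, and the real-time alarm is the same rules applied to each record as it arrives. The code below is an added example, not the guide’s own material or any call-logging product’s logic: the CSV layout, the UK `09` premium rate prefix, the office-hours window, the one-hour long-call threshold and the sample records are all constructed assumptions.

```python
"""Rule-based review of call detail records (added example, constructed data).

The CSV layout, prefixes, thresholds and sample calls are assumptions made
for the example; real PBX call-logging exports differ by vendor.
"""
import csv
from datetime import datetime
from io import StringIO
from typing import Dict, List, Optional, Tuple

UNUSED_EXTENSIONS = {"2003"}           # provisioned but unassigned (constructed)
PREMIUM_PREFIXES = ("09",)             # UK premium rate prefix (assumption)
INTERNATIONAL_PREFIXES = ("00", "+")   # international dialling prefixes (assumption)
LONG_CALL_SECONDS = 3600               # flag calls of an hour or more
OFFICE_HOURS = (8, 18)                 # 08:00-18:00, Monday to Friday

# Constructed sample records: two ordinary weekday calls, then a burst of
# weekend night-time international and premium rate traffic.
SAMPLE_CDR = """\
timestamp,extension,destination,duration_s
2020-05-25T10:15:00,2001,02079460000,180
2020-05-25T11:02:00,2002,01632960123,65
2020-05-30T02:14:00,2003,0025261234567,5400
2020-05-30T02:16:00,2003,0025261234568,5200
2020-05-30T02:20:00,2002,0909879000,900
2020-05-31T03:05:00,2003,+2526112233,4100
"""


def classify_call(row: Dict[str, str]) -> List[str]:
    """Return the suspicious-activity indicators that apply to one call record."""
    reasons = []
    when = datetime.fromisoformat(row["timestamp"])
    dest = row["destination"]
    duration = int(row["duration_s"])
    weekend = when.weekday() >= 5
    if weekend or not (OFFICE_HOURS[0] <= when.hour < OFFICE_HOURS[1]):
        reasons.append("outside business hours")
    if row["extension"] in UNUSED_EXTENSIONS:
        reasons.append("call from unused extension")
    if dest.startswith(INTERNATIONAL_PREFIXES):
        reasons.append("international destination")
    if dest.startswith(PREMIUM_PREFIXES):
        reasons.append("premium rate destination")
    if duration >= LONG_CALL_SECONDS:
        reasons.append("long duration")
    return reasons


def analyse(cdr_text: str) -> Dict[Tuple[str, str, str], List[str]]:
    """Batch report: (timestamp, extension, destination) -> indicators for flagged calls."""
    flagged = {}
    for row in csv.DictReader(StringIO(cdr_text)):
        reasons = classify_call(row)
        if reasons:
            flagged[(row["timestamp"], row["extension"], row["destination"])] = reasons
    return flagged


def realtime_alert(row: Dict[str, str], min_reasons: int = 2) -> Optional[List[str]]:
    """Alarm rule for a single record: alert when two or more indicators coincide.

    A single indicator (one after-hours call) is normal; several at once on the
    same call is what the nominated person should be paged about.
    """
    reasons = classify_call(row)
    return reasons if len(reasons) >= min_reasons else None


if __name__ == "__main__":
    for key, reasons in analyse(SAMPLE_CDR).items():
        print(key, "->", "; ".join(reasons))
```

Two design points: the batch `analyse` feeds the periodic report review, while `realtime_alert` is the per-record rule behind the SMS or email alarm, and both share one `classify_call` so that the owner adjusts the rules in one place. Baseline comparisons (an increase in after-hours or international traffic against previous weeks) need historical counts that this stand-alone sample does not carry.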

Specific IP-PBX Defence Mechanisms include:

• Limit the number of call attempts or attempts to register on an extension

• Blocking of IP address ranges to prohibit connections from internet service providers that are notorious for hosting hacker communities

• Proper router configuration - a well-configured router will generate an alert from the internal firewall or Intrusion Detection System (IDS) in the event of an attack on an IP-PBX. Keep firewall logs as evidence of attacks.

• Don’t use port 5060 as the default SIP-port of the server.
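The first two IP-PBX defences above, a cap on registration attempts and blocking of address ranges, are a sliding-window rate limit keyed on the source address plus a network allow/deny check in front of the SIP registrar. The following is an added example written for this guide, not the guide’s own material nor any IP-PBX product’s implementation; the log line format, the five-attempts-per-minute threshold and the blocked range (drawn from the reserved documentation ranges) are constructed assumptions.

```python
"""Registration rate limiting and range blocking for an IP-PBX (added example).

The SIP-style log lines, the threshold and the blocked network are constructed
for illustration and are not taken from any real deployment.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed deny list
MAX_ATTEMPTS = 5                 # REGISTER attempts allowed per source per window
WINDOW = timedelta(seconds=60)


class RegistrationGuard:
    """Decide, per REGISTER attempt, whether the source may proceed."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW, blocked=None):
        self.max_attempts = max_attempts
        self.window = window
        self.blocked = BLOCKED_RANGES if blocked is None else blocked
        self.attempts: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned: Dict[str, datetime] = {}   # source -> time the ban started

    def in_blocked_range(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked)

    def register_attempt(self, ip: str, when: datetime) -> str:
        """Return 'allow', 'deny-range' or 'deny-rate' for one attempt."""
        if self.in_blocked_range(ip):
            return "deny-range"
        if ip in self.banned:
            return "deny-rate"
        recent = self.attempts[ip]
        recent.append(when)
        # Drop attempts that have aged out of the sliding window.
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_attempts:
            self.banned[ip] = when
            return "deny-rate"
        return "allow"


def parse_line(line: str):
    """Parse '<iso-time> REGISTER <uri> from <ip>' (constructed format)."""
    ts, method, _uri, _from, ip = line.split()
    if method != "REGISTER":
        raise ValueError("only REGISTER lines are expected in this example")
    return datetime.fromisoformat(ts), ip


def replay(lines: List[str], guard: RegistrationGuard = None) -> List[str]:
    """Feed log lines through the guard and return the decision for each."""
    guard = guard or RegistrationGuard()
    return [guard.register_attempt(ip, when) for when, ip in map(parse_line, lines)]


# Constructed sample: seven rapid attempts from one source, one attempt from a
# blocked range, and one ordinary registration.
SAMPLE_LOG = [
    f"2020-05-30T02:00:{sec:02d} REGISTER sip:1001@pbx.example from 203.0.113.7"
    for sec in range(1, 8)
] + [
    "2020-05-30T02:00:09 REGISTER sip:1002@pbx.example from 198.51.100.9",
    "2020-05-30T02:00:10 REGISTER sip:2001@pbx.example from 192.0.2.5",
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(decision.ljust(10), line)
```

A denied source stays banned for the lifetime of the guard object here; a production registrar would expire bans and, as the guide says, write every deny decision to a log that is retained as evidence. Moving the listener off port 5060 is a configuration change on the PBX itself and is outside this script.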


4 If you think you’re a Victim

4.1 Stop the Loss

Your first priority is to identify and disable the service(s) being abused. If you’re unable to access the administration module, you can follow the manufacturer’s instructions to power down and/or disconnect the PBX. Contact the fraud team at your communication service provider and notify them of the suspected fraud. Preserve system and firewall logs and any other potential evidence. Note details of what you’ve done and when – it may be useful later.

Make sure you’ve implemented appropriate preventive and detective measures before you go live again.

4.2 Report the Fraud

Action Fraud is the UK’s national reporting centre for fraud and cyber crime and is the recommended way of reporting if you have been defrauded or experienced cyber crime. The reporting tool is here or you can call on 0300 123 2040.

Conclusion

I hope you found the guide helpful. One last thing - did you also secure your conference calling …?

About the Author

David Morrow

FraudFit Ltd

Dave has many years of law enforcement, investigation and fraud management experience, including multiple international assignments. He is a recognised telecoms fraud expert and for a number of years chaired the GSM Association workgroup which was responsible for Security & Fraud Risk Assessments.

http://fraudfit.com/
