Security Advisory: Telephone Voicemail Hacking Leading to Enormous Bills

We have all heard of voicemail hacking, but it appears it isn't just the red top gossip rags after your secrets, but also criminal gangs targeting your company telephone system ... and bills.

While outside our IT support remit, this morning we assisted a customer whose telephone system had been hacked over the weekend, and as a consequence have run up a bill of several thousand pounds in international phone call charges. Not knowing where to start, the customer called us and what we discovered was quite shocking as to just how easily this was effected by hacking of the voicemail system. So much so that I thought a security advisory was wise; suggesting that you raise this matter with your telephone supplier as a preventative measure.

A little background

Not so long ago, a telephone answering machine was as secure as the room it was in. It was, essentially, a tape recorder bolted onto a phone. If you called someone and they were out, the tiny cassette inside would record your message so that the intended recipient could play it back later. The only way to "hack" the message would be to steal the cassette itself. But mobile telephony has changed all that. Users now need access to their messages wherever they are and sometimes from more than one phone. This provided a way in for the phone hackers.
 
For most circumstances there are three common ways a hacker can take control of your phone system and run up huge long distance charges without you knowing:
 

  • Remote voice mail access is BY FAR the easiest way for a hacker to gain enough access to a phone system to do bad things. Employees want to be able to access information (including voice mail) while out of the office, so your "phone guy" may have setup a way to access your voice mail while you're not in the office - a convenient but hackable feature.
    Hacking a voice mail system is quite easy. Once a voice mail system has the capabilities to be accessed by dialling in from an outside line - this also makes it available to be hacked by anyone in the world who can call your phone number. Phone Engineers who do installations are unfortunately notorious for leaving system programming and user (voice mail) passwords set to their default password assigned by the manufacturer. Most voice mail systems only allow 4-digit passwords, which means there are 9,999 possible password combinations
  • Remote Programming has become extremely profitable for phone engineers and leaves you less secure.
    Once someone has access to the remote programming, they have complete and full control of all phones, phone lines, call forwarding, voice mail, etc.
  • IP-Phones / Remote Phones have saved businesses tons of money by eliminating long-distance communications costs between offices or remote workers. With newer phone systems, it will use the data network to establish communications with the remote office/worker. If improperly setup/secured, hackers will use the same techniques from items #1 and #2 - default passwords. Once a hacker has successfully registered a remote phone, they act like an extension on your phone system - pick up the phone and start dialling anywhere, any time.

 

What should you do?

 
Speak to your telephone system provider and pose the question; is our telephone system secure? While this is the first incident that we have seen, it is by all accounts becoming increasingly common. The steps we have found suggested are often straightforward and include:
 

  • Restrict the use of phone systems to specific dial codes or block all international calls if not required
  • Ask if your phone systems has a built-in firewall to help prevent your phone system from being hacked
  • Prevent call transferring of international calls through your voicemail system.

 

 

Lindsey Hall

Managing Director - EasylifeIT

Portions (C) Sean Brown of Sleepy Shark. Click here for full article

National Crime Agency issue 2 week warning of virus attack

The National Crime Agency has today issued an unprecedented 2 week warning of a potential virus attach by Ransom ware applications
 
CryptoLocker and GoZeus 

In the past 12 months we have seen attacks of these viruses in our customer base. These are very aggressive; encrypting your files and demanding money so you can access them again. This is a criminal enterprise; so there is no guarantee that your files will be saved or your payment card will not be abused. 

More information from the National Crime Agency 

http://www.nationalcrimeagency.gov.uk/news/news-listings/386-two-week-opportunity-for-uk-to-reduce-threat-from-powerful-computer-attack  

What should you do?

  •  Ensure all machines have antivirus installed and are up to date. Now is not the time to ignore update warnings or alerts
  • Caution your staff to beware any suspicious looking email attachments and be vigilant when on the internet. Antivirus protection is not a guarantee and does not compensate for careless or curious browsing.
  • If your PC is prompting you to install Microsoft or Adobe updates; please do so.

If you need assistance 

You know where we are. Drop us an email or call us on 0800 043 9186

Related items

Google+