atcomsystems.ca/forum
Posted By: Jordan Toll fraud on my meridian - 07/17/06 10:49 AM
This morning we had a voice mail from someone that said they were with AT&T fraud. They were calling to inform us that they detected steady calls to the Philippines from Saturday July 15th at 12:20 AM for the whole day and that we needed to secure our PBX system. I called the number 800 xxx-xxxx that they left and referenced the case number ####### and they said that they were now blocking the calls and we needed to contact our vendor to secure the system.

We already have blocks on our PBX to prevent 1010xxx calls and usually everyone has left the building by this time so I am uncertain how these calls might have been made. During the conversation with the person at the 800 number above, they asked what type of system we had, which I found to be odd (I did not say the type). I suspect that some type of fraud is going on; however, we don't know if we had already been a victim of toll fraud as the caller said or if the caller was trying to attempt call fraud when I returned their call.

Is there a list of items I need to check to be sure that my Meridian system with 6.1 software and NAM with 4.0 software will not be used to make calls for thieves?
Posted By: telemarv Re: Toll fraud on my meridian - 07/17/06 11:57 AM
Typically toll fraud is a result of the voice mail system not being properly secured.

Toll Fraud prevention 101:
Only those mailboxes that actually use outdialing should be allowed to.

Easy passwords should be avoided (1111, 1234, etc.), especially in the GD and the Admin mailboxes, and passwords should be changed periodically.

Toll restrict all voice mail ports. Or better yet toll restrict lines and provide COS passwords to override restrictions to those who must call long distance (a pain but could save you $$$).

If anyone calls you about fraud or any other thing that makes you suspicious, ask for a phone number and call them back.
Posted By: Jordan Re: Toll fraud on my meridian - 07/17/06 06:43 PM
I believe I tracked it down to the GD mailbox. It seems the receptionist favored 1111 for the password. AHHHHH!!!!

Also, the system installer during the last upgrade seemed to have turned on the outbound transfer for that mailbox. Double AAAAHHHH!!!

OK, so I did the following:

1. Changed the password on the GD mailbox (100) to something tough.
2. Changed the password on the System Manager mailbox (102) to something tough.
3. Checked all known mailboxes including 100 and 102 to be sure the outbound transfer was changed from POOL to NONE if it was set.

A couple of questions:

1. I don't have a RAD hooked up to the system (Norstar Meridian with 6.1 software and 4.0 NAM) so could any other part of the system be vulnerable to remote programming?

2. If I set up a restriction to stop 1010 just as I have a filter for 900 will this also apply to the voice mail ports?

3. If the hackers just went and dialed through via my regular carrier I might have some leverage in getting these calls squashed, but they set up the transfers to dial 10-10-ATT and Verizon and probably other carriers. When something happens like this, what is the liability for these charges?

4. One thing that AT&T said when they were informing me of the fraud is that the hackers may have set up more mailboxes. Is this possible to do remotely on the Meridian system without having a RAD hooked up?

5. Lastly, is there a way to just see each mailbox that exists without having to do F983 and try each mailbox number?
Posted By: Danny_Ocean Re: Toll fraud on my meridian - 07/17/06 07:01 PM
There is a way to view a voicemail list in a NAM via laptop. Check in the Nortel FAQs section for the procedure to connect to a NAM.
If you had SMDR hooked up to the system, you would pinpoint the extension (vm port) making the calls.
Posted By: Jordan Re: Toll fraud on my meridian - 07/18/06 07:06 PM
I guess the details of where they were calling or where they were dialing in from to hack do not matter any longer because I doubt that anyone I call is going to do anything about it. I just have to make sure that I have everything set up so it cannot happen again.

Things done:

1. Turned off outbound transfer on all mailboxes.
2. Placed restriction on set 280 and 281 to prevent all 4 ports of the NAM from being able to dial anything by restricting 0,1,2,3,4,5,6,7,8,9.
3. Also added dial restriction for 00 for the filter that is on all the other phones to prevent contacting the International Operator.
4. Got everyone to change their mailbox passwords to 6 digits just in case.
5. Changed all passwords listed in Feature **CONFIG from the defaults to new (I wrote them down and secured them).

Since I have no RAD hooked up is there anything else I need to do to secure the system?

Also, is there a way to list all the mailboxes that are on the system? I tried to use Feature 983 and use the directory to cycle through them; however, I noticed that in one of my tests I created a mailbox without entering a name and it did not show up as I cycled through the directory. I am worried about the possibility of there being a mailbox where the only way I can find it is to go through all possible numbers.
Posted By: JimmyT Re: Toll fraud on my meridian - 07/19/06 11:01 AM
Also build a Filter blocking 1010 and put that Filter on the lines. One more step I do here is if you are not using 1010 codes, let your carrier know and they can block it.
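
The SMDR review suggested earlier in the thread, sketched as an added example that is not part of any post: it scans call records for calls from the voice mail ports, dial-around (1010) or international prefixes, and off-hours activity. The record layout and sample lines are constructed and do not reproduce the Norstar SMDR format; sets 280 and 281 come from the thread, while the business hours and the two-indicator threshold are assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample records, not real SMDR output. Assumed columns:
# start time, originating set (DN), outside line, dialed digits, seconds.
SAMPLE_SMDR = """\
2006-07-14 10:02,221,001,18005550100,95
2006-07-15 00:20,280,002,1010288011635550100,1840
2006-07-15 00:52,281,003,1010288011635550101,2210
2006-07-15 09:15,225,001,5550123,40
2006-07-17 14:30,223,002,011445550100,300
2006-07-17 22:05,224,001,19005550100,60
"""
VM_PORT_SETS = {"280", "281"}      # NAM port sets named in the thread
RISKY_PREFIXES = {                 # prefixes the thread's filters target
    "1010": "dial-around carrier code",
    "011": "international",
    "00": "international operator",
    "1900": "900 number",
}
BUSINESS_HOURS = range(7, 19)      # assumption: Mon-Fri 07:00-18:59

def classify(row):
    """Return the list of reasons a call record deserves review."""
    when, dn, _line, digits, _secs = row
    ts = datetime.strptime(when, "%Y-%m-%d %H:%M")
    reasons = []
    if dn in VM_PORT_SETS:
        reasons.append("originated from a voice mail port")
    for prefix, label in RISKY_PREFIXES.items():
        if digits.startswith(prefix):
            reasons.append(label)
    # The real destination follows the 7-digit 101XXXX carrier code.
    if digits.startswith("1010") and digits[7:].startswith("011"):
        reasons.append("international")
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons

def review(smdr_text):
    """Yield (record, reasons) for calls with two or more indicators."""
    for row in csv.reader(StringIO(smdr_text)):
        reasons = classify(row)
        if len(reasons) >= 2:      # assumption: one indicator alone is noise
            yield row, reasons

if __name__ == "__main__":
    for row, reasons in review(SAMPLE_SMDR):
        print(row[0], "set", row[1], row[3], "->", "; ".join(reasons))
```

Requiring two indicators keeps a single weekend local call or a daytime international call from a desk phone out of the report while still surfacing every call placed through the voice mail ports after hours.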
© Sundance Business VOIP Telephone Help