Author Topic: Fraudulent calls on 3300 with NuPoint, using SMDR logs  (Read 1763 times)

Offline Casgrain

« on: March 15, 2021, 10:35:52 AM »
Hello all!

I've been looking on this forum to find resources on SMDR logs to track fraudulent international calls but I could not make sense of it for my context so maybe one of you experts could help me? :)

Here is an example of our SMDR logs for a fraudulent call:

Code:
03/13 02:27  00:00:33 7783      7783 0                    A T323T T302         
     001   17783                 A0010223A A0010211                             
 03/13 02:27  00:00:52 T302 0000 T51940223770 8080 7000      7783T T323         
     001   1940223770 8080       A0010211A A0010223 

From my understanding, from the 3rd line, an inbound call overnight from T51940223770 on our main trunk (T3xx) is answered by messaging (7000) NuPoint and redirected to our main menu (8080).
From there the call seems to go to a VM via one of the NuPoint VM ports (778x numbers).
After that I get lost on how they do it, but from the log I understand a supervised transfer (T) is made from that 7783 port to an external number over our main trunk.
I think the first line is that external outbound call being made to the operator and then transferred to whatever international number was requested from the operator.
After that I don't have any traces of said call.

Now, did I understand those logs correctly? And since the NuPoint seems to be involved, any way I could trace it to a specific ext/VM that's obfuscated behind that NuPoint port?

We checked and VMs are not allowed to dial out as per policy, nor do we have any DISA in place. It would really help me close the gap if I knew what the exploit was exactly!

We have a Mitel 3300 with NuPoint for VM (and some other features I believe).

Thank you!
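
The pattern described in this post (a NuPoint port as calling party on a record that involves a trunk, at night) can be searched for across a whole SMDR export. The following is an added example, not part of the original post or of any Mitel tooling; it assumes the first field after the duration is the calling party, that trunks appear as `T` plus three digits, and that the NuPoint ports are 7780-7789. The last sample record is constructed.

```python
import re

# The two records from the post, plus one constructed daytime record
# (extension 2301 is made up) that must not be flagged.
SAMPLE = """\
03/13 02:27  00:00:33 7783      7783 0                    A T323T T302
     001   17783                 A0010223A A0010211
 03/13 02:27  00:00:52 T302 0000 T51940223770 8080 7000      7783T T323
     001   1940223770 8080       A0010211A A0010223
03/13 14:05  00:02:10 2301      7000                      A 7000
"""

# Assumptions: NuPoint ports are 7780-7789 ("778x" in the post) and trunks
# appear as T plus three digits, optionally followed by a one-letter flag.
VM_PORTS = {f"778{d}" for d in range(10)}
TRUNK = re.compile(r"^(T\d{3})[A-Z]?$")
RECORD = re.compile(r"^\s*(\d\d/\d\d)\s+(\d\d):(\d\d)\s+\d\d:\d\d:\d\d\s+(\S+)(.*)$")

def parse_records(text):
    """Join each record with its indented continuation line."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            date, hh, mm, caller, rest = m.groups()
            records.append({"date": date, "hour": int(hh), "time": f"{hh}:{mm}",
                            "caller": caller, "fields": rest.split()})
        elif records and line.strip():
            records[-1]["fields"] += line.split()
    return records

def vm_port_trunk_calls(text, vm_ports=VM_PORTS, night=(22, 6)):
    """Return records where a voicemail port is the calling party and a trunk
    is involved, with a flag for calls starting in the night window."""
    hits = []
    for r in parse_records(text):
        trunks = [m.group(1) for f in r["fields"] if (m := TRUNK.match(f))]
        if r["caller"] in vm_ports and trunks:
            off_hours = r["hour"] >= night[0] or r["hour"] < night[1]
            hits.append((r["date"], r["time"], r["caller"], trunks, off_hours))
    return hits

if __name__ == "__main__":
    for hit in vm_port_trunk_calls(SAMPLE):
        print(hit)
```

Only the 02:27 record with 7783 as calling party is reported; the inbound trunk record and the constructed internal call are not.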


Offline ZuluAlpha

« Reply #1 on: March 15, 2021, 03:17:46 PM »
You can assign a COR to your NuPoint ports that would prevent them from calling out, or local only. Sometimes this is a useful feature for operator escapes on individual mailboxes. Do you have a 9999 mailbox on your NuPoint? That's where I would expect to see someone attempt to configure Toll Fraud. More often on integrated VM than NuPoint though.

Offline acejavelin

« Reply #2 on: March 15, 2021, 08:10:38 PM »
Absolutely shut down those VM ports from making outside calls, or at the very least not more than local calls... The most common attack vector for hacking voicemail is changing an individual mailbox's "Dial 0" destination.

Offline Casgrain

« Reply #3 on: March 16, 2021, 10:16:52 AM »
Ok so I checked and our NuPoint has a 999 mailbox but our dialout plan is 4 digit so asking for it returns "This is not a valid mailbox" error. Our integrated VM has a 9999 extension but that doesn't seem reachable due to the NuPoint redirection. Unless I'm missing something, I think we can rule that out.

As for COR on those ports, I'm still trying to make sense of how this works (I'm a sys/net admin so this is somewhat all new to me) but I think it's restricted. Let me describe the setup:

All our VM ports are assigned COR 2.
COR Group 1 is assigned COR 1.
COR Group 2 is assigned COR 1,2.
COR Group 3 is assigned COR 1-3.
The fraudulent calls are made on our trunk group 1.

Now where I get lost a little:

ASR routes 1,3,5,7,9 and 99 are assigned to trunk group 1.
ASR routes are assigned respectively to COR Groups 1,2,3,60,60 and 64. (last 3 are for emergency dialing)
ASR Digit Dialed for 90 (operator), 901 (operator assisted long distance) and 9011 (international) goes respectively to routes 1, 3 and 5.

So I'm deducing it's possible to dial out to operator (90) due to missing COR 2 in COR Group 1, correct?
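
The setup listed in this reply can be written down as data and checked mechanically. The following is an added example, not part of the original post and not Mitel's own logic: it reads a COR group as the set of CORs barred from a route (the reading used in the post), models the ARS digits-dialed lookup as a longest-prefix match, and leaves out the emergency routes because their COR groups are not listed. `HARDENED` is a constructed variant for comparison.

```python
# Values from the reply above. A COR group is modeled as the set of CORs
# that are barred from any route the group is assigned to (assumption).
COR_GROUPS = {1: {1}, 2: {1, 2}, 3: {1, 2, 3}}
ROUTE_COR_GROUP = {1: 1, 3: 2, 5: 3}               # ARS route -> COR group
DIGITS_TO_ROUTE = {"90": 1, "901": 3, "9011": 5}   # leading digits -> route
VM_PORT_COR = 2

# Constructed variant: COR 2 added to the group guarding the operator route.
HARDENED = {**COR_GROUPS, 1: {1, 2}}

def route_for(dialed):
    """Pick the route of the longest leading-digit entry that matches."""
    matches = [p for p in DIGITS_TO_ROUTE if dialed.startswith(p)]
    return DIGITS_TO_ROUTE[max(matches, key=len)] if matches else None

def is_allowed(cor, dialed, cor_groups=COR_GROUPS):
    """True if a device with this COR can complete the dialed digits."""
    route = route_for(dialed)
    if route is None:
        return False                      # no ARS entry in this model
    return cor not in cor_groups[ROUTE_COR_GROUP[route]]

def audit(cor, cor_groups=COR_GROUPS):
    """Map each ARS leading-digit entry to whether this COR can use it."""
    return {p: is_allowed(cor, p, cor_groups) for p in DIGITS_TO_ROUTE}

if __name__ == "__main__":
    print("as configured:", audit(VM_PORT_COR))
    print("hardened:     ", audit(VM_PORT_COR, HARDENED))
```

With the values as posted, a COR 2 device is barred from 901 and 9011 but not from 90.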

Offline ZuluAlpha

« Reply #4 on: March 17, 2021, 08:18:30 AM »
You'll want to set up different Routes to Trunk Group 1 for each category of Digits Dialed. You can then assign a COR to each of those. They will still go to Trunk Group 1 but with different COR's assigned.

There is a great explanation here:
http://www.mitelforums.com/articles/mitel_ars_programming.php


Offline Casgrain

« Reply #5 on: March 17, 2021, 08:51:00 AM »
Ya that's what I've read to be able to provide the earlier reply. I understand how they organize the rules but I'm not going to start redoing everything now, especially not until I know what the flaw is exactly.

Anyhow, the fraudulent calls stopped once I reset the password to the VM of the 8080 VM, basically the ext assigned to the overnight attendant.

Offline Casgrain

« Reply #6 on: March 23, 2021, 12:27:50 PM »
Ok I found the exploit...

Call the main number, NuPoint call flow picks up (attendant), it waits for user to dial an extension, but dial 90 and it'll hit the corresponding route on the Mitel 3300.
Solution is to configure COR properly for VM ports and to that I can add a limitation to the NuPoint Menu Dial Plan for the call director (from vvvvvvvvv to vvvvvvvv1) so that 9 in the menu just returns invalid.

Offline acejavelin

« Reply #7 on: March 24, 2021, 09:37:55 PM »
> Ok I found the exploit...
>
> Call the main number, NuPoint call flow picks up (attendant), it waits for user to dial an extension, but dial 90 and it'll hit the corresponding route on the Mitel 3300.
> Solution is to configure COR properly for VM ports and to that I can add a limitation to the NuPoint Menu Dial Plan for the call director (from vvvvvvvvv to vvvvvvvv1) so that 9 in the menu just returns invalid.

Funny part is, shortly after Mitel purchased Centigram in the early 90's, NuPoint was known as "Mitel Mail" and although there was no GUI, the programming and setup was largely identical except it ran on QNX (a POSIX style OS, similar to Linux in the very early 90's)... When I went to training for it at that time, this exact scenario was brought to our attention strongly enough that I still remember it 25 odd years later...

Not really important, but just reiterating the fact this has been an exploit since the beginning that required manual configuration to manage.


 
