Oh boy.....
Leaving the VM out of it there are still a few ways.
1) this is my most current study interest: A hacker attacks a SIP based telco provided router. Breaks the credentials and then sets up his own router. Generally it appears this is used for doing TDoS attacks on other customers, not so much toll fraud.
2) Trunks that don't disconnect properly. A call that hits the system and then someone/something hangs up but the caller stays on line and gets PBX dialtone. From there can dial out if the other layers of security are not set properly.
3) of course the old standby: DISA. Dumb.
4) Twinning. If your twinning creds are compromised then they can twin anywhere.
5) The exten '900' scam
6) Internal fraud: i.e. Forward your phone to grandma and then call your phone from home.
Of course there need to be several layers of security. Only peel these back as needed.
1) Block trunk to trunk calls.
2) Set the COR of the trunks to deny ARS access.
3) remove/restrict direct trunk access.
4) layer your ARS - See this doc
5) Block your VM ports from dialing.
6) Block call forward external - or forward only to system speed calls (preferred)
7) Work with your carrier to block international calls
Work with your carrier to restrict incoming toll free calls to only those areas of the country that require it.
Of course the apps, like OPS, UCA etc, if they are compromised then of course any knowledgeable hacker will cause problems.
Remember this: the only totally secure system is the one that is turned off and locked in a vault.
Ralph
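
An added example, not part of the post above and not vendor code: a small audit over call records that flags calls matching several of the vectors listed (trunk-to-trunk, voicemail ports dialing out, international and 900 destinations, external forwards outside an approved list). The CSV layout, field names, the `011` prefix rule and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample records in a hypothetical CSV layout (not a real SMDR format).
SAMPLE_CDR = """\
start,src_type,src,dst_type,dialed,note
2024-03-02T02:14,trunk,T01,trunk,0115551230000,
2024-03-02T02:20,vm_port,VM3,trunk,19005550100,
2024-03-02T09:05,ext,2001,trunk,12025550123,
2024-03-02T18:40,ext,2044,trunk,12025550177,forwarded
2024-03-02T10:00,ext,2002,ext,2003,
"""

# Stand-in for the "system speed calls" that forwarding is allowed to reach.
APPROVED_FORWARD_TARGETS = {"12025550123"}


def findings_for(row, approved):
    """Return the list of policy findings for one call record."""
    out = []
    to_trunk = row["dst_type"] == "trunk"
    if row["src_type"] == "trunk" and to_trunk:
        out.append("trunk-to-trunk")       # inbound caller reached an outbound trunk
    if row["src_type"] == "vm_port" and to_trunk:
        out.append("vm-port-outdial")      # voicemail port placed an outside call
    if to_trunk and row["dialed"].startswith("011"):
        out.append("international")        # assumes North American dialing
    if to_trunk and row["dialed"].startswith(("900", "1900")):
        out.append("900-number")
    if to_trunk and row["note"] == "forwarded" and row["dialed"] not in approved:
        out.append("external-forward")     # forward to a number not on the approved list
    return out


def audit(cdr_text, approved=APPROVED_FORWARD_TARGETS):
    """Map (start time, source) to findings for every flagged record."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(cdr_text)):
        hits = findings_for(row, approved)
        if hits:
            flagged[(row["start"], row["src"])] = hits
    return flagged


if __name__ == "__main__":
    for (start, src), hits in audit(SAMPLE_CDR).items():
        print(start, src, ", ".join(hits))
```

Any hit means one of the layers listed above was peeled back further than intended and the matching restriction should be rechecked.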