Toll Fraud: Voicemail Operator Extension

[solpuser]

Hello,

We have a Mitel 3300 MXe-III, release 6.0 SP3. We have noticed some Toll Fraud and have traced it back to voicemail reconfiguration of the Operator Extension (0) Value.

The passcode of a voicemail box for a normal user (i.e. not admin, manager, technician) is guessed and it seems the attacker is able to change the Operator Extension (0) field from blank or 0 to an overseas number. This is shown when we go to Voice Mail -- VM Mailboxes -- open the form for a particular Mailbox Number -- scroll down to Operator Extension (0), there is a value corresponding to an overseas number.

We've looked at a variety of options to change in order to better secure our system, however I would really like to understand how they can change the value in this field via the TUI. I have gone through the entire voicemail options tree and cannot determine how this is done.

Being able to reproduce what the attacker is doing will help us feel confident the changes we make to better secure our system address this problem and prevent future attacks.

Any guidance would be greatly appreciated!

[ralph]

Been there.  Done that.
The hacker used the admin mailbox to modify the operator extension.
You need to change the passwords for the 3 levels of TUI admin.

Ralph

[solpuser]

Thanks for the reply.

I'm not certain that is the case for the following reasons:

1) The 3 accounts (admin, manager, technician) all have non-default passcodes
2) The mailboxes (i.e. more than one) with the Operator Extension (0) that were modified had weak passcodes which would have been relatively easy to guess. Additionally, each compromised mailbox had their own overseas number.
3) After changing the passcodes of the affected mailboxes to something more challenging, the toll fraud stopped (at least for now, as I am seeing what appears to be further attempts to "guess" passcodes)

I will concede that #1 is entirely possible. However, if they had that level of access, why go modify the mailboxes that had weak passcodes?

Also, is it not possible to do what they have done only using the TUI for the individual user's voicemail?

Thanks!

[Mattmayn]

I would guess that people had weak passcodes on their mailboxes. Like they were 1234, or matched the mailbox number. If you don't need to have outbound calls from the VM I would suggest locking it down to prevent this. Ralph has a good how-to on this site for it. Basically you use interconnect restrictions to prevent the VM ports from being able to connect to the public trunks. It only takes a few min to do and is well worth it.

[ralph]

Ralph has a good how-to on this site for it. Basically you use interconnect restrictions to prevent the VM ports from being able to connect to the public trunks. It only takes a few min to do and is well worth it.

I believe this is the link you referred to:  http://www.mitelforums.com/articles/mitel_ars_programming.php


Ralph

[solpuser]

After some further digging, I have discovered that once the VM passcode had been guessed, the attacker changed the User Option for "Personal Contacts" (e.g. allow a caller to hit 2 to have the call forwarded to their cell phone).

I had to look inside a backup file in order to get a listing for each mailbox to see if they had any Personal Contacts configured. Is there an easier way to get this info? Is there an easy way to clear these or can it only be done via the TUI for each mailbox?

So, to answer my original question, changing the Voicemail User Option -- Personal Contact for '0' will show up in the "Operator Extension (0)" Field of the Web Interface for VM Mailboxes.

To prevent abuse with Personal Contacts, I set "Public Network to Public Network Connection Allowed" to No for the COS for Voicemail. Now, if a mailbox is compromised and the "Operator Extension (0)" is set to a TF Number, the caller will not be connected to their number and simply punted back to the Operator Greeting for our system.

Maybe there is a better way to do this such that we allow a caller to be forwarded to the recipient's cell using a configured Personal Contact, but restrict TF abuse?