Another long weekend, and another PABX hacking takes place.
It tends to come in waves, but lately it’s been particularly
nasty with at least one report of a $250,000 weekend for one local company.
You probably know how it works but it bears repeating.
Ratbags ring around after business hours looking for a PABX system. They try
various combinations of readily available default passwords (user name and
password set to 0000 for example) and once they’ve struck gold they wait for a
Staff clear out on Friday at 5pm, then the diallers start
in. They have access to the set-up systems of the hacked PABX (which hasn’t
really been hacked, just left unguarded) so they assign all the direct dial
outbound lines to call numbers overseas – typically in those countries that
couldn’t care less about such things. Think Somalia or Azerbaijan. These
compromised systems spend the next three days dialling out and every time they
connect the company in questions starts paying through the nose for the toll
The staff return to work on Monday none the wiser until the
phone bill arrives, typically with tens of thousands of dollars’ worth of toll
The company will then ring the telco which will say sorry
but your phones made all those calls, and even if the local telco waives any
profit margin and offers the calls at cost, you’re still in the gun for
thousands of dollars owed to a foreign telco that isn’t going to take no for an
The ratbags in question typically get a clip of the revenue
earned in their country and have had quite a profitable weekend. Even if the
host telco over there wises up and kicks them out, there’s always another telco
Rinse, repeat until wealthy.
This isn’t a new phenomenon – in 2005 we covered the
situation at Computerworld and even then we referred to advice given in 2003.
There are, however, some simple steps you can take here to
make sure you’re not done over. Fortunately it’s all quite straight forward.
First, talk to your PABX system provider. Actually, the real
first step is to figure out if anyone in your organisation is responsible for
the PABX – in many cases I’m told responsibility has devolved to the IT department
who don’t necessarily know all the old PABX hacker tricks.
But talk to your provider about securing your system and you’ll
probably discover the easiest thing to do is change the default passwords to
something more difficult.
I’m in two minds about password security – on the one hand a
long and tricky password means you’re unlikely to be hacked. On the other hand,
who can remember them? Bruce Schneier once told me the best way to secure a
system was with a long password that’s complex and difficult that is written
down and stored by the computer, on the basis that anyone who steals your PC
won’t know about the bit of paper and will miss it, and anyone who’s hacking in
from outside won’t be able to see the bit of paper because they’re in another
country. I quite like that.
While the telcos do what they can to limit the damage from
this kind of thing, at the end of the day we the customers have to play our
part and making sure we bolt the door before we head away for a break is a very
good thing to do.