Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Voice Mail Fraud

Hi,<br>We received the following alert from our phone company. I wondered how vulnerable Unity is to these threats. I'll include the complete message below. Specifically, we have Unity 2.4 Build<br><br>***************<br><br>There have been some recent 'hacker attacks' on voice mail systems, and we wanted to make sure that our customers are taking adequate precautions to prevent telephone fraud through campus resources. While Resicom, along with many of the carriers that serve our mutual customers, does perform pro-active fraud monitoring, some types of fraud may not be detected by these systems. Ultimately, each PBX owner must ensure that their systems are 'fraud proof', as they are responsible for the charges.<br><br>In many cases hackers are calling from payphones, or using pre-paid cards (sometimes stolen), and cannot be easily traced.<br><br>Recent incidents of fraud were cases where hackers gained access to a voice mail system and used those ports to dial out to foreign destinations through multiple access methods. The voice mail system in question __was already set__ to deny outcalling, but these hackers were still able to place these calls through those ports.<br><br>Some suggestions:<br>--Ensure that your campus operators are trained not to transfer to external numbers, or to extensions that begin with the same digit as your trunk access code (i.e if you dial '9' for an outside line x9000, 9011; if you dial '8' for an outside line, x8000, 8001, 8011, etc.). It is also important to make sure that the non-business hour attendants are aware of the possible scam calls.<br><br>--Voice mail systems, automated attendants, and interactive voice response systems usually connect to the campus PBX through extensions just like those on your desk. Check that voice mail system extensions are completely restricted, and cannot place external calls, even with an auth code.<br><br>--If your voice mail system must do outcalling for pager notification, configure it to use only a small number of ports, and configure those ports to only allow dialling to a minimal calling area.<br><br>--If you have toll-free numbers that terminate in a voice mail system, configure that mailbox to not allow '0 transfer' after hours.<br><br>--If your voice mail system allows users to transfer to a caller-entered extension, ensure that the system will not allow transfer to an extension that begins with your trunk access code (for example 9000, 9001, 9011)<br><br>--Re-confirm restrictions after major system changes or upgrades to confirm that they are still in place.<br><br>


Re: Voice Mail Fraud

Unity is pretty tight here... currently you can't dial ANY number that doesen't correspond to a call handler or a subscriber. Period. No "free dials" are allowed (this feature is coming in a later version of 3.x but admins can lock it down if they wish).

The only vulnerability here would be the same weak spot all such systems have and that's hackers getting into user's mailboxes. They can change the transfer string over the pone and attempt to dial out that way. Unity employs restriction tables that dictate what number patterns are allowed for transfer strings to prevent this from being a problem (i.e. no long distance numbers are allowed).

Make sure your users all have PWs set and change them from time to time and make sure your restriction tables for dialout and transfers are locked down appropriately and you should be safe.

Jeff Lindborg
Unity Product Architect/Answer Monkey
Cisco Systems (new page for Unity support tools and scripts)


Re: Voice Mail Fraud

You can also use CallManagers calling searches spaces and partition to prevent Unity from being able to call outside to the local network. Just don't do this if you are doing notification to outside devices.


Keith Chambers
Unity Technical Lead
Unified Voice Team, San Jose
Cisco Systems

CreatePlease to create content