Toll Fraud Exploits
A company telephony system can be subject to toll fraud by company employees or by external people who try to find vulnerabilities in the system. The first group, employees, simply ignores policies, hoping that their activities will not be detected because it is difficult to differentiate between business calls and private calls based on the dialed number. The other group, the external callers, is more technically oriented. They try to find vulnerabilities in network devices, including IP telephony systems. Sometimes they do not even specifically look for voice systems; they simply exploit whatever system they manage to gain control over.
The main difference between these two groups is the way in which you can mitigate the "attack." In the case of external attackers, the key is to prevent unauthorized access to the system and its devices. For authorized users of the system, the administrator has to very carefully limit the technical abilities and features of the system without compromising the flexibility and efficiency of its users.
There are also some features in a telephony system that can be misused. These include call forward and call transfer settings and voice-mail transfer options. If the features that are commonly used for toll fraud are well protected, users might try to exploit the system using other features. As an example, if a user is not allowed to transfer an external call to another external destination, the user could try to set up a conference call for these two parties and then leave the conference.
Usually, an administrator has to accept the fact that toll fraud cannot be eliminated completely. The only way to achieve complete elimination would be to block all external calls and disable all features that would allow employees to place calls outside the company. This technique might be feasible for single-function telephones, such as public telephones located in a lobby, but is not desirable for telephones used by standard employees. Therefore, only those calls that can be clearly identified as nonbusiness calls will be blocked. However, in many cases, you cannot judge in advance whether the call being placed is business-related or private.
Figure 22-1 shows different types of toll fraud.
Figure 22-1. Forms of Toll Fraud
The following list explains these types of toll fraud:
- Call Forward All (CFA): The first example describes a scenario in which an employee forwards the office number to, for example, an international or mobile number. The employee then tells friends to call the office number. The call is forwarded to the number that the employee specified, making the company pay the costs of the calls.
- Transfer from voice mail: The second example shows an attacker making an external call to the voice-mail system, which forwards the call to an international premium destination. The attacker is billed only for a local call, whereas the company from which the call is forwarded pays for the international call.
- Social engineering: The third example shows a scenario in which an attacker calls from outside the company and uses social engineering tricks (for instance, pretending to be an employee working from home) to be transferred to an external number, such as one beginning with 9011. The 011 prefix is used in the United States to place international calls, and 9 is the digit typically dialed in corporations to obtain outside dial tone. This attacker is also charged only for a local call, whereas the company again pays for the connection to an international telephone number.
- Inside facilitators: The fourth example is very similar to the third one, but in this case an employee inside the company transfers the external call to another external number, so the toll fraud has an internal source.
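As an added example that is not from the book, the following Python flags the four patterns above in constructed, simplified call records, the way an administrator might audit call detail records for toll-fraud indicators. The record layout, the four-digit extension plan and the redirect labels are assumptions; only the outside-access digit 9 and the 9011 international prefix come from the text.

```python
from typing import Dict, List, NamedTuple, Optional

OUTSIDE_CODE = "9"                   # digit dialed for outside dial tone (from the text)
INTL_PREFIX = OUTSIDE_CODE + "011"   # 9 + US international prefix 011 (from the text)

# Constructed, simplified record of one call leg; NOT a real CDR layout (assumption).
class CallLeg(NamedTuple):
    caller: str    # originating party: 4-digit extension or external number
    final: str     # number the call finally connected to
    redirect: str  # "" (none), "cfa", "voicemail", "transfer" or "conference"

def is_external(number: str) -> bool:
    # Assumed dial plan: internal extensions are exactly four digits; anything else left the company.
    return not (len(number) == 4 and number.isdigit())

def is_international(number: str) -> bool:
    return number.startswith(INTL_PREFIX)

def flag(leg: CallLeg) -> Optional[str]:
    """Return the toll-fraud pattern this leg matches, or None if it looks legitimate."""
    if not is_external(leg.final) or not is_external(leg.caller):
        return None  # the company pays an unexpected toll only when an outside caller ends up outside again
    patterns = {
        "cfa": "CFA: outside call forwarded back out",
        "voicemail": "voice mail transferred outside call to external number",
        "transfer": "external call transferred to external number",
        "conference": "conference joining two external parties (transfer bypass)",
    }
    return patterns.get(leg.redirect)

def audit(legs: List[CallLeg]) -> Dict[str, List[CallLeg]]:
    """Group suspicious legs by pattern, international destinations first within each group."""
    findings: Dict[str, List[CallLeg]] = {}
    for leg in legs:
        reason = flag(leg)
        if reason:
            findings.setdefault(reason, []).append(leg)
    for group in findings.values():
        group.sort(key=lambda l: not is_international(l.final))
    return findings

SAMPLE_LEGS = [  # constructed sample data
    CallLeg("5551234567", "9011442079460000", "cfa"),       # friend dials an extension, CFA sends it abroad
    CallLeg("5559876543", "9011441234567890", "voicemail"), # voice mail forwards the outside caller abroad
    CallLeg("5551112222", "90115512345678", "transfer"),    # receptionist transfers an outsider to a 9011 number
    CallLeg("5553334444", "95551239999", "conference"),     # employee conferences two externals, then drops
    CallLeg("2001", "2002", ""),                            # internal call: ignored
    CallLeg("2004", "95551230000", ""),                     # employee's own outbound call: not redirected
    CallLeg("5556667777", "2006", "transfer"),              # outsider transferred to another extension: ignored
]
```

Running `audit(SAMPLE_LEGS)` yields one finding per pattern for the first four records and nothing for the last three.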
Preventing Call Forward and Voice Mail Toll Fraud Using Calling Search Spaces