Fraud against Exchange UM. Protect yourself now!

The ability to use a phone system to make low-cost or free calls is known as Toll Fraud. For some of the "greatest" hackers out there it was their way into the dark arts, and we have now seen how it can manifest itself on Exchange Unified Messaging.

The weak link (as is usually the case) is credentials. For Exchange UM (Outlook Voice Access) your username is your phone number and your password is a PIN that is set at account creation. If that PIN is insecure (everyone in the company has it set the same, it's the last 4 digits of the phone number, it follows a common pattern, it never expires, it's written on a post-it) then you have a perfect attack vector.

The process that is followed is thus:

  1. The attacker calls the victim and leaves a voicemail (in the cases we have seen this voicemail was left after working hours on a Friday, indicating some pre-work had been done by the attacker).
  2. The voicemail will have been left from the presentation number (real or spoofed) that the attacker wants to force the phone system to call (a premium rate number, a foreign mobile number, et al).
  3. Once the voicemail is left, the attacker dials the user again and, during the "Please leave a voicemail" message, presses the * key. This tells Exchange to request the PIN for the account, which the attacker already has (for one of the reasons above).
  4. The attacker is now in the user's mailbox. It is then simply a case of listening to the voicemail and selecting the "Call user back" option; the system calls the number left in step 2.

So what can be done?
First - ensure that the security of your users' UM PINs is taken as seriously as their domain credentials. Look at the (version-specific) documentation and set things like disallowing common patterns and expiring the PIN.

Second - think about your outdialing plans: if your company is based in the UK and has no clients abroad, does your UM system need to be able to place international calls? How about premium rate numbers (watch out for 070 numbers)?
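As an added example (not from the original post), the following Exchange Management Shell script audits and applies both recommendations: it tightens the UM mailbox policy PIN settings, forces existing PINs to be changed, and restricts outdialing to UK geographic/non-geographic numbers. The policy and dial plan names, the numeric thresholds and the number masks are placeholders you must adjust; the `ConfiguredInCountryOrRegionGroups` string layout ("Name,NumberMask,DialedNumber,Comment") is assumed from the cmdlet documentation.

```powershell
# Placeholders: replace with your own UM mailbox policy and dial plan names.
$PolicyName   = 'Default Policy'
$DialPlanName = 'UK Dial Plan'

# 1. Audit: show policies that allow the weak PINs the post describes
#    (common patterns, short PINs, PINs that never expire, unlimited guesses).
Get-UMMailboxPolicy |
    Select-Object Name, AllowCommonPatterns, MinPINLength, PINLifetime,
                  PINHistoryCount, MaxLogonAttempts, LogonFailuresBeforePINReset |
    Format-Table -AutoSize

# 2. Harden the PIN policy (values are assumed examples, not a recommendation
#    from the post; pick what fits your own password standard).
Set-UMMailboxPolicy -Identity $PolicyName `
    -AllowCommonPatterns $false `        # no 1234, 1111, 2468-style PINs
    -MinPINLength 8 `                    # longer than "last 4 digits of the extension"
    -PINLifetime 90 `                    # PIN expires, in days
    -PINHistoryCount 5 `                 # cannot cycle back to an old PIN
    -MaxLogonAttempts 5 `                # lock the UM mailbox after 5 bad PINs
    -LogonFailuresBeforePINReset 3       # reset the PIN after 3 bad attempts

# 3. Expire every current PIN on that policy so a shared/default PIN
#    cannot survive the policy change; users set a new one at next sign-in.
Get-UMMailbox -ResultSize Unlimited |
    Where-Object { $_.UMMailboxPolicy -eq $PolicyName } |
    ForEach-Object { Set-UMMailboxPIN -Identity $_.Identity -PinExpired $true }

# 4. Restrict outdialing: only the groups listed here can be called back.
#    Masks are constructed UK examples ('x' = any digit): 01/02 geographic and
#    03 non-geographic. 07 numbers (mobiles and 070 personal numbers) and all
#    international numbers are absent, so "Call user back" cannot reach them.
Set-UMDialPlan -Identity $DialPlanName `
    -ConfiguredInCountryOrRegionGroups @(
        'UKGeographic01,01xxxxxxxxx,01xxxxxxxxx,UK 01 geographic numbers',
        'UKGeographic02,02xxxxxxxxx,02xxxxxxxxx,UK 02 geographic numbers',
        'UKNonGeo03,03xxxxxxxxx,03xxxxxxxxx,UK 03 non-geographic numbers') `
    -ConfiguredInternationalGroups $null     # no international groups at all

# Then permit only those groups on the mailbox policy (and no international ones).
Set-UMMailboxPolicy -Identity $PolicyName `
    -AllowedInCountryOrRegionGroups @('UKGeographic01', 'UKGeographic02', 'UKNonGeo03') `
    -AllowedInternationalGroups $null

# 5. Re-run the audit to confirm the change took effect.
Get-UMMailboxPolicy -Identity $PolicyName |
    Format-List AllowCommonPatterns, MinPINLength, PINLifetime, MaxLogonAttempts,
                AllowedInCountryOrRegionGroups, AllowedInternationalGroups
```

Run the audit step first against all policies; the hardening steps change user-facing behaviour and should be tested on one policy before being rolled out to the rest.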

The route that was taken for the fraud is shown here: