Unity Connection 10 - Toll Fraud

Kirill Klimakhin · ‎12-14-2015

Hi everyone,

One of my clients was involved in a toll fraud hack through their Unity Connection server (from what it seems like...)

All the calls originated from the Unity Connection voicemail ports in CUCM when I look at the CDR records. I checked the Unity server and the restriction tables are in place.

How could anyone dial into Unity Connection and force it to place an outbound call?

Thanks.

Manish Gogna · ‎12-14-2015

Hi,

The toll fraud prevention should be set up as per the following

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/9x/security/guide/9xcucsecx/9xcucsec020.html

If it still happens then please get detailed ccm traces for one of the calls to see where the call originated from as it will come in thru cucm.

Manish

- Do rate helpful posts -

mikeleebrla · ‎12-18-2015

The quickest and easiest way to prevent this (if you are using skinny between CUCM and CUC) is to make sure that the Unity ports in CUCM aren't using a Calling Search Space that has access to the PSTN. The same is true if you are using a SIP trunk between the two, just check the CSS.

But to answer your question about how someone could get into Unity and then dial out,,,, usually this happens when an end user's voicemail PIN is guessed (weak PIN) and then once they are in the account, they set the transfer rule to transfer to an offnet number. To see this,,, from the users mailbox, click edit, then transfer rules, then standard. Now once a call is transferred from unity, to this users box, they will be sent offnet to the PSTN.