Tom Talks Microsoft Teams and Microsoft 365 news and opinions

Exchange UM Toll Fraud Risk, Don’t Weaken Your PIN Settings

Exchange Unified Messaging is the voicemail platform common to most Lync/Skype for Business installs, but it also supports PBX systems. We’ve recently seen a new toll fraud attack that targets Exchange UM to relay calls and either bypass call charges or run up charges on premium rate numbers.

The attack relies on guessing or otherwise compromising users’ PINs.

  • The attacker then calls the compromised user’s DDI, presenting their calling party number as the number they want to call, +4444 (most likely spoofing the calling party number),
  • Leaves a short, usually empty, voicemail.
  • They then call the DDI again, press * on the voicemail greeting and enter the user’s PIN. From here they can listen to the voicemails, and critically Exchange UM allows users to “call back” people who left voicemails, allowing the attacker to bridge their current, usually local rate, call to the voicemail calling party (+4444).

By leaving a voicemail from a spoofed premium rate number (+4444 in our example), the attacker can then rack up charges to that number, or get a low-cost call to some international or mobile number.

By default, Exchange UM PINs are 6 digits, random, don’t allow common patterns, and lock out after 5 incorrect attempts. Unfortunately some people set these to less secure 4 digits, or allow common patterns (like the last X digits of the phone number, or setting all user PINs to the same number). It’s unclear if the PINs are being guessed or war dialed, but since the default number of attempts before lockout is 5, it seems more likely they are being guessed, leaked or social engineered somehow.

Standard advice is to keep these PINs at least 6 digits (or longer) and complex, keep the lockout feature, and consider limiting the call back feature’s dial plan to only allow internal extensions or regional/national numbers, as appropriate for your organisation. You could even disable this feature for users that don’t use it (doesn’t everyone listen to voicemail in their email these days? :-)
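As an added example (not from the post), the following Exchange Management Shell script audits every UM mailbox policy for the weakened settings described above and then restores the recommended ones on a policy. The parameter names are those of the real Get-UMMailboxPolicy / Set-UMMailboxPolicy cmdlets; the policy name “Default Policy” and the dialing-rule group name “National” are placeholders, and the group must already be defined on the UM dial plan before it is referenced here.

```powershell
# Added example, not the post's own code. Assumes an Exchange Management Shell
# session (on-premises Exchange with UM). Policy and group names are placeholders.

# 1. Audit: list policies whose PIN or call-back settings are weaker than the
#    defaults the post describes (6 random digits, no common patterns, lockout at 5).
$weakPolicies = Get-UMMailboxPolicy | ForEach-Object {
    $issues = @()
    if ($_.MinPINLength -lt 6) {
        $issues += "MinPINLength=$($_.MinPINLength)"
    }
    if ($_.AllowCommonPatterns) {
        $issues += "AllowCommonPatterns=True (last digits of DDI, repeated digits, etc.)"
    }
    if ($_.LogonFailuresBeforePINReset -gt 5) {
        $issues += "LogonFailuresBeforePINReset=$($_.LogonFailuresBeforePINReset)"
    }
    if ($_.AllowedInternationalGroups.Count -gt 0) {
        $issues += "International call-back permitted via: $($_.AllowedInternationalGroups -join ',')"
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Policy = $_.Name; Issues = ($issues -join '; ') }
    }
}
$weakPolicies | Format-Table -AutoSize

# 2. Harden one policy (placeholder name): 6-digit PINs, no common patterns,
#    lockout after 5 failures, no international call-back, and call-back limited
#    to the "National" dialing-rule group (placeholder) plus internal extensions.
Set-UMMailboxPolicy -Identity "Default Policy" `
    -MinPINLength 6 `
    -AllowCommonPatterns $false `
    -LogonFailuresBeforePINReset 5 `
    -AllowedInternationalGroups $null `
    -AllowedInCountryOrRegionGroups "National" `
    -AllowExtensions $true `
    -AllowDialPlanSubscribers $true

# 3. Confirm the change took effect.
Get-UMMailboxPolicy -Identity "Default Policy" |
    Format-List Name, MinPINLength, AllowCommonPatterns, LogonFailuresBeforePINReset,
                AllowedInCountryOrRegionGroups, AllowedInternationalGroups
```

Run the audit block on its own first; it is read-only. The hardening step changes behaviour for every mailbox on that policy, so apply it per policy once you know which users genuinely need national call-back, and leave AllowedInternationalGroups empty unless there is a documented business case.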

Tobie Fysh has a great write up of the attack and mitigations here, check it out.

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Founder and Principal at Empowering.Cloud as well as a Solutions Director at Pure IP.

Tom stays up to date with industry developments and shares news and his opinions on his Tomtalks.blog, UC Today Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.

2 comments


  • Isn’t the likelihood of such an attack pretty low, as dialing rule restrictions by default don’t allow UM to place any call? Usually you wouldn’t allow international calls either from UM. Regardless, all the more reason to encourage proper use of dialing rule restrictions in UM to prevent toll fraud.
