There are a number of reasons to keep your voicemail secure. The most significant may be preventing theft of information. Celebrities and politicians are the most obvious targets; the escapades of reporters working for Rupert Murdoch’s News of the World are testament to this (see Hack Attack). Business leaders and decision makers should also be concerned, since much proprietary information is left in voicemail messages.

Many businesses, though, have found their voicemail systems compromised, resulting in very large phone bills for fraudulent calls.

The Better Business Bureau recently warned of it, calling it a “new” type of fraud. It is far from new. At ExecSecurity we have worked on such cases going back as far as 1996, and I’m sure incidents have been occurring ever since voicemail systems were first put to use.

From KMTV in OMAHA, Neb. – The Better Business Bureau is warning about a new kind of voice mail fraud. 

An Omaha company told the BBB they received a call from the fraud department of their phone service provider. The business owner was told that international calls had been made from their phone.  About three weeks later, the business got its phone bill and found a charge of $300 for international calls placed the day before they were notified of the fraud. 

According to the Federal Communications Commission, the scammers call into voice mail systems and search for voice mailboxes that still have the default passwords or have passwords with easily guessed combinations. The BBB says that includes combos like 1-2-3-4, 1-1-1-1 or the last four digits of the company’s phone number.  

“Hackers know these common default passwords and keep trying them until they are able to break into the phone system,” stated BBB President and CEO Jim Hegarty in a news release. “They can tell what voice mail system is being used by listening to the prompting pattern. After finding the default password, the hackers look for a mailbox they can access. Once connected, the hacker uses the connection to make multiple international calls.”   [more at KMTV]

In January 2013, the Federal Communications Commission updated its consumer guide warning about voicemail fraud:

https://transition.fcc.gov/cgb/consumerfacts/voicemailfraud.pdf

They explain a few scenarios:

The Scam Works Like This:

A hacker calls into a voice mail system and searches for voice mailboxes that still have the default passwords active or have passwords with easily-guessed combinations, like 1-2-3-4. (Hackers know common default passwords and are able to try out the common ones until they can break into the phone system.) The hacker then uses the password to access the phone system and to make international calls.

The hacker does this by first changing the voice mailbox’s outgoing greeting to something like “Yes, yes, yes, yes, yes, operator, I will accept the charges.” Then, the hacker places a collect call to the number they’ve just hacked. When the (automated) operator (which is usually programmed to “listen for” key words and phrases like “yes” or “I will accept the charges”) hears the outgoing “yes, yes, yes, yes, yes, operator, I will accept the charges” message, the collect call is connected. The hacker then uses this connection for long periods of time to make other international calls.

There is also another twist to this scam. A hacker breaks into voice mailboxes that have remote notification systems that forward calls or messages to the mailbox owner. The hacker programs the remote notification service to forward to an international number. The hacker is then able to make international calls.

The advice they give is sound:

What You Should Do to Prevent This Risk:

To avoid falling prey to this scam, the FCC recommends voice mail users do the following:

• always change the default password from the one provided by the voice mail vendor;
• choose a complex voice mail password of at least six digits, making it more difficult for a hacker to detect;
• change your voice mail password frequently;
• don’t use obvious passwords such as an address, birth date, phone number, or repeating or successive numbers, i.e. 000000, 123456;
• check your recorded announcement regularly to ensure the greeting is indeed yours. Hackers tend to attack voice mailboxes at the start of weekends or holidays;
• consider blocking international calls, if possible; and
• consider disabling the remote notification, auto-attendant, call-forwarding, and out-paging capabilities of voice mail if these features are not used.

The FCC document is a bit broad, but it does cover many good points.
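The FCC’s password rules are easy to state but rarely checked across a whole phone system. The following is an added example (not from the FCC guide, from ExecSecurity, or from any phone system vendor) of a small Python audit that applies those rules to an exported list of mailbox PINs: it flags vendor defaults, PINs shorter than six digits, repeating or successive digits, and PINs derived from the extension, the company’s phone number or a birth date. The default list, the sample mailboxes, the company number and the six-digit minimum are assumptions constructed for the example; a real audit would load the installed vendor’s documented defaults and whatever personal data the site actually holds.

```python
import re
from typing import Optional

MIN_LENGTH = 6
# Constructed list of factory defaults and obvious combos (an assumption for the
# example; a real audit loads the installed vendor's documented defaults).
COMMON_DEFAULTS = {"0000", "1111", "1234", "1212", "000000", "111111", "123456"}


def _digits(value: Optional[str]) -> str:
    """Keep only digits so '(402) 555-0199' and '1985-03-14' compare as digit strings."""
    return re.sub(r"\D", "", value or "")


def is_successive(pin: str) -> bool:
    """123456 or 654321 style: every step between neighbouring digits is +1, or every step is -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeating(pin: str) -> bool:
    """One digit repeated (000000) or a short block repeated to fill the PIN (121212, 123123)."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def date_forms(birth_date: Optional[str]) -> set:
    """Digit strings a user might type from a YYYY-MM-DD birth date."""
    d = _digits(birth_date)
    if len(d) != 8:
        return set()
    year, month, day = d[:4], d[4:6], d[6:]
    return {year + month + day, month + day + year, day + month + year,
            month + day + year[2:], day + month + year[2:], year[2:] + month + day,
            month + day, day + month}


def pin_findings(pin: str, extension: Optional[str] = None,
                 phone_number: Optional[str] = None,
                 birth_date: Optional[str] = None) -> list:
    """Return the policy violations for one PIN; an empty list means it passes."""
    findings = []
    if not pin.isdigit():
        return ["contains non-digits"]
    if pin in COMMON_DEFAULTS:
        findings.append("common default")
    if len(pin) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} digits")
    if is_successive(pin):
        findings.append("successive digits")
    if is_repeating(pin):
        findings.append("repeating digits")
    ext = _digits(extension)
    if ext and (ext in pin or pin in ext):
        findings.append("derived from extension")
    phone = _digits(phone_number)
    if phone and pin in phone:
        findings.append("derived from phone number")
    if pin in date_forms(birth_date):
        findings.append("derived from birth date")
    return findings


def audit(mailboxes, company_phone: str) -> dict:
    """Map extension -> findings for every mailbox that fails; compliant ones are omitted."""
    report = {}
    for extension, pin, birth_date in mailboxes:
        findings = pin_findings(pin, extension, company_phone, birth_date)
        if findings:
            report[extension] = findings
    return report


# Constructed sample export (extension, PIN, birth date from HR where known).
SAMPLE_COMPANY_PHONE = "(402) 555-0199"
SAMPLE_MAILBOXES = [
    ("2001", "1234", None),            # vendor default never changed
    ("2002", "0199", None),            # last four digits of the main number
    ("2003", "200300", None),          # extension padded with zeros
    ("2004", "031485", "1985-03-14"),  # birth date typed as MMDDYY
    ("2005", "987654", None),          # descending run
    ("2006", "481903", None),          # passes the policy
]

if __name__ == "__main__":
    for extension, findings in sorted(audit(SAMPLE_MAILBOXES, SAMPLE_COMPANY_PHONE).items()):
        print(f"ext {extension}: {', '.join(findings)}")
```

Run it against the PIN export most PBX administration tools can produce; every extension it lists is one a caller working through the common defaults could reach. Note that an attacker does not need the mailbox owner’s birth date to guess a PIN derived from it, so the birth-date check is only as good as the HR data fed to it.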

The $300 mentioned in the KMTV story is a relatively small loss. We have seen bills of $2,000 to $6,000 and above. The lower cost of international calls in recent years has made some of this hacking less lucrative for the perpetrators, but one type of hack does not involve conversations at all. It causes the phone system to dial international premium-rate “toll” numbers (the equivalent of “900” numbers in the US), where the caller is billed per minute for as long as the call stays up, and the number’s owner collects a share of those per-minute charges. The hackers try to keep the call alive for as long as possible, often for many hours.

In recent years we have seen another development in voicemail hacks. This form takes advantage of the auto-attendant feature of many voicemail systems, which lets an outside caller dial an extension within the company. The phone system may also accept digits that are not extensions at all but “system codes” normally used for special features, including codes that seize an outside line for calls that end up on the company’s phone bill. By entering the right code followed by the appropriate digits, the caller tricks the phone system into placing an international call on the company’s own phone lines.


Hackers often do their work in the evening, on weekends, and especially at the start of holiday weekends. When they find a susceptible system, this gives them more time before there is a chance of the hack being discovered.
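The signs described above (international or premium-rate calls, placed after hours or on weekends, kept up for hours, in bursts from one mailbox or extension) are all visible in a phone system’s call detail records, so they can be checked automatically rather than discovered on the bill weeks later. The following is an added example, not code from this article or from any vendor, that runs that detection over a constructed CDR export in Python. The CSV layout, the business-hours window, the thresholds and the US dialing prefixes (011 for international, 1-900 for premium-rate) are assumptions; adjust them to the PBX’s actual export format and the site’s own hours and holiday calendar.

```python
import csv
from collections import defaultdict
from datetime import datetime, time, timedelta
from io import StringIO

# Constructed CDR export (not real traffic): call start, originating extension or
# mailbox, the digits the PBX sent to the trunk, and the duration in seconds.
SAMPLE_CDR = """\
start,source,dialed,duration
2013-01-18 09:12:00,2010,14025550123,180
2013-01-18 10:40:00,2015,0114420712345678,420
2013-01-18 18:05:00,2003,0112215551234,900
2013-01-18 23:31:00,2003,0112215551235,7200
2013-01-19 01:02:00,2003,0112215551236,6600
2013-01-19 02:55:00,2003,19005551234,5400
2013-01-21 14:00:00,2010,14025550188,60
"""

# Site-specific assumptions: office hours, what counts as a suspiciously long
# toll call, and how many toll calls from one source in a window make a burst.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
LONG_CALL = timedelta(hours=1)
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(hours=24)


def parse_cdr(text: str) -> list:
    """Parse the CSV export into typed records, oldest first."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "source": row["source"],
            "dialed": row["dialed"],
            "duration": timedelta(seconds=int(row["duration"])),
        })
    return sorted(records, key=lambda r: r["start"])


def classify(dialed: str) -> str:
    """US trunk dialing (assumed): 011 prefix = international, 1-900 = premium-rate."""
    if dialed.startswith("011"):
        return "international"
    if dialed.startswith("1900") or dialed.startswith("900"):
        return "premium"
    return "domestic"


def is_off_hours(start: datetime) -> bool:
    """Weekend, or a weekday call outside the business-hours window."""
    open_at, close_at = BUSINESS_HOURS
    return start.weekday() >= 5 or not (open_at <= start.time() < close_at)


def detect(records: list) -> list:
    """One alert per toll call that is off-hours or long, plus one per source that bursts."""
    alerts = []
    toll_starts = defaultdict(list)
    for r in records:
        kind = classify(r["dialed"])
        if kind == "domestic":
            continue
        toll_starts[r["source"]].append(r["start"])
        reasons = []
        if is_off_hours(r["start"]):
            reasons.append("off-hours")
        if r["duration"] >= LONG_CALL:
            reasons.append("long duration")
        if reasons:
            alerts.append({"source": r["source"], "kind": kind, "dialed": r["dialed"],
                           "start": r["start"], "reasons": reasons})
    # Burst: BURST_THRESHOLD or more toll calls from one source inside BURST_WINDOW.
    # Starts are already in time order because the records were sorted.
    for source, starts in toll_starts.items():
        for i, first in enumerate(starts):
            in_window = [s for s in starts[i:] if s - first <= BURST_WINDOW]
            if len(in_window) >= BURST_THRESHOLD:
                alerts.append({"source": source, "kind": "burst", "dialed": None,
                               "start": first,
                               "reasons": [f"{len(in_window)} toll calls within {BURST_WINDOW}"]})
                break
    return alerts


def suspicious_sources(alerts: list) -> list:
    """Extensions or mailboxes to lock and investigate, in sorted order."""
    return sorted({a["source"] for a in alerts})


if __name__ == "__main__":
    found = detect(parse_cdr(SAMPLE_CDR))
    for a in found:
        print(f"{a['start']}  {a['source']}  {a['kind']:<13} {a['dialed'] or '':<17} {', '.join(a['reasons'])}")
    print("lock and investigate:", ", ".join(suspicious_sources(found)))
```

In the constructed sample the legitimate daytime call from extension 2015 to the UK passes quietly, while mailbox 2003 produces four individual alerts and a burst alert between Friday evening and Saturday morning, which is exactly the window the article says attackers favour. Running this nightly against the previous day’s export, with a holiday calendar added to is_off_hours, gives a chance to lock the mailbox and block the trunk before the bill arrives.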

Phone companies will often help you recover part of your losses if you can demonstrate that you have taken steps to ensure your system is secure.

If you suspect your system may have been hacked, or if you want to know whether your system is vulnerable, start by contacting your phone system vendor. Most major phone system providers are aware of the potential for hacking and often issue security updates to their dealers. We are available to work with phone vendors if they are not familiar with such vulnerabilities. In the meantime, review the FCC recommendations listed above and develop good company policies to help secure your systems. While the main emphasis of this article has been business voicemail systems, many of the FCC recommendations apply to your cellphone voicemail as well.