A hacker recently obtained unauthorised access to the IP telephony (VoIP) system of a Perth business, making 11,000 calls costing over $120,000, according to the Western Australian police.
The calls were made over a period of 46 hours, the police said, and the business only became aware of the imposition when it received an invoice from its service provider.
Thieves have always targeted PBX systems by finding numbers used for remote calling — for mobile employees or those requiring international call access outside of business hours — to make calls at the company's expense.
This has in the past been exploited for uses such as routing calls made on cheap international phone cards, according to Pure Hacking senior security consultant Chris Gatford.
However, police said they were more concerned with the increasing number of occurrences such as that in Perth where the thieves gained access to users' VoIP network. They have issued a warning to small businesses to ramp up their VoIP security.
"Business operators should invest in appropriate security software to protect their communication systems. Most businesses are prepared to install firewalls on their computers but fail to extend that level of security to their phone systems," detective sergeant Jamie McDonald said in a statement.
Pure Hacking's Gatford said that he saw fraudsters exploiting weak VoIP passwords as more of a threat than the older-style targeting of PBX systems. "From a fraud perspective, an ISP-based VoIP gateway with a weak user name and password would be the bigger problem going forward in telephony," he said.
VoIP systems from companies such as Alcatel-Lucent, Cisco and Avaya were quite good, Pure Hacking's Gatford said, but were unlikely to be found in very small businesses due to the cost.
To prevent businesses landing in the same VoIP quagmire as the Perth company, Gatford suggested that businesses create strong passwords and change them regularly. He also said that businesses with "road warriors" needed to be aware of the wireless or hotel networks they were conducting their business from.