The Australian Federal Police (AFP) warned Australian IT security professionals at last week's AusCERT 2010 conference to do penetration testing on their telephone systems or risk having their PABX hacked.
"PABX hacking and fraud ... is happening more and more," AFP investigator Alex Tilley said. "It's been around for donkey's years, but in the last few months we've seen domestically and globally a major uptick in the amount of money that's being lost through PABX hacking," he said.
Tilley described an example scenario.
"You go home as a system administrator at night, come in the next morning and you've got an email from a telco saying 'Hey, by the way, you just made $30,000 worth of calls to Cuba last night, is that normal?'"
The problem was that in many cases customers didn't get their funds back, he said.
"You won't get your money back because [your telco] supplied you with a service, you used the service, and then all of a sudden you misconfigured your PABX and someone else has used it to make a lot of calls from a far off place," Tilley said.
"When did you last [penetration] test your PABX? It's not just a black box sitting in the corner," he said.
Ben Grubb travelled to the conference as a guest of AusCERT.