Companies, mind your phone systems !

I used to work for a private company that had state of the art network security and strict security policies on everything, except their phone system, and this article will discuss the risk of crafty people from syphoning information from gullible employees.

It all started one day when I received a random call at my desk from a company claiming to be a Microsoft partner and needed to validate some information in their database. I immediately identified a scam and started to shawl the caller with questions. While the caller was trying to get back to the scripted questions, I logged on our PBX and identified the caller’s number. Then I search the incoming call history and saw that our company received hundreds of calls from this same person, but at all different destination extension each times.

I was obvious to me that the caller was collecting more information about the company I worked for than what should be acceptable. I discovered how far down the rabbit hole their call could bring you when they reached a colleague of mine working meters away from me. I could hear his conversation and knew that this caller from allegedly, “Microsoft”, was the originating call. My colleague started spitting out company information and answering every questions this person had. Quite a breach in security there buddy!

Therefor, as an initiative, I pulled the logs from the phone system for the past several months and looked for patterns of large amount of incoming calls. There were many! It seem that this (these) companies specialize at calling companies and slowly build a complete profile of employees, names, titles, email addresses,…etc. This information can then be sold back to marketing firms, or simply stolen and exploited by crafty scam artists. Neither one I would trust.

I then proceeded with building an inbound call filter and re-routing all of these originating call numbers to a fantom voice message box announcing that all our circuits were busy and asked them to leave a call back number. They never did.

Yes, your telephone system is at risk. In the old days, hackers tried to breach phone system to get enough control to call in and then get an outside line so they could make expensive long distance calls all over the world, and your company would get stuck with the long distance bill. But these days, it’s so cheap to make a call around the world that no one bothers to do this anymore. What hackers (Or research marketing firms) will do is to call in and ask for an extension number, and then cover each extension numbers incrementally, one by one. This requires a lot of inbound calls.

I was a bit baffled that our receptionist who answers and dispatch all the incoming calls during the day didn’t pick up on the fact that the same person could call in 50 times per day and ask for a different extension number each time. But then again, the receptionist was probably not trained to pay attention to those details and made minimum salary, so she routed the call without asking any questions. That where you can make a difference! You should train your receptionist and staff about social engineering made over the phone system. First rule of thumb, no one should give out any type of information to anyone without having validate the caller’s identity first.

And just like a multi-factor authentication, all information given should be done thru an alternate channel, further validating the recipient of the information. Also, managers should inform their teams about what king of information CAN or CAN’T be given over the phone, and specially to random callers. The company I worked for, although has stric security policies, never bothered training me of them. That was a huge weakness.

A network environment should have SIEM, and so should your phone system. I should be able to detected large amounts of “same number” inbound calls and alert your CISO. It should also allow your security staff to make analysis of inbound calls to determine risks, potential breach, and targeted employees who are vulnerable to giving out too much information to random callers.

No because a phone system is old school technology that it is NOT exploited by bad actors. Keep an eye on those phone call logs, and if your staff all operate on cell phone, see if you can import those cell phones call report into a SIEM database and make analysis of incoming calls.

Do you know who is really calling ? If you don’t, you shouldn’t be talking to them.

This entry was posted in Articles, Stories and tagged , , , . Bookmark the permalink.