IPComms
Security | Updated February 9, 2026 | 20 min read

PBX Hacking: What It Is, How It Works & How to Prevent It

What is PBX hacking and how do hackers make money from it? This complete guide covers how phone system attacks work, warning signs your PBX has been hacked, and 11 proven ways to secure your Asterisk, FreePBX, or hosted PBX from toll fraud.

Critical Security Notice

Toll fraud can result in phone bills of $10,000 to $100,000+ in a single weekend. Attackers target PBX systems 24/7 using automated tools. If your system is exposed to the internet without proper security, it is only a matter of time before you become a victim.

What Is PBX Hacking?

PBX hacking (also called toll fraud, PBX fraud, or VoIP hacking) is the unauthorized access and exploitation of a Private Branch Exchange (PBX) phone system. Attackers break into business phone systems to make calls at the victim's expense, typically routing traffic to expensive international premium-rate numbers.

PBX hacking is one of the most costly forms of telecommunications fraud. The Communications Fraud Control Association (CFCA) estimates global telecom fraud losses exceed $38 billion annually, with PBX hacking and toll fraud accounting for a significant share. Any business running an IP PBX — whether Asterisk, FreePBX, 3CX, or a legacy system — is a potential target.

Unlike data breaches that steal information, PBX hacking directly costs you money. A compromised system can generate $10,000 to $100,000+ in fraudulent call charges in a single weekend, and the business is typically liable for the bill.

Weekend Attacks: Most attacks occur Friday evening through Monday morning when IT staff are unavailable. A hacked PBX can generate $50,000+ in fraudulent calls in 48 hours.

How PBX Hacking Works

PBX hackers use a combination of automated scanning tools and manual exploitation techniques to find and compromise phone systems. Here is a typical attack sequence:

Step 1: Scanning

Automated tools (like SIPVicious, Sippts, or custom scripts) scan millions of IP addresses for SIP services running on port 5060. Any PBX exposed to the internet is discovered within hours.

Step 2: Enumeration

Once a SIP server is found, attackers enumerate valid extensions by sending SIP REGISTER or OPTIONS requests. Common extensions (100-999, 1000-9999) are tested rapidly.

Step 3: Brute Force

With valid extensions identified, attackers launch dictionary and brute-force attacks against SIP passwords. Weak passwords (matching the extension number, simple words, or default credentials) are cracked in seconds.

Step 4: Exploitation

Once authenticated, the attacker registers as a valid extension and begins placing outbound calls — typically hundreds of simultaneous calls to premium-rate international numbers.

This entire process — from scanning to exploitation — can happen in under an hour for poorly secured systems. Attackers operate 24/7 using botnets and automation, making it a numbers game: scan enough IPs, and vulnerable PBX systems are found constantly.

How Do PBX Hackers Make Money?

PBX hacking is a profitable criminal enterprise. Here are the primary ways hackers monetize compromised phone systems:

International Premium Rate Fraud

The most common scheme. Hackers own or partner with premium rate numbers in high-cost destinations (Cuba, Somalia, Latvia, Sierra Leone, Guinea). They route thousands of calls through your PBX to these numbers, earning $0.10–$1.00+ per minute in revenue sharing while you pay the inflated per-minute charges.

Call Selling Services

Compromised PBX systems become unauthorized gateways for cheap international calling. Hackers sell calling cards, VoIP minutes, or callback services to third parties, using your system (and your bill) to terminate the calls. This is common in regions with expensive international rates.

Wangiri (One-Ring) Fraud

Your PBX places brief one-ring calls to thousands of phone numbers. Curious recipients call back the missed number, which connects to expensive premium-rate lines controlled by the fraudsters. Your PBX generates the initial calls; the callbacks generate the revenue.

Caller ID Spoofing for Scams

Hackers use your legitimate business caller ID to conduct phone scams (IRS impersonation, tech support fraud, etc.). Your real business number makes the scam more convincing. This damages your reputation and can trigger STIR/SHAKEN violations and legal liability.

The Economics of PBX Fraud

A single compromised PBX running 50 concurrent calls to premium-rate numbers at $0.50/min generates $1,500/hour for the attacker. Over a weekend (48 hours), that is $72,000 in fraudulent charges on your account. The attacker takes a revenue-share cut; you get the bill.

Signs Your PBX Has Been Hacked

Early detection is critical to limiting damage. Watch for these warning signs that indicate your PBX may be compromised:

Unexpected spike in call volume

Suddenly seeing dozens or hundreds of concurrent calls, especially outside business hours.

Calls to unfamiliar international destinations

CDRs showing calls to countries you do not do business with, especially high-fraud destinations like Cuba (+53), Somalia (+252), Latvia (+371), or Sierra Leone (+232).

Unusually high phone bill

A sudden jump in your SIP trunk charges, especially international usage you cannot explain.

Failed registration attempts in logs

Asterisk logs showing thousands of failed SIP registration attempts from unknown IP addresses — a sign of active brute-force attacks.

Complaints about your caller ID

People calling back saying they received calls from your number that you did not make. Your caller ID is being spoofed.

Calls at unusual hours

Active calls showing on your PBX at 3 AM when no employees should be making calls.

Pro Tip: Set up automated alerts for after-hours call activity and international dialing. If your PBX is making calls at 2 AM on a Saturday, you want to know immediately — not on Monday morning when the bill is already $50,000.

Common Attack Vectors

1. Brute Force SIP Registration

The most common attack. Automated tools scan the internet for SIP servers on port 5060 and attempt thousands of username/password combinations. Default or weak credentials are cracked within minutes.

Common weak credentials attackers try: 100/100, 1001/1001, admin/admin, extension numbers matching passwords, voicemail PIN as SIP password

2. Social Engineering

Attackers call your company posing as telecom support, IT vendors, or even employees. They trick staff into revealing PBX credentials, transferring calls to premium numbers, or enabling call forwarding to external lines.

3. Misconfiguration Exploitation

Poorly configured PBX systems often have:

  • Open SIP ports allowing anonymous calling
  • Unrestricted outbound dialing (no international call blocking)
  • DISA (Direct Inward System Access) without PIN protection
  • Outbound routes accessible without authentication
  • AMI (Asterisk Manager Interface) exposed to the internet

4. Voicemail System Abuse

Attackers exploit voicemail-to-external transfer features. They access voicemail boxes with default PINs (0000, 1234) and use transfer features to reach outside lines, bypassing normal call restrictions.

5. Web Interface Vulnerabilities

FreePBX and other web GUIs can be compromised through default credentials, unpatched vulnerabilities, or exposure to the public internet. Once attackers access the admin panel, they control the entire phone system.

Essential Security Measures

Strong Password Policy

This is your first line of defense. Every SIP extension must have a strong, unique password.

Password Requirements

  • Minimum 16 characters for SIP secrets
  • Mix of uppercase, lowercase, numbers, and symbols
  • Never use extension number as password
  • Use a password generator, not human-created passwords
  • Change passwords immediately if staff leave

Fail2Ban Configuration

Fail2Ban monitors log files and automatically blocks IP addresses that show malicious behavior. This is essential for protecting against brute force attacks.

Create /etc/fail2ban/jail.local:

# Asterisk/FreePBX Fail2Ban Configuration

[asterisk]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=asterisk, protocol=all]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime  = 86400
findtime = 600

[freepbx]
enabled  = true
filter   = freepbx
action   = iptables-allports[name=freepbx, protocol=all]
logpath  = /var/log/asterisk/freepbx_security.log
maxretry = 3
bantime  = 86400
findtime = 600

Create /etc/fail2ban/filter.d/asterisk.conf:

[Definition]
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.*

ignoreregex =
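To see what the jail above actually decides, here is an added Python example (not part of the original article or of Fail2Ban itself) that applies the filter's four patterns and the maxretry/findtime values from jail.local to constructed Asterisk security-log lines; it assumes logger.conf uses dateformat=%F %T and matches IPv4 addresses only.

```python
import re
from collections import defaultdict
from datetime import datetime

MAXRETRY = 3     # jail.local above: three failures ...
FINDTIME = 600   # ... inside ten minutes earns a ban

# Fail2Ban replaces <HOST> with a capture group; the filter's four patterns are folded into one here
# (IPv4 only for brevity; Fail2Ban's real <HOST> also matches hostnames and IPv6)
FAILREGEX = re.compile(
    r'SECURITY.* SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
    r'.*RemoteAddress=".+?/.+?/(?P<host>\d{1,3}(?:\.\d{1,3}){3})/.*')
# Leading "[YYYY-MM-DD HH:MM:SS]" stamp; assumes dateformat=%F %T in logger.conf
TIMESTAMP = re.compile(r'^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]')

def ban_decisions(lines):
    """Return {ip: iso_time_of_ban} for every IP that fails MAXRETRY times within FINDTIME seconds."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        hit, stamp = FAILREGEX.search(line), TIMESTAMP.match(line)
        if not hit or not stamp:
            continue             # not a failure event (or not a line we can date)
        ip = hit.group('host')
        if ip in bans:
            continue             # already banned: Fail2Ban's iptables rule would have dropped this
        now = datetime.strptime(stamp.group(1), '%Y-%m-%d %H:%M:%S')
        recent[ip] = [t for t in recent[ip] if (now - t).total_seconds() <= FINDTIME] + [now]
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = now.isoformat()
    return bans

def event(ts, kind, ip, account='1001'):
    """Constructed Asterisk security-log line (real lines carry more fields, e.g. EventTV and SessionID)."""
    return (f'[{ts}] SECURITY[2345] res_security_log.c: SecurityEvent="{kind}",Severity="Error",'
            f'Service="PJSIP",AccountID="{account}",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/51234"')

# Constructed sample: one scanner hammering passwords, one slow host that never reaches maxretry
SAMPLE_LOG = [
    event('2026-02-07 02:14:05', 'InvalidPassword', '203.0.113.5'),
    event('2026-02-07 02:14:06', 'ChallengeResponseFailed', '203.0.113.5'),
    event('2026-02-07 02:14:07', 'InvalidAccountID', '203.0.113.5', account='1002'),
    event('2026-02-07 02:14:08', 'InvalidPassword', '203.0.113.5'),    # after the ban: ignored
    event('2026-02-07 02:20:00', 'SuccessfulAuth', '203.0.113.9'),     # not a failure event
    event('2026-02-07 03:00:00', 'InvalidPassword', '198.51.100.7'),
    event('2026-02-07 03:20:00', 'InvalidPassword', '198.51.100.7'),   # 1200 s later: first one aged out
    event('2026-02-07 03:25:00', 'InvalidPassword', '198.51.100.7'),   # only 2 inside 600 s: no ban
    '[2026-02-07 03:25:01] NOTICE[2345] chan_pjsip.c: unrelated log line',
]
```

Running ban_decisions(SAMPLE_LOG) bans only 203.0.113.5 at 02:14:07; the slow host stays unbanned, which is exactly why findtime should be generous when a scanner paces its attempts.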

Firewall Rules (iptables)

Only allow SIP traffic from trusted sources. Never expose port 5060 to the entire internet.

# Allow SIP from your SIP trunk provider (IPComms example)
iptables -A INPUT -p udp -s 208.67.60.0/24 --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -s 66.212.71.0/24 --dport 5060 -j ACCEPT

# Allow SIP from your office IP
iptables -A INPUT -p udp -s YOUR.OFFICE.IP.HERE --dport 5060 -j ACCEPT

# Allow RTP media ports
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

# Drop all other SIP traffic
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p tcp --dport 5060 -j DROP

# Block AMI from external access
iptables -A INPUT -p tcp --dport 5038 -j DROP

Pro Tip: Use iptables-persistent or firewalld to ensure rules survive reboots. Test rules carefully before applying - you can lock yourself out!

Asterisk/FreePBX Specific Hardening

PJSIP Security Settings

Configure your endpoints to require authentication and restrict access:

; /etc/asterisk/pjsip.conf - Secure endpoint template

[endpoint-secure](!)
type=endpoint
context=from-internal
disallow=all
allow=ulaw
allow=alaw
direct_media=no
trust_id_inbound=no
trust_id_outbound=no
send_pai=no
send_rpid=no

[auth-template](!)
type=auth
auth_type=userpass
; Always use strong, randomly generated passwords

[aor-template](!)
type=aor
max_contacts=1
remove_existing=yes
qualify_frequency=60

; Sections marked (!) are templates and are never loaded as objects themselves,
; so auth= and aors= must name concrete sections that inherit from them.
; Example for extension 1001 (one section of each type, all named 1001):
[1001](endpoint-secure)
auth=1001
aors=1001

[1001](auth-template)
username=1001
password=REPLACE_WITH_GENERATED_SECRET

[1001](aor-template)

Disable Guest Calls

Never allow unauthenticated calls. PJSIP has no single switch for this: an unauthenticated (guest) inbound call is only accepted if an endpoint named [anonymous] exists, and a REGISTER is only accepted without credentials if the matching endpoint has no auth= object. So in /etc/asterisk/pjsip.conf make sure there is no [anonymous] endpoint and that every endpoint references an auth section. If you still run the legacy chan_sip driver, set in /etc/asterisk/sip.conf:

[general]
allowguest=no

In FreePBX the same controls are under Settings > Asterisk SIP Settings: set "Allow Anonymous Inbound SIP Calls" and "Allow SIP Guests" to No.

FreePBX Intrusion Detection

Enable the built-in Intrusion Detection module in FreePBX:

  1. Admin > System Admin > Intrusion Detection
  2. Enable "Intrusion Detection"
  3. Set ban time to 86400 (24 hours) or longer
  4. Set max retry to 3
  5. Whitelist your office IP and SIP provider IPs

Restrict Outbound Dialing

Create outbound route restrictions to limit damage if compromised:

  • Block international by default - Only enable for users who need it
  • Block premium rate numbers - 900, 976, and international premium prefixes
  • Set concurrent call limits - No extension should make 50 simultaneous calls
  • Time-based restrictions - Block international calls after hours

DISA Warning: If you use Direct Inward System Access (dial-in for outbound calls), require a strong PIN and restrict which numbers can be dialed. Better yet, disable DISA entirely and use a mobile softphone instead.

Network Security Best Practices

VPN for Remote Users

Instead of exposing SIP to the internet, require remote phones to connect via VPN. This eliminates external SIP port exposure entirely.

Network Segmentation

Place your PBX on a separate VLAN from general network traffic. Limit which devices can communicate with the phone system.

Use TLS/SRTP

Encrypt SIP signaling (TLS on port 5061) and media (SRTP). This prevents eavesdropping and man-in-the-middle attacks.

Disable Unused Services

Turn off AMI if not needed. Disable HTTP/HTTPS management interfaces or restrict to internal IPs only. Remove unused protocols (IAX2, SCCP, H.323).

Session Border Controller (SBC)

For enterprise deployments, consider placing an SBC between your PBX and the internet. The SBC acts as a security proxy that:

  • Hides your PBX topology from external attackers
  • Normalizes SIP messaging to prevent protocol exploits
  • Provides call rate limiting and anomaly detection
  • Handles NAT traversal without exposing the PBX

Monitoring and Detection

Early detection is critical. Set up monitoring to alert you before a small breach becomes a massive phone bill.

What to Monitor

Metric                          Alert Threshold     Why It Matters
Failed registrations            > 10/minute         Indicates brute force attack
Concurrent calls                > normal + 50%      Unusual spike suggests compromise
International calls             Any after hours     Fraud often happens overnight
Calls to premium destinations   Any                 High-cost fraud destinations
Single extension call volume    > 5 concurrent      One compromised extension

Log Analysis Script

Create a simple cron job to alert on suspicious activity:

#!/bin/bash
# /usr/local/bin/pbx-security-check.sh
# Assumes logger.conf uses dateformat=%F %T, so log lines start with "[YYYY-MM-DD HH:MM:SS]"
set -u
ALERT_TO="admin@yourcompany.com"

# Count failed auth attempts in the previous clock hour
FAILED=$(grep 'SecurityEvent="InvalidPassword"' /var/log/asterisk/full | \
    grep -c "^\[$(date -d '1 hour ago' '+%Y-%m-%d %H')")

if [ "$FAILED" -gt 50 ]; then
    echo "ALERT: $FAILED failed auth attempts in last hour" | \
    mail -s "PBX Security Alert" "$ALERT_TO"
fi

# Count active channels whose dialed extension starts with an international prefix (011 or 00).
# "core show channels concise" prints one '!'-separated record per channel; field 3 is the extension.
# Matching that field avoids counting every channel's unique ID, which itself contains "00".
INTL=$(asterisk -rx "core show channels concise" | awk -F'!' '$3 ~ /^(011|00)/' | wc -l)

if [ "$INTL" -gt 5 ]; then
    echo "ALERT: $INTL international calls active" | \
    mail -s "PBX International Call Alert" "$ALERT_TO"
fi

CDR Analysis: Regularly review Call Detail Records. Look for calls to unfamiliar country codes, especially high-fraud destinations like Cuba (+53), Somalia (+252), Latvia (+371), and Sierra Leone (+232).
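The CDR review described above and the thresholds in the monitoring table, as an added Python example that is not from the original article: it reads Asterisk's cdr_csv Master.csv format and flags the high-fraud destinations listed here, international calls outside assumed business hours (Mon-Fri 08:00-17:59, PBX local time), and any extension with more than five simultaneous calls, over constructed sample records.

```python
import csv
from collections import defaultdict
from datetime import datetime
from itertools import accumulate
# Destinations the article singles out as high-fraud, keyed by country code
HIGH_FRAUD_CC = {'53': 'Cuba', '252': 'Somalia', '371': 'Latvia', '232': 'Sierra Leone'}
BUSINESS_HOURS = range(8, 18)   # Mon-Fri 08:00-17:59 in the PBX's local time; adjust to your site
MAX_CONCURRENT_PER_EXT = 5      # "Single extension call volume" threshold from the table above
# Column order of Asterisk's cdr_csv Master.csv (loguniqueid=yes, loguserfield=yes)
CDR_FIELDS = ('accountcode src dst dcontext clid channel dstchannel lastapp lastdata start '
              'answer end duration billsec disposition amaflags uniqueid userfield').split()

def intl_country_code(dst):
    """Strip the international prefix (011, 00 or +) and return the country code; None if domestic."""
    for prefix in ('011', '00', '+'):
        if dst.startswith(prefix):
            digits = dst[len(prefix):]
            known = [cc for cc in HIGH_FRAUD_CC if digits.startswith(cc)]
            return max(known, key=len) if known else digits[:3]   # unknown code: report leading digits
    return None

def max_concurrent(spans):
    """Peak number of overlapping (start, end) intervals; an end at time t sorts before a start at t."""
    events = sorted([(s, 1) for s, _ in spans] + [(e, -1) for _, e in spans])
    return max(accumulate((delta for _, delta in events), initial=0))

def analyze_cdrs(master_csv):
    """Return (rule, extension, detail) alerts for the CDR-visible rules in the monitoring table."""
    alerts, spans = [], defaultdict(list)
    for r in csv.DictReader(master_csv.splitlines(), fieldnames=CDR_FIELDS):
        start, end = (datetime.strptime(r[k], '%Y-%m-%d %H:%M:%S') for k in ('start', 'end'))
        spans[r['src']].append((start, end))
        cc = intl_country_code(r['dst'])          # None for domestic calls
        if cc in HIGH_FRAUD_CC:
            alerts.append(('premium-destination', r['src'], f"{r['dst']} ({HIGH_FRAUD_CC[cc]})"))
        if cc and (start.weekday() >= 5 or start.hour not in BUSINESS_HOURS):
            alerts.append(('after-hours-international', r['src'], r['dst']))
    for ext, intervals in spans.items():
        peak = max_concurrent(intervals)
        if peak > MAX_CONCURRENT_PER_EXT:
            alerts.append(('concurrent-calls', ext, f'{peak} simultaneous'))
    return alerts

def cdr_row(src, dst, start, end):       # constructed Master.csv line; fields the rules ignore are empty
    return (f'"","{src}","{dst}","from-internal","","PJSIP/{src}-00000001","","Dial","",'
            f'"{start}","{start}","{end}","0","0","ANSWERED","DOCUMENTATION","",""')
# Constructed sample: ext 1001 makes six overlapping calls to Cuba at 02:14 on a Saturday; ext 1002 calls the UK on a Monday morning
SAMPLE_CDR = '\n'.join(
    [cdr_row('1001', f'0115378{n}12345', '2026-02-07 02:14:00', '2026-02-07 02:24:00') for n in range(6)]
    + [cdr_row('1002', '01144207946000', '2026-02-09 10:00:00', '2026-02-09 10:05:00')])
```

analyze_cdrs(SAMPLE_CDR) returns thirteen alerts, all for extension 1001 (six premium-destination, six after-hours, one concurrency), and nothing for the UK business-hours call; point it at your real Master.csv from cron and mail anything it returns.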

What to Do If You've Been Hacked

Time is Money: Every minute counts. A compromised PBX can generate hundreds of dollars in fraudulent calls per hour. Act immediately.

Immediate Steps

  1. Disconnect from the network - Pull the ethernet cable or disable the network interface. Stop the bleeding.
  2. Contact your SIP provider - Call IPComms support immediately. We can disable your trunk to stop outbound calls.
  3. Document everything - Screenshot active calls, save logs, note timestamps. You may need this for insurance or law enforcement.
  4. Change all passwords - Every SIP extension, admin interface, AMI, SSH, and database password must be changed.
  5. Review CDRs - Identify which extension(s) were compromised and what numbers were called.

Recovery Process

  1. Apply all security measures from this guide before reconnecting
  2. Consider a fresh install if the system may have been rootkitted
  3. Implement Fail2Ban and firewall rules before enabling SIP
  4. Enable TLS/SRTP for all connections
  5. Set up monitoring and alerts
  6. Document the incident and update your security policy

Dealing with the Bill

Unfortunately, you are generally liable for fraudulent calls made through your system. However:

  • Contact your carrier immediately - Some providers offer fraud protection limits
  • File a police report - Required for insurance claims and may help with carrier negotiations
  • Check your business insurance - Some policies cover toll fraud losses
  • Document your security measures - Demonstrating reasonable security may help negotiations

IPComms Security Features

As your SIP trunk provider, IPComms includes multiple layers of security to protect our customers from toll fraud and unauthorized access.

IP-Based Authentication

Your trunk only accepts calls from your registered IP addresses. Even if credentials are leaked, attackers cannot use them from other locations.

Fraud Monitoring

Our systems monitor for unusual call patterns 24/7. We proactively alert customers and can suspend trunks when fraud is detected.

Spending Limits

Set daily and monthly spending caps on your account. Once the limit is reached, outbound calls are blocked, limiting your exposure.

International Call Blocking

Block international destinations by default. Enable only the countries you actually need to call, dramatically reducing fraud risk.

TLS/SRTP Support

Full encryption support for both signaling and media. Prevent eavesdropping and man-in-the-middle attacks on your calls.

24/7 Support

Security incidents do not wait for business hours. Our support team can disable your trunk immediately if you suspect fraud.

Hosted PBX Alternative: If managing PBX security sounds overwhelming, consider IPComms Hosted PBX. We handle all security hardening, updates, and monitoring. You get enterprise-grade phone features without the security burden.

Secure Your Phone System with IPComms

Get SIP trunking with built-in fraud protection, spending limits, and 24/7 monitoring. We help keep your business safe from toll fraud.
