Vocus customer's compromised PABX system behind triple zero call flood

It is understood an overseas attacker used the compromised system to undertake the mass phone dials

A compromised private automatic branch exchange (PABX) phone system of a Vocus (ASX:VOC) customer was used by a “third party” for attempted toll fraud, resulting in a flood of calls disrupting Australia’s triple zero emergency call service.

First reported by Fairfax Media, an overseas attacker used the compromised system to undertake the mass phone dials, which ultimately prompted a government investigation.

Vocus has confirmed its analysis identified that one of its customers’ PABX systems was compromised, enabling an external party to attempt international toll fraud.

The publicly-listed telco said that, at 8.30AM on Saturday 26 May, it was made aware of unusual inbound voice over IP (VoIP) call activity to triple zero call centres between 6.09AM and 7.55AM that morning.

“Pre-defined fraud filters meant that algorithmically generated attempts to dial international numbers failed and the attempt was aborted,” a Vocus spokesperson said in a statement. “However, many of these calls included a “000” prefix which were routed to emergency services.

“Steps have been taken to prevent another such occurrence,” the spokesperson said.

According to Vocus, toll fraud is a significant problem and can be complex and time consuming to resolve.

“Vocus takes fraud awareness very seriously and works closely with customers to assist them to keep their business safe from toll fraud attacks,” the spokesperson said.

Telstra (ASX:TLS), which operates the infrastructure supporting the nation’s triple zero emergency call services, said that it has worked with the government, emergency service providers and the provider to resolve the issue. 

In some cases, the telco said, repeat calls were directed to police in the state in which they were determined to have originated.

“There was some impact on call response times during these call bursts and our network otherwise operated normally,” a spokesperson for Telstra said.

“On three occasions between 6am and 8am Saturday, 000 operators received a series of approximately 600 ‘blank’ calls - two bursts within 60 seconds and one period across 35 minutes.

“These calls came from multiple numbers and were answered by operators and consistent with long-standing protocol, directed to a recorded service which asks the caller to press ‘55’,” the spokesperson said.

The telco confirmed that the Australian Communications and Media Authority (ACMA) was informed on the incident on Saturday 26th May.