Toll fraud is unfortunately very common. You need to secure your system so only authorized users can connect, and also fix whatever problems allowed the fraudulent calls.
Look at your Asterisk logs to find out how the calls were made. By default, the system keeps one week of logs. They are in /var/log/asterisk.
If the calls were made from an existing extension, possibilities include:
- Your provisioning system may be open to the world, with no encryption. Phone MAC addresses are easy for the attacker to guess.
- You used a very weak password (the extension number, 1234, etc.) and the attacker guessed it by brute force.
- The attacker may have captured traffic from e.g. a SIP app used over open Wi-Fi.
- The device may have been open on the internet with a weak admin password, so the attacker could access the device GUI.
- The PBX Admin GUI was open, with a weak password.
If a new extension was created, possibilities include:
- Admin GUI open with a weak password.
- Admin GUI open and system lacking security updates, allowing access without authentication.
In this case, you should reinstall the system from scratch, secure it, then reload configuration from a backup.
If the attacker called in from the PSTN and could call out from there:
- Call transfer features incorrectly enabled on incoming calls.
- Voicemail with weak password and outbound calling enabled.
- Errors in IVR, etc. permitting outbound calling.
If the attacker accessed the system via SIP and called without authentication:
- Anonymous calls / Guest calls enabled.
- Inbound Routes misconfigured to allow outbound calling.
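
One way to start the log review suggested above, as an added example that is not part of the original post: it counts failed SIP registrations per source address to show whether extension passwords were being guessed. It assumes chan_sip-style "Registration from ... failed for ..." NOTICE lines; the sample lines, addresses and the `summarize_failures` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# chan_sip NOTICE written when a REGISTER is rejected (assumed log format).
# The source is matched as IPv4 with an optional port.
FAILED_REG = re.compile(
    r"Registration from '(?P<sender>[^']*)' failed for '(?P<ip>[^':]+)"
)
# Extension number inside the From URI, e.g. <sip:101@192.0.2.10>
EXT = re.compile(r"sip:(?P<ext>[^@>;]+)@")

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
[2024-03-01 02:14:07] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.50:5071' - Wrong password
[2024-03-01 02:14:08] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.50:5071' - Wrong password
[2024-03-01 02:14:09] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.50:5071' - No matching peer found
[2024-03-01 02:14:10] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.50:5071' - Wrong password
[2024-03-01 08:30:41] NOTICE[2211] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 08:31:02] VERBOSE[2290] pbx.c: Executing [s@macro-dial:1] NoOp("SIP/104-0000001a", "")
"""


def summarize_failures(lines, threshold=3):
    """Return {ip: {"failures": n, "extensions": [...]}} for sources with
    at least `threshold` rejected registrations."""
    per_ip = Counter()
    exts_by_ip = defaultdict(set)
    for line in lines:
        m = FAILED_REG.search(line)
        if not m:
            continue  # not a failed-registration line
        ip = m.group("ip")
        per_ip[ip] += 1
        e = EXT.search(m.group("sender"))
        if e:
            exts_by_ip[ip].add(e.group("ext"))
    return {
        ip: {"failures": n, "extensions": sorted(exts_by_ip[ip])}
        for ip, n in per_ip.items()
        if n >= threshold
    }


if __name__ == "__main__":
    # On a real system, pass the lines of a log file from /var/log/asterisk.
    for ip, info in summarize_failures(SAMPLE_LOG.splitlines()).items():
        print(ip, info["failures"], "failures, extensions:", info["extensions"])
```

A single source failing against many different extensions points to password guessing; one or two failures against a single extension is more often a mistyped password on a phone.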