Resolved!!!
Thank you for the tips guys.
When I turned on DTMF under “FreePBX web gui / Settings / Asterisk Log File Settings” which saves in Asterisk’s /var/log/asterisk/full.log, I caught the offender dialing random extensions until they got a valid one, and the moment an employee picked up, they dialed *2 (In-Call Asterisk Attended Transfer), which is intended for our employees to dial. the moment the offender dials *2, Asterisk gives them control of transferring the call (whereupon they can dial out any number they wish), giving our employee silence and then a hangup, and the offender continues with his international (free) call, and once that call is done they hit *2 again and dial another international call.
Ouch. How painful.
Solution 1: So in “FreePBX web gui / Admin / Feature Codes” you can disable *2 and ## (and any other useless feature codes that could possibly be taken advantage of by a bot).
Solution 2: In “FreePBX web gui / Settings / Advanced Settings / Dialplan and Operational / Asterisk Dial Options & Asterisk Outbound Trunk Dial Options” you can remove “Tt” on both and leave the first one with “r” (which edits the defaults on every trunk… unless you bypassed this on any trunk). And make sure to push the green check mark next to each and hit the big red “Apply Config”. I tested re-enabling the *2 and ## features, and this change cut them off as well.
I chose to apply both solutions.
Thanks guys for your help and I hope this helps anyone else being hacked with toll fraud, redialing, war dialing, or whatever they are calling this. And to hell with the fraud calling card companies or hackers using this vulnerability!