
MANY years ago, say, 15 or so, this was a pretty common hack. Basically any phone system (PBX) has dial-in maintenance ports for engineers to call in and test the system and fix configuration problems that don't require a site visit. The problem is that EVERY system out there has default passwords, and these default passwords are available online if you know how and where to look for them.
The scam is pretty simple. Watch the Government Computer News magazine to see who is buying what, apply some social engineering skills, and find out the range of phone numbers that the PBX will handle. Configure a modem to dial a range of phone numbers before and after and you can locate the maintenance port. Once you've identified the port, test the default passwords that you've downloaded. If one hits, you're in gold!
Now what you do is go down to the local Asian/Indian/Mexican/Whatever community and you sell "phone cards" that have the access port and the key codes to forward that number to an outbound, long-distance line. Sell the card for, say, $50, and you'd move a ton of them. The buyer dials in and gets to talk to grandma in Karachi for really low rates.
It's a VERY common scam.
It's just embarrassing that a VAR would install a PBX without changing the default passwords, just embarrassing.
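Added example, not part of the original comment: the forwarding pattern described above leaves a signature in call detail records, where one inside number keeps receiving calls from different outside callers and each is bridged within seconds to an international number. The CDR layout, the `011` prefix, the thresholds and the sample records are all assumptions constructed for illustration, not any vendor's format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample CDRs in an assumed format (not any vendor's):
# start_epoch,direction,src,dst,duration_s
SAMPLE_CDR = """\
1000,in,2025550101,5199,1840
1004,out,5199,011922135550001,1832
1500,in,2025550102,5199,2410
1503,out,5199,011922135550002,2400
2000,in,2025550103,5199,950
2006,out,5199,011525555550003,941
2100,in,2025550104,5120,60
2500,out,5120,011442055550004,300
3000,in,2025550105,5121,45
"""

INTL_PREFIX = "011"   # assumption: North American international dialing prefix
WINDOW_S = 10         # outbound leg must start this soon after the inbound leg
MIN_CALLERS = 3       # distinct outside callers before an extension is flagged


def find_relay_extensions(cdr_text, window=WINDOW_S, min_callers=MIN_CALLERS):
    """Return {extension: sorted outside callers} for extensions where inbound
    calls are repeatedly bridged straight to international outbound calls."""
    rows = [(int(t), d, s, dst) for t, d, s, dst, _ in csv.reader(io.StringIO(cdr_text))]
    rows.sort()
    last_inbound = {}             # extension -> (start time, outside caller)
    callers = defaultdict(set)    # extension -> outside callers that were bridged
    for start, direction, src, dst in rows:
        if direction == "in":
            last_inbound[dst] = (start, src)
        elif direction == "out" and dst.startswith(INTL_PREFIX):
            hit = last_inbound.get(src)
            # Only count outbound legs that start right after an inbound leg.
            if hit and 0 <= start - hit[0] <= window:
                callers[src].add(hit[1])
    return {ext: sorted(c) for ext, c in callers.items() if len(c) >= min_callers}


if __name__ == "__main__":
    for ext, who in find_relay_extensions(SAMPLE_CDR).items():
        print(f"extension {ext}: {len(who)} outside callers bridged to international numbers")
```

Extension 5120 is not flagged in the sample because its international call starts minutes after the inbound call, which looks like an ordinary user rather than a relay.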