Internet phone systems become the fraudster's tool

28.10.2009

Asterisk hacking began evolving from a fairly "low-level problem" into a much more serious issue around September of 2008, when easy-to-use tools were first published, Todd said. "There are now people doing videos on it and there are blogs and podcasts," he said. "The information is out there."

With these tools, it can be pretty easy to hack a VoIP system by hitting the server designed to connect traffic from the office's local area network to a network provider such as AT&T, which connects the calls to the rest of the world.

The hacker tries to guess the VoIP system's passwords, making thousands of guesses. While an Internet program such as Gmail will block visitors after a handful of failed password guesses, VoIP systems are often not configured this way and will often let any computer connect to them. So hackers pound away at them, trying to guess working phone extensions. Once they find an extension, they run their dictionary attack software. If the password is easy to guess, they're in the network and can phone out for free.
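The guessing pattern described above leaves a trail of failed registrations that a defender can count per source address. The following is an added example, not part of the original article: it assumes the log uses the failed-registration NOTICE format of Asterisk's chan_sip, and the sample lines, function name and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format: Asterisk chan_sip failed-registration NOTICE lines.
FAILED_REG = re.compile(
    r"Registration from '(?:\"[^\"]*\" ?)?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def _line(sec, ext, ip, reason):
    """Build one constructed log line (not captured from a real system)."""
    return (f"[2009-10-05 03:12:{sec:02d}] NOTICE[2101] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@203.0.113.10>' failed for '{ip}' - {reason}")

# Constructed sample: one host probes extensions 100-102, then hammers 103;
# a second host mistypes the password for 201 twice.
SAMPLE_LOG = "\n".join(
    [_line(i, 100 + i, "198.51.100.7", "No matching peer found") for i in range(3)]
    + [_line(10 + i, 103, "198.51.100.7", "Wrong password") for i in range(6)]
    + [_line(40 + i, 201, "192.0.2.20", "Wrong password") for i in range(2)]
)

def find_guessers(log_text, max_wrong_passwords=5, max_unknown_extensions=2):
    """Return {source_ip: sorted list of findings} for hosts over either threshold."""
    unknown = defaultdict(set)                     # ip -> nonexistent extensions tried
    wrong = defaultdict(lambda: defaultdict(int))  # ip -> extension -> bad passwords
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if not m:
            continue  # not a failed registration
        ip, ext, reason = m["ip"], m["ext"], m["reason"].strip()
        if reason == "No matching peer found":
            unknown[ip].add(ext)
        elif reason == "Wrong password":
            wrong[ip][ext] += 1
    findings = defaultdict(set)
    for ip, exts in unknown.items():
        if len(exts) > max_unknown_extensions:
            findings[ip].add("extension-scan")
    for ip, per_ext in wrong.items():
        if any(n > max_wrong_passwords for n in per_ext.values()):
            findings[ip].add("password-guessing")
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in find_guessers(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

The addresses it returns are candidates for a firewall block or rate limit, which is the lockout behaviour the paragraph says many VoIP servers lack.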

That's what happened to Innovative Technologies, based in Wheeling, West Virginia. It was hacked in early October, apparently by Romanian cyber criminals who used its VoIP system to make telephone-based phishing calls to customers of , a small regional bank with offices in California.

"They had scanned a whole bunch of IP addresses on the Internet in order to find [VoIP] servers," said Terry Lewis, CEO of Innovative Technologies.