Many people who deploy SIP for voice or video don't understand the potential security risks. As a result, there are lots of vulnerable SIP devices connected to the Internet that are easily compromised due to misconfiguration or lack of simple protections. This is fairly common knowledge within the security community, but what most don't realize is that you can do more than just make free phone calls - like get rich quick! In this talk I'll discuss... How SIP compromises occur and who the primary actors are: How did we get here? Why so many vulnerable devices? Common discovery and attack methodologies & the weaknesses exploited The most common attack tools used, backed up by real world data Where most attackers are coming from, again with real data After a system has been compromised: Top ways to make money - how and why they actually work: International Revenue Sharing Fraud - calling a high cost destination and splitting the profits Toll Bypass - using a PBX local trunk to bypass high per minute rates Domestic Traffic Pumping - driving traffic to a rural telco to increase payment from inter-exchange carrier Extortion using a Telephony Denial of Service attack - a quickly rising trend where phone lines are tied up if demands are not met Time permitting, other top fraud that doesn't require a PBX - Wangiri & SMS SPAM - missed call or text message to a mobile, return call to high cost destination with profit splitting