If the authentication password that the phone uses to connect to the application server is weak, the attacker can simply register with the application server as if it were the user's phone. This can be seen in the SIP messaging, where the registering device does not match the device assigned to the user; typically it is a softphone such as eyeBeam.
Many PBXs have an interactive voice portal that allows a user not only to check their voice mail but also to set up call forwarding. If the user has a weak password, this can be exploited simply by setting up call forwarding to the fraud number and then calling the user.
Depending on the PBX in use and the rights assigned to a user, this can potentially be the most dangerous vector. Basic users can set up call forwarding and change their voice portal passwords. Higher-level users can change other settings, from call forwarding for an entire group up to the authentication password for users' phones, or even add users and services.
Fraudstopper is a Linux service that runs in conjunction with the Broadsoft/Broadworks PBX platform. It monitors call record data for specific calling patterns and applies call duration and call count thresholds; when one is crossed it sends an alert email for further investigation. It was developed by, and can be purchased from, Engineers Consulting Group.
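A constructed illustration of the kind of per-user threshold and destination-pattern check described above, added here as an example and not Fraudstopper's own code or Broadworks' CDR format; the record layout, the thresholds and the international-prefix pattern are assumptions made for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (not real Broadworks output): user, start time, dialed number, duration in seconds.
SAMPLE_CDRS = """\
user=alice;start=2024-03-01T02:05:00;dialed=01152212345678;duration=1800
user=alice;start=2024-03-01T02:40:00;dialed=01152212345679;duration=2400
user=alice;start=2024-03-01T03:10:00;dialed=01152212345680;duration=2100
user=bob;start=2024-03-01T09:15:00;dialed=2125551234;duration=120
user=bob;start=2024-03-01T09:20:00;dialed=2125555678;duration=60
"""
CDR_RE = re.compile(r"user=([^;]+);start=([^;]+);dialed=(\d+);duration=(\d+)")
# Thresholds and destination patterns are assumptions for this example, not Fraudstopper's settings.
WINDOW = timedelta(hours=24)      # look-back period per user
MAX_CALLS = 4                     # more calls than this inside WINDOW -> alert
MAX_SECONDS = 3600                # more total talk time than this inside WINDOW -> alert
SUSPECT_PREFIXES = ("011",)       # assumed: international dialing is unusual for this PBX

def parse_cdrs(text):
    # Parse the constructed CDR format; lines that do not match are skipped.
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line)
        if m:
            user, start, dialed, duration = m.groups()
            records.append({"user": user, "start": datetime.fromisoformat(start),
                            "dialed": dialed, "duration": int(duration)})
    return records

def find_alerts(records):
    """Return {user: sorted reasons} for users whose calls in any WINDOW cross a threshold."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    alerts = {}
    for user, calls in by_user.items():
        calls.sort(key=lambda r: r["start"])
        reasons = set()
        for i, newest in enumerate(calls):
            # all of this user's calls that started within WINDOW before (and including) this one
            window = [c for c in calls[:i + 1] if c["start"] >= newest["start"] - WINDOW]
            if len(window) > MAX_CALLS:
                reasons.add("call count")
            if sum(c["duration"] for c in window) > MAX_SECONDS:
                reasons.add("call duration")
            if newest["dialed"].startswith(SUSPECT_PREFIXES):
                reasons.add("suspect destination")
        if reasons:
            alerts[user] = sorted(reasons)
    return alerts
```

On the sample data only alice is reported, for both total duration and the international prefix; the returned reasons are what an alert email for further investigation would carry.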