Here is a link to a brief video on YouTube that describes how you an use XLite (a SIP softphone) to connect directly to a media gateway, in this case in a router, to make outbound long distance calls.
The idea is that the softphone uses SIP (or H.323 or even MGCP) to connect to the VoIP side of the gateway, which typically gets converted to ISDN-PRI for access to the PSTN. This connection is not seen or monitored by the PBX, so no CDR is generated and no class restrictions are in place to block the call.
The motive is of course toll fraud. I actually worked with one company that was hit with over $250,000 of toll fraud, that occurred through this vulnerability.This is a good example of a traditional voice application attack, but which is made easier to execute through VoIP. Remember, its not that VoIP is insecure, its that it makes all of the traditional voice attacks easier.
The vulnerability is quite easy to fix. The trick is to just make sure the router/media gateway only accepts signaling requests from the PBX. You can also use IPSec to protect the connection between the two components. If a connection requests comes from any other system, it will be ignored. It is also a very good idea to enable logging. You should also deploy a voice firewall/IPS on the external trunks (PRI or SIP) to provide real-time monitoring and control of long distance traffic on the trunks.
Here is the link: