Hacking the PBX to gain unauthorized access, exploiting voicemail security, or trying default or common passwords are a few of many techniques. Fraudsters may also directly contact employees, and using “social engineering” will be able to ascertain useful information that can be used to gain access to systems.
Hacking the PBX to gain access privileges, much like hacking a computer network. This attack type may include denial of service (DoS) attacks, brute force attacks, etc.
Hacking the PBX to gain access to internal computer systems via the link intended for connecting the PBX to the CRM system. This can allow the hacker to access customer data (including credit card information), insert viruses into your system, or otherwise disrupt business by bypassing the firewall.
In the Al Qaeda case they were calling Premium Numbers to charge calls to the enterprise PBXs that were then split with the hacker's and paid to Al Qaeda.