They are _NOT_ selling the access
I have been hit by this scam when migrating firewalls a couple of years back. I had a 5060 redirect opened by mistake for 48h and paid for it. Thankfully I had rate limits on my outgoing calls, so the attacker DoS-ed himself by trying to call too many times simultaneously, so it cost me only ~£20-30 instead of £2000+. Prior to that, a colleague of mine was hit for $500 or thereabouts.
1. The access is _NOT_ resold. This is the part The Register got WRONG. They can see the numbers - they all go to the same country and the same number block, if not the same number.
2. The access is used by a bulk dialer to dial premium rate numbers in sub-Saharan Africa, Maldives and a few other destinations. The destination shares the revenue from the premium call with the caller. This _IS_ how this scam works.
3. After being hit, I set up a honeypot and this is what I got from the logs.
3.1. The attackers are nearly always located on networks belonging to the Palestinian Authority territories and, more recently (and to a lesser extent), neighbouring regions - Libya, Egypt, Syria, Lebanon. Using a compromised system elsewhere for the dialer portion of the attack (as in this case) is an exception, not the rule.
This can be proven by giving the original dialer some trouble. Throw some errors, call rate limiting, etc. If you do that, you will see the original IP disengage and a new IP (probably human-controlled from a console) engage from a Middle East network. There will also be repeated scans after that for the usual security-through-obscurity suspects like port 15060, etc. for months. Most of these also come from "manual" attacks and from the Middle East, so I would suggest setting up a honeypot there and then.
The money from the scam is specifically used to finance err ... (well, make your guess based on location of the scammer). So the solicitor firm involved in this case can solicit their group of choice in that region to put a special thanks on the next missile flying across the border for sponsoring it. And no, I am not joking.
3.2. Based on the locations involved, there are reasonable grounds to believe that the part of the criminal code applicable here is not fraud, computer misuse, etc. It is sponsoring terrorism. Considering that we have solicitors involved, I think it will be a good idea to pool for some popcorn to watch the show.
4. FreePBX, as an Asterisk derivative, has ACLs on extensions. You _MUST_ configure those to your private LAN even if you never intend to open external access. This is especially important if you use old phones like early Cisco 7960 with a pre-version 8.0 OS, which do not accept complex passwords. For everything else, Automated Password Generator (apg), SIP-TLS (if supported) and SRTP (if supported) are the real answer. In addition to that, prohibiting any outgoing calls to zones outside 1 and 3 in the dialplan is a good idea too. 1 needs to be double-checked as well to ensure that it is not one of the outlying islands, which will allow the attacker to set up a sink for the scam. For more info: http://countrycode.org/
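The outbound policy described in point 4 and the concurrent-call limit from the opening paragraph, modelled as a runnable check. This is an added example, not the poster's code and not FreePBX/Asterisk configuration: it assumes dialled strings as typed on a UK extension (00 as the international prefix) or in +E.164 form, takes the "zones 1 and 3" allowlist from the post as given, and uses an illustrative, not exhaustive, list of zone-1 area codes that belong to Caribbean islands rather than the USA/Canada (the "outlying islands" the post says to double-check). The extension numbers, phone numbers and attempt list are constructed sample data.

```python
# Added example: models the outbound-call policy recommended in the post above.
# Not the poster's code and not Asterisk/FreePBX configuration.
#   * international calls allowed only to country-code zones 1 and 3 (per the post)
#   * within zone 1, refuse NANP area codes belonging to Caribbean islands
#   * cap simultaneous outgoing calls per extension (the rate limit that kept
#     the poster's bill to tens of pounds rather than thousands)
# Assumptions (not from the post): UK-style dialling (00 = international prefix)
# or +E.164 input; ALLOWED_ZONES and NANP_ISLAND_AREA_CODES are illustrative
# and must be reviewed against current numbering plans before real use.
import re
from collections import defaultdict

ALLOWED_ZONES = {"1", "3"}

# Zone-1 area codes outside the USA/Canada (illustrative subset; verify before use).
NANP_ISLAND_AREA_CODES = {
    "242", "246", "264", "268", "284", "345", "441", "473", "649", "664",
    "721", "758", "767", "784", "809", "829", "849", "868", "869", "876",
}


def normalise(dialled: str) -> tuple:
    """Split a dialled string into (is_international, digits after the prefix)."""
    s = dialled.strip()
    if s.startswith("+"):
        return True, re.sub(r"\D", "", s[1:])
    digits = re.sub(r"\D", "", s)
    if digits.startswith("00"):
        return True, digits[2:]
    return False, digits


def check_destination(dialled: str) -> str:
    """Return 'allow' or a string starting with 'deny:' explaining the refusal."""
    intl, digits = normalise(dialled)
    if not digits:
        return "deny: empty number"
    if not intl:
        return "allow"  # domestic; domestic premium-rate filtering is a separate rule
    zone = digits[0]
    if zone not in ALLOWED_ZONES:
        return f"deny: zone {zone} not permitted"
    if zone == "1":
        area = digits[1:4]
        if len(area) < 3:
            return "deny: incomplete NANP number"
        if area in NANP_ISLAND_AREA_CODES:
            return f"deny: NANP island area code {area}"
    return "allow"


class CallGuard:
    """Per-extension cap on simultaneous outgoing calls, on top of the destination check."""

    def __init__(self, max_concurrent: int = 2):
        self.max_concurrent = max_concurrent
        self.active = defaultdict(int)

    def try_start(self, ext: str, dialled: str) -> str:
        verdict = check_destination(dialled)
        if verdict != "allow":
            return verdict
        if self.active[ext] >= self.max_concurrent:
            return f"deny: extension {ext} already has {self.active[ext]} calls up"
        self.active[ext] += 1
        return "allow"

    def end(self, ext: str) -> None:
        if self.active[ext] > 0:
            self.active[ext] -= 1


# Constructed sample of what a bulk dialler on a hijacked extension might attempt.
SAMPLE_ATTEMPTS = [
    ("201", "0033140000000"),   # France, zone 3
    ("201", "+12125550100"),    # New York, zone 1
    ("201", "0012425550100"),   # Bahamas: zone 1, but an island area code
    ("201", "00252615550100"),  # Somalia, zone 2
    ("201", "009607770000"),    # Maldives, zone 9
]


def run_sample() -> dict:
    """Evaluate SAMPLE_ATTEMPTS one at a time (no overlap) and return the verdicts."""
    guard = CallGuard(max_concurrent=2)
    verdicts = {}
    for ext, number in SAMPLE_ATTEMPTS:
        verdicts[number] = guard.try_start(ext, number)
        if verdicts[number] == "allow":
            guard.end(ext)
    return verdicts


def run_burst(ext: str = "201", number: str = "+12125550100", attempts: int = 5) -> list:
    """Fire `attempts` overlapping calls from one extension; only max_concurrent get through."""
    guard = CallGuard(max_concurrent=2)
    return [guard.try_start(ext, number) for _ in range(attempts)]


if __name__ == "__main__":
    for number, verdict in run_sample().items():
        print(f"{number:>16} -> {verdict}")
    print("burst:", run_burst())
```

The island list is the point of the example: a dialplan that simply matches the leading `1` treats Bahamas or Jamaica numbers as domestic North American calls, which is exactly the sink the post warns about. The concurrency cap is deliberately a separate layer so that a destination which slips through the allowlist still cannot be dialled hundreds of times at once.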