Phone Fraud: Following the Money
A co-worker based in Germany recently called my cellphone while I was at a conference. The call quality was absolutely horrible. There was so much noise—I had to yell to him to call me back. We hung up, he called me back, and the call quality was great, especially considering that we were on an international call, and on mobile phones. After we finished our conversation, I couldn’t help but see the irony in the situation. Why? Well, I received his call while attending the Communications Fraud Control Association Fall Educational Event. One of the presenters mentioned that frequently, poor audio quality is not the fault of your mobile or long distance carrier – it’s likely the result of fraud! It’s also likely that you have aided fraudsters without even knowing it.
Phone fraud is the use of telecommunications resources without the intention to pay. Fraudsters will either dupe a service provider to pay them revenues that are not due or steal resources to provide paid services to a third party. Since fraudsters are driven by the monetary opportunity, it’s important to “follow the money” to figure out how their scheme works.
There are many types of phone fraud, and many of our customers (outside of their fraud departments) don’t really understand all the possibilities for fraud until they’ve become a victim. Enterprises and service providers can both be victims of the fraud types we’ll discuss here, but they’re impacted in different ways. The enterprise is left wondering how to pay a large bill to their service provider, and the service provider is usually caught in billing disputes with both the customer and their transit carrier. With that in mind, let’s walk through a quick primer on a few of the major types of fraud that Acme Packet helps our customers detect and prevent on a regular basis.
PBX / Voicemail Fraud – The first step in enabling many types of fraud requires the fraudster to gain control of a PBX or voicemail system. Fraudsters can then use these devices to either make or send calls between destinations. Controlling a compromised system serves the dual purpose of helping the attacker stay anonymous, but also puts any billing responsibility back on the victim. Your PBX or voicemail server can be compromised in-band (over the phone circuit) by someone guessing the numeric pin on an extension or by finding an extension with a default pin. It’s been shown that the passcodes we select are usually not random, and are clustered in predictable ways. If your PBX is connected to the Internet, attackers can route calls through your PBX after user credentials have been cracked using freely available and easy to use tools. Once the attacker has control of your PBX, they can either use it to make free calls or to enable numerous other fraud types like International Revenue Sharing Fraud or Toll Bypass.
International Revenue Sharing Fraud (IRSF) and Premium Rate Services Fraud (PRS) – These two types of fraud are not very different from one another, but differ in where they are routed. IRSF calls are routed internationally, and PRS calls are domestic. Both types of fraud rely on the fraudster finding a way to generate a significant call volume, and forming an agreement (formal or informal) with a service provider or transit carrier (who will establish and bill for the calls) to share in the revenue (thus revenue sharing). Fraud rings in the Philippines or other developing countries have been known to have human “labor pools” that perform password guessing and make manual calls originating from your PBX. Sometimes the “labor pool” can even be generated by scams on social media, SPAM mail, or post cards that advertise free vacations or important information just by calling a phone number. It’s also fast and easy to use a script on a compromised IP PBX to make the same calls without using any manpower at all.
8YY Traffic Pumping – This is a fairly new fraud type that may actually be misconstrued as a Telephony Denial of Service (TDoS) attack. Companies that run contact centers for services or support of their customers subsidize your call by providing a toll free number. They pay a higher rate than you would for the call, but do so for your convenience. The fraudster sets up a revenue sharing agreement with one or more service providers routing the 8YY calls, and then generates a large volume of traffic. In many cases, they’ll target an Interactive Voice Response (IVR) system, because fraudsters can keep hitting prompts without dealing with a human that would hang up the call.
Toll Bypass– Many countries have established rates or tariffs for routing traffic that have been established over time by a combination of market demands, infrastructure availability, and regulatory intervention. The transit carriers, whose primary customers are other service providers (or even other transit carriers), route to destinations where their customers do not have infrastructure. This is what allows the ability for people on opposite sides of the globe to call one another. The highly competitive transit carrier business runs on an economy where fractions of cents per minute can make a difference. If calls between two countries can be routed via a third country that has a lower tariff structure, or if a data network can be used to bypass the international circuits, the pennies shaved enable them to offer a lower rate or be more profitable. Your IP PBX, your internal data network, and your local phone trunks might be used to route calls from around the world by an unscrupulous or oblivious transit carrier. Unfortunately, as long as the call connected, the transit carrier can bill for it, regardless of the call quality.
Detection and Prevention
Since the majority of the fraud described above relied on gaining access to the PBX, it’s important to put a session border controller (SBC) in front of any IP connected PBX. The SBC can detect and stop the attempts to guess user credentials or to route traffic without authorization. It’s also critical that your SBC is tuned to recognize the difference between normal and fraudulent traffic, so it can be effective. In many cases, the same configuration used to prevent the high rate of invalid messages sent in Distributed Denial of Service (DDoS) attacks can actually prevent password guessing and unauthorized calling.
Detection of whether your infrastructure is being used for fraud schemes like IRSF or Toll Bypass relies on an analysis of the calling patterns derived from Session Initiation Protocol (SIP) messaging or call detail records (CDR). Our Palladion Fraud Detection and Prevention system can dynamically learn your normal traffic patterns, and rules defined by the user define what deviation from the norm you’ll allow before the warning bells start going off.
8YY Traffic Pumping and TDoS attacks can really only be prevented if your 8YY service provider is involved to hunt down the source of the traffic as it’s routed through their network. In most cases, it’s coming from a single carrier source that they can shut down. You can spot 8YY Traffic Pumping since these calls are a generally long duration and happen around the clock, whereas TDoS may be of varied duration, but usually happens during your core business hours. In both cases, the caller’s number is usually spoofed so it’s not easy for you to determine the source.
So, why did my call have so much noise?
Most likely the noise was the result of a toll bypass, where a transit carrier was routing traffic to (or through) someone’s PBX, and my call quality couldn’t be assured. Take steps to prevent the flow of money out your door by protecting your infrastructure with a properly configured SBC, and keep a close watch on your calling patterns with Palladion.
Biography: Patrick McNeil, CISSP, is the Senior Security Engineer with Acme Packet's Premium Services group, and the founder of the Acme Packet Product Security Incident Response Team (PSIRT). He works on assuring the security of current Acme Packet products through product robustness and penetration testing, creating security best practices, and by providing input into security engineering efforts. He has nearly 20 years of experience in the IT industry, and has held roles working with telephony equipment manufacturers, commercial telephone service providers, large enterprises, call centers, banks, and the defense industry.
Net-SAFE: A Comprehensive Security Framework for Enterprise IP Communications
This whitepaper describes Acme Packet's Net-SAFE™ offering for IP-based sessions:
- Overload protection
- Protocol conformance enhancement
- Static and dynamic Access Control Lists
- Topology hiding
- Encryption and authenticaiton