Why real-time fraud detection is important
Today’s IP networks are full of malicious scanning attempts to gain access to various applications, including voice over IP (VoIP). SIPVicious and sipsak are a couple of examples of SIP scanners that fraudsters can use to analyze networks and locate VoIP-enabled devices, such as PBXs, gateways, and endpoints.
Acme Packet’s Patrick McNeil recently shared the top fraud scenarios and the reasons why fraudsters are attacking networks in his blog post, “Phone Fraud: Following the Money.” One of the most common scenarios involves international revenue-share numbers. Through International Revenue-Share Fraud (IRSF), the fraudster breaks into networks in order to inflate traffic to his own international number and collect revenue from the calls. Often enough, enterprises and service providers are left with a hefty bill and a long discussion – sometimes a lawsuit – about who is responsible. Nobody but the fraudster emerges victorious from this scenario.
How does the fraudster conduct an attack?
Once an attacker identifies a VoIP endpoint, he may try to guess the password, either to authenticate himself or to attempt calls directly. The attacker knows the credentials worked once the system stops returning the usual 401 or 407 ‘authentication required’ responses and answers with a different response code instead. Some system engineers deliberately try to confuse attackers by sending random SIP response codes, a tactic known as "security through obscurity." However, this tactic is not generally recommended – although it may confuse an attacker at first, it doesn't fix the underlying issue.
Once ‘on the system,’ the attacker will try to initiate fraudulent international calls to run up charges as high as possible to his revenue-share fraud numbers. In most cases the fraudster does not know the victim’s dial plan and will need a prefix to dial an outbound line. To overcome this issue, attackers have enhanced their toolkits and developed programs that – by brute force – attempt calls with all sorts of prefixes. It may take a while and a few call attempts, but since these scripts can run completely unattended, the attackers don’t care how long it takes. Therefore, even if enterprises try to confuse attackers with misleading SIP response codes, this only extends the time the automated scripts need to gain access to the network.
After successfully breaking in, fraudsters have working credentials to authenticate to a victim’s network (in some cases authentication is not required) and basic knowledge of the dial plan, such as prefixes and working destinations (e.g. which countries or prefixes are reachable).
Once this status is established, the attacker may resell the account credentials to other fraudsters or invoke a program to conduct fraudulent calls. A screenshot from Acme Packet’s Palladion monitoring software (Figure 2) shows an attacker evolving from this reconnaissance phase to making fraudulent phone calls within 65 seconds.
VoIP engineers may have noticed that the Palladion screenshot shows an Asterisk PBX as the source of the fraud attack. Further message flow and SIP packet analysis available through Palladion revealed that the attacker faked the SIP User-Agent header in the communication. This is an easy but often effective way to avoid detection at first glance. However, attackers don’t usually spend time hiding themselves; they just move on to the next target.
Why CDR analysis doesn’t always work
A typical call detail record (CDR)-based fraud detection system may not show – or take into account – the unsuccessful call attempts and will only alert the enterprise once fraudulent calls have run up the phone bill. Therefore, the delay for CDR-based detection may be as long as a monthly billing cycle. The potential for damage is too high to risk detection being this slow. Palladion, by contrast, lets an enterprise detect potential fraud in real time. With the context information shown above, verifying a potential fraud case is simple: what employee or customer would dial dozens of different prefixes in a time frame too short to actually punch the numbers into a physical or software dial pad?
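The prefix-guessing behaviour described above, and the reason a CDR-only view misses it, can be shown with a small signalling-based detector. This is an added example, not Acme Packet or Palladion code: it assumes a constructed log of INVITE transactions (one line per attempt with the final SIP response code) and flags any source that dials many distinct numbers within a window too short for a human, counting the failed attempts that never reach a CDR.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): INVITE attempts as a monitoring probe
# might record them. Source 10.0.0.23 tries eight prefixes in 16 seconds before
# two calls connect; 10.0.0.42 is ordinary user traffic.
SAMPLE_LOG = """\
2013-03-05T10:00:00 src=10.0.0.23 to=0088212345678 code=404
2013-03-05T10:00:02 src=10.0.0.23 to=9088212345678 code=404
2013-03-05T10:00:04 src=10.0.0.23 to=90088212345678 code=404
2013-03-05T10:00:06 src=10.0.0.23 to=80088212345678 code=404
2013-03-05T10:00:08 src=10.0.0.23 to=1088212345678 code=404
2013-03-05T10:00:10 src=10.0.0.23 to=0188212345678 code=404
2013-03-05T10:00:12 src=10.0.0.23 to=901188212345678 code=404
2013-03-05T10:00:14 src=10.0.0.23 to=9011088212345678 code=404
2013-03-05T10:00:16 src=10.0.0.23 to=901188212345678 code=200
2013-03-05T10:00:30 src=10.0.0.23 to=901188212345679 code=200
2013-03-05T10:05:00 src=10.0.0.42 to=4155551212 code=200
2013-03-05T10:07:00 src=10.0.0.42 to=4155551213 code=486
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) to=(\d+) code=(\d{3})$")

def parse_log(text):
    """Group (timestamp, dialed number, response code) per source, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of stopping the detector
        ts, src, dialed, code = m.groups()
        events[src].append((datetime.fromisoformat(ts), dialed, int(code)))
    for evs in events.values():
        evs.sort()
    return events

def cdr_only_view(text):
    """What billing records alone show: answered (2xx) calls per source, no failures."""
    return {src: sum(1 for _, _, code in evs if 200 <= code < 300)
            for src, evs in parse_log(text).items()}

def detect_prefix_scans(text, window_s=60, min_attempts=8, min_distinct=6):
    """Alert once per source whose attempts in any window exceed human dialing speed."""
    alerts = []
    for src, evs in parse_log(text).items():
        for i, (start, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= timedelta(seconds=window_s)]
            dialed = {e[1] for e in win}
            if len(win) >= min_attempts and len(dialed) >= min_distinct:
                alerts.append({"src": src, "first_seen": start.isoformat(),
                               "attempts": len(win), "distinct_numbers": len(dialed),
                               "failed": sum(1 for e in win if e[2] >= 300),
                               "answered": sum(1 for e in win if 200 <= e[2] < 300)})
                break  # one alert per source is enough to start an investigation
    return alerts
```

With the sample log, `cdr_only_view` reports two answered calls for the scanning source, indistinguishable from normal use, while `detect_prefix_scans` raises an alert at the first attempt, before any billable call connects.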
How can you stop fraud?
Real-time fraud detection is important for both enterprises and service providers. Enterprises are often alerted only when the huge bill arrives and the fraudster is long gone. Enterprises can protect themselves by taking fraud detection into their own hands, which reduces detection and reaction time from billing cycles to mere minutes. Fraudulent calls can even be stopped in real time. With the available Palladion tools, the enterprise can verify and document the fraud case. Additionally, the enterprise can use the Palladion system for service level verification, including service availability and service quality.
Service providers can also offer communication services with fraud protection included, which allows them to identify and prevent fraud as quickly as possible. Their terms of service can also include no-hassle clauses, which take the fraud issue out of their customers’ hands, thereby reducing lengthy discussions about responsibilities.
Biography: Hendrik Scholz is the Palladion Fraud Detection and Prevention (FDP) Product Manager. Based in Acme Packet’s Berlin office, Hendrik is responsible for the FDP strategy and fights fraud on a daily basis. Before joining Acme Packet, he designed and developed the infrastructure for a multi-million subscriber VoIP network (which was also suffering from its fair share of fraud attempts) in Germany and worked for a VoIP media quality monitoring company as a Software Architect and Product Manager.
Net-SAFE: A Comprehensive Security Framework for Enterprise IP Communications
This whitepaper describes Acme Packet's Net-SAFE™ offering for IP-based sessions:
- Overload protection
- Protocol conformance enhancement
- Static and dynamic Access Control Lists
- Topology hiding
- Encryption and authentication