Anatomy of a telecom fraud attack
One of our customers recently defeated an International Revenue Sharing Fraud (IRSF) attack. We thought it would be useful to share with you some information about the attack profile and demonstrate how a modern telecom fraud detection system can prevent such attacks.
Attack profile
This was a high-speed fast traffic pumping attack launched against a medical clinic on the West Coast. Here are some attack statistics:
| Statistic | Measurement |
|---|---|
| Calls | 111 |
| Countries called | 37 |
| Telephone numbers called | 89 |
| Average gap between calls | 8.782 seconds |
| Maximum gap between calls | 1 minute, 42.176 seconds |
| Minimum gap between calls | 0.196 seconds |
| Total duration of the attack | 16 minutes, 5.971 seconds |
The service provider had previously blacklisted several countries that their customer never expected to call. Blacklisting blocked 66 of the calls in this attack, about 59% of the total calls.
The remaining calls were inspected by SIP Analytics® telecom fraud detection. These calls were scored by fraud risk and blocked when cumulative fraud scores exceeded thresholds that the service provider had set. Fourteen calls passed through before a threshold was breached. Thirty-one calls were blocked after a fraud alert had been triggered.
The service provider uses Cisco BroadSoft. The SIP Analytics integration with BroadSoft enables precise controls based upon service providers, groups and users.
Multiple users were compromised in the attack. Initally, SIP Analytics blocked calls from one user to the UK. Next, the user was blocked from making all international calls. Eventually, the entire group was blocked from making international calls.
Assuming a 20-minute average call duration, had the attack had not been prevented, financial risk exposures were as follows:
| Action | Call count | Calls% | Risk exposure | Risk exposure% |
|---|---|---|---|---|
| Blacklisted | 66 | 59% | $912.15 | 70% |
| Blocked | 31 | 28% | $307.62 | 24% |
| Not blocked | 14 | 13% | $79.89 | 6% |
| Totals | 111 | 100% | $1,299.66 | 100% |
Findings
- This was a fast attack, with 111 calls in 16 minutes. Faster than most, but not the fastest we’ve seen.
- The entire attack, with nearly $1,300 in losses, likely would have completed successfully before a CDR-based fraud management system could have detected it.
- Blacklisting by country was effective in blocking a significant majority of the attack.
- Of the $387.51 in risk exposure remaining after blacklisting, fraud triggers blocked $307.62 in potential losses and $79.89 potential risk exposure was not blocked.
- Had more calls been completed, the attack likely would have continued. The fraudster gave up after only 16 minutes.
SIP Analytics
We provide SIP Analytics fraud detection in our ClearIP and NexOSS software products. SIP Analytics is the fastest, most precise way to detect and block telecom fraud attacks.
Contact us today to learn how easy it is to protect your telecom network and subscribers from IRSF attacks using SIP Analytics.
SIP Analytics® inspects each call before it begins. It’s the fastest, most precise method available to detect and prevent telecom toll fraud.
Learn more