International Fraud Scene, Clifford M. Jordan, February 13, 2007, Las Vegas, NV


International Fraud Scene

Top International Fraud Schemes
– International PRS
– Bypass
– Carrier Surfing
– Subscription Fraud
– Roaming Fraud
– Subsidy Fraud
– International SMS Frauds

International PRS Fraud

• Also called:
  – Revenue Sharing Fraud
  – Audiotext Fraud
  – Telesex Fraud

• Objective
  – The objective of the fraud is to generate as many minutes of traffic as possible to a PRS (premium rate service) number. The more minutes of traffic generated, the more revenue the content owner of the PRS number receives.

International PRS Fraud

• Methods Utilized
  – Subscription Fraud to get a postpaid phone, which then calls the PRS number.
  – Subscription Fraud to get a postpaid or prepaid phone, which then roams internationally in order to call the PRS number.
  – Clip-on Fraud or PBX Fraud to make calls to the PRS number.
  – Basically, almost any type of fraud possible, just to make free phone calls to a PRS number.

• Net Result
  – The content owner of the PRS number gets paid via the Intl Carrier who owns the physical number. The Intl Carrier gets paid via settlement charges between carriers. The carriers most often do NOT get paid because of the fraud involved. The content owner wins. The carriers lose.

International PRS Fraud

• Another variant is called “Modem Hijacking”.
• This is where websites (usually porn sites) allow users (victims) to download an executable script called a “Dialer” that will call, via the computer modem, an International PRS number that is also a modem.
• Upon completion of the call the victim is “re-connected” to the internet via the Intl PRS modem.
• The victim can then surf the website, gaining access to the content for as long as his modem is connected to the Intl PRS number.
• Many times, this is all done WITHOUT the victim knowing his modem is being used. Such cases are called “Modem Hijacking”.

International PRS Fraud

[Diagram: Client A → Long Distance Provider → International Carrier → Service Bureau Level 1 → Service Bureau Level 2 → Service Bureau Level X → Content Provider]

Flow of Money for Intl PRS Fraud:

• Client A uses International Telesex Service
• Client A pays Long Distance Provider for calls on invoice
• Long Distance Provider pays International Carrier a percentage for interconnect costs
• International Carrier pays a percentage to Service Bureau (Level 1)
• Service Bureau (Level 1) pays a percentage to Service Bureau (Level 2)
• Service Bureau (Level 2) pays a percentage to Service Bureau (Level X)
• Service Bureau (Level X) pays a percentage to Content Provider

Hence the name: Revenue Share Fraud

Example of Level 1 Service Bureau:

Internext Conference, Jan 6, 2003

International PRS Fraud

Another Example of Level 1 Service Bureau:

Internext Conference, Jan 6, 2003

International PRS Fraud

Example of “Good Dialer”

Choose your Originating Country so the dialer knows how to dial out.

International PRS Fraud

Example of “Good Dialer” continued...

Choose type of Access.

“MODEM/ISDN” will give you a Dialer.

“CABLE-DSL/LAN-WEBTV” will give you an intl phone number to call.

International PRS Fraud

Example of “Good Dialer” continued...

Executing the Dialer.

Notice the option of “Silent Dialing”. In some “Bad Dialers” this is the default.

International PRS Fraud

Example of “Good Dialer” continued...

Executing the Dialer...

Logging into the site.

Observation: To prevent unauthorized access from direct connect, an IP address is automatically assigned to the client on login, and the website will only work for that IP range.

International PRS Fraud

Example of “Bad Dialer”
• Look up in Google key words:
  – Hobby Hacker Carding
• Go to sites and download dialer and execute
• Dialer will silence modem tones and will not give any information about what it is doing.
• In addition to being connected to an international destination, your machine will be infected with various trojans and viruses, disabling your machine and requiring re-loading of the operating system.

Please do not try this on a machine with:
• A LAN connection
• Important or Sensitive Information
• A Critical Function

International PRS Fraud

Bypass Fraud

• Objective
  – Bypass Fraud: The objective of the bypasser is to make money bypassing legal international routing.

• Method Utilized
  – VOIP Feed: Through the internet, the bypasser will set up a VPN with an International Carrier and then receive calls to be terminated locally. The calls will come across the VPN, to a digital PBX and out through a SIM Box. The incoming international calls are then re-originated through the SIM Box accounts and appear, and are charged, as local calls.

Bypass Fraud

[Diagram: Legal Route vs. Bypass Route into Jamaica. Labels: at&t, MCI, Intl Carrier, Internet, VPN, SIM Box, Switch, Digicel, competitor]

Bypass Fraud

• Net Result
  – The bypasser is paid a rate (less than the normal rate) for the termination of the calls. The bypasser pays the local rate for the termination of the calls through the SIM Box. The bypasser then keeps the difference as his profit.

Bypass Fraud

• Detection
  – Behavioral Analysis:
    • Accounts with high volumes of calls per day AND
    • With calls throughout the day (early morning to late night) AND
    • All calls are Local or Domestic AND
    • Accounts do not RECEIVE calls AND
    • Accounts are NOT a Call Center of any type AND
    • High Diversity, meaning the number of unique destinations called is 90% or greater (number of unique destinations / number of calls made) AND
    • Number of cell-sites is 3 or less consistently OR account is Land Line
    • The certainty of Behavioral Analysis is always less than 100%. For example, Call Centers look exactly like Bypassers.
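The behavioral conditions above, written as a filter over one day of CDRs. This is an added example, not part of the original slides: the record fields, the account names and the two volume thresholds marked "assumed" are assumptions, while the 90% diversity and 3 cell-site limits come from the slide.

```python
from collections import defaultdict
from datetime import datetime

MIN_CALLS_PER_DAY = 20   # "high volume": assumed value, not from the slide
MIN_ACTIVE_HOURS = 12    # "throughout the day": assumed value
MIN_DIVERSITY = 0.90     # from the slide: unique destinations / calls made
MAX_CELL_SITES = 3       # from the slide

def bypass_suspects(cdrs, call_centers=frozenset(), landlines=frozenset()):
    """Return accounts meeting every behavioral condition, for one day of CDRs."""
    outgoing, receivers = defaultdict(list), set()
    for r in cdrs:
        outgoing[r["caller"]].append(r)
        receivers.add(r["callee"])
    suspects = []
    for acct, calls in outgoing.items():
        hours = {datetime.fromisoformat(c["start"]).hour for c in calls}
        diversity = len({c["callee"] for c in calls}) / len(calls)
        sites = {c["cell_site"] for c in calls}
        if (len(calls) >= MIN_CALLS_PER_DAY
                and len(hours) >= MIN_ACTIVE_HOURS
                and all(c["call_type"] in ("local", "domestic") for c in calls)
                and acct not in receivers          # never receives calls
                and acct not in call_centers       # known call centers excluded
                and diversity >= MIN_DIVERSITY
                and (len(sites) <= MAX_CELL_SITES or acct in landlines)):
            suspects.append(acct)
    return sorted(suspects)

def sample_cdrs():
    """Constructed CDRs (not real traffic): one call every 30 minutes, all day."""
    cdrs = []
    for i in range(48):
        t = f"2007-02-13T{i // 2:02d}:{(i % 2) * 30:02d}:00"
        base = {"start": t, "call_type": "local"}
        # SIM-box-like: every destination unique, a single cell site
        cdrs.append({**base, "caller": "SIM-A", "callee": f"dest-{i}", "cell_site": "C1"})
        # Same shape, but a legitimate call center
        cdrs.append({**base, "caller": "CC-1", "callee": f"cust-{i}", "cell_site": "C9"})
        # Heavy subscriber calling the same four numbers (low diversity)
        cdrs.append({**base, "caller": "SUB-B", "callee": f"friend-{i % 4}", "cell_site": "C2"})
    # SUB-B also receives a call, which rules it out on its own
    cdrs.append({"start": "2007-02-13T10:05:00", "call_type": "local",
                 "caller": "friend-0", "callee": "SUB-B", "cell_site": "C3"})
    return cdrs

if __name__ == "__main__":
    print(bypass_suspects(sample_cdrs(), call_centers={"CC-1"}))
    print(bypass_suspects(sample_cdrs()))  # without the list, CC-1 is flagged too
```

Running it without the call-center list flags the call center alongside the SIM box account, which is the less-than-100% certainty the slide warns about.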

Bypass Fraud

• Detection
  – Test Call Analysis:
    • Test calls are made from outside the country to test numbers in-country. The termination CDRs from these test calls are then analyzed. If the call came into the network via an acceptable international route, then no problem. If the call that was terminated was from a local number, then this is bypass.
    • When a test call is found to terminate via a bypass route, the certainty of that route being bypass is 100%. However, it is not a 100% probability that a test call will be routed down a bypass route. Hence, many test calls are statistically needed in order to increase the probability of hitting a bypass route.
    • There are companies that can provide this service (e.g. TJTVIDS www.identitel.com)

Carrier Surfing Fraud

• Background
  – In some developing countries, regulatory agencies have a goal of ensuring that telephone service reaches ALL the public and not just the rich. To accomplish this goal, they may control or limit the ability of a carrier to deny a subscription for service. This could be by:
    • making it against the law to deny any subscription
    • making it illegal to perform a credit check prior to subscription
    • making it illegal to share credit information (bad debt) with another telecom
  – One example of this is Brazil.

Carrier Surfing Fraud

• Objective
  – In such countries, fraudsters will try to use a carrier for as long as possible without payment for services. Once blocked for non-payment or bad debt, the fraudster will simply switch networks or carriers and begin all over again with the same identity. Eventually, when all the networks and carriers have blocked this fraudster for non-payment, he will assume a new identity and start all over again. This can be used to sell traffic or obtain free service.
  – In Brazil, such a fraudster can go 2 years without ever paying for long distance service from a land line.

Carrier Surfing Fraud

Example Case: Surfing LD Carriers

[Diagram labels: A, B, local, LD1, LD2, LD3]

1. External fraudster gives true documentation to local carrier in order to provision a prepaid line.
2. Local carrier provisions line for fraudster.
3. Fraudster then can perform local prepaid calls and postpaid long distance calls via LD1. He never pays LD1 and is blocked by LD1.
4. Fraudster then performs long distance calls via LD2.
5. Fraudster never pays and is blocked by LD2.
6. Fraudster then performs long distance calls via LD3.
7. Fraudster never pays and is blocked by LD3.
8. And so on...

Carrier Surfing Fraud

• Methods Utilized
  – Fraudsters will most often use Subscription Fraud as the way to obtain the initial service.

• Net Result
  – The fraudster can obtain free service, sometimes for many months, until he has run out of carriers. ALL the carriers are victims.

Carrier Surfing Fraud

• Detection
  – Have the carriers share as much information about such abusers as the regulatory agency will allow them to. When a person is seen with an outstanding debt in two or more carriers, assume he is a fraudster and block as soon as possible. In Brazil, it was illegal to share information about bad debtors; however, it was NOT illegal to share information about fraudsters.
  – Also, look for tell-tale signs of no intention to pay, such as:
    • Higher than normal usage for the neighborhood of the user.
    • Calls at all hours
    • Receiving lots of collect calls
    • User cannot pass a validation OR PERFECTLY passes the validation without the least variation.

Subscription Fraud

• Objective
  – In many underdeveloped countries, where telephone service is still at premium prices, Subscription Fraud is still being used to obtain free service.
  – As voice calls and SMSs become increasingly less expensive in the US, the need to use Subscription Fraud with the objective of receiving free service is declining. In fact, in the US, the objective of Subscription Fraud is evolving to allow a fraudster (Identity Thief) to be validated for more profitable frauds, such as Bank fraud, Card fraud, Mortgage fraud, Insurance fraud.

Subscription Fraud

• Methods Utilized
  – The user’s True Identity: often used in the developing countries by people who purchase phones/service to sell to others to earn money. Oftentimes the user himself purchases the phone/service with the intention of not paying.
  – Identity Theft: fraudsters purchase or steal other people’s identity information from them in order to facilitate Subscription Fraud. Also, Identity Theft is becoming more and more popular via hacking, dumpster diving, Phishing, and Pharming.
  – A Fake Identity: due to the lack of methods of authentication, people can easily create new fake identities altogether.

Subscription Fraud

• Net Result
  – The Carriers suffer heavily in terms of bad debt and fraud losses due to Subscription Fraud.

• Detection
  – Look for tell-tale signs of no intention to pay, such as:
    • Higher than normal usage for the neighborhood of the user.
    • Calls at all hours
    • Receiving lots of collect calls
    • User cannot pass a validation OR PERFECTLY passes the validation without the least variation.
    • Welcome letter is returned.
  – User fails authentication attempt

Roaming Fraud

• Objective
  – The objective of Roaming Fraud is to generate as many minutes of traffic as possible in a limited period of time. It could be to sell traffic, make calls to a PRS (premium rate service) number, or simply allow someone to use the service anonymously and/or for free (or at a discounted price).

Roaming Fraud

• Methods Utilized
  – Subscription Fraud to get a postpaid or prepaid phone, which is then taken abroad so it can roam internationally.
  – If it is a postpaid account, then the fraudster usually has about 2 days of unlimited usage before the account is detected and shut down.
  – If it is a prepaid account, then the roamer must find a switch/network on the roaming network that is not CAMEL provisioned. If this is the case, the calls can be made for free. Again, the fraudster will have only 2 days of unlimited usage before being detected and shut down.
  – If the user has many such accounts, he can spread out the usage and “fly under the radar”. If his volume is less than 50 SDRs per day (1 SDR equals 1.4 USD) at the wholesale rate, then no HURs (High Usage Reports) will be created to alert the home network.

Roaming Fraud

• Net Result
  – Two days of unlimited usage equals 2880 minutes, which can be worth anywhere from $700 USD to $5000 USD depending on the destinations of the calls. If each account frauded costs the fraudster $30 USD, then the profit margin is huge.
  – 10 roaming accounts can profit a fraudster $6700 to $49,700 in a matter of a few days.

Roaming Fraud

• Detection
  – For standard networks, any roamer with over 50 SDRs of usage will generate an HUR (High Usage Report) sent back to the home network. The home network is then responsible for investigating and shutting down the account if they deem it fraud.
  – Now many companies are moving to NRTDE systems (Near Real-time Roaming Data Exchange). These systems send and receive roaming CDRs in near real-time, i.e. within minutes of the end of the call. Some NRTDE systems are Optel, Mach Ex, RoamEx, Syniverse Datanet, Neetrix, and others.
  – NRTDE systems are mandatory for GSM operators by Oct 1st, 2008.

Subsidy Fraud

• Objective
  – The fraudster wants to take advantage of the low subsidized price for handsets so he can sell them elsewhere at a marked up price for a profit.

• Methods Utilized
  – Fraudsters will most often use Subscription Fraud as the way to purchase subsidized handsets. Or, if a fraudster finds prepaid handsets sold without authentication at subsidized prices, then they are an even easier target. However, these lower priced handsets are not as much in demand.

Subsidy Fraud

• Net Result
  – The fraudster makes a profit re-selling the phones at a near real cost. The carrier who sold the phone to the fraudster loses the subsidy value.

• Detection
  – Look for new accounts with very little or no initial usage and then no usage at all. Try calling the accounts and they will not be connected to the network. Try billing them and the bills will come back or not be paid.
  – Blacklist all names, contact numbers, and addresses used by fraudsters as part of Subscription Fraud.

Subsidy Fraud

• Other Symptoms
  – The DOUBLE WHAMMY: Look for immediate International Roaming on the account with a different IMEI (handset number). If this is the case, then the GSM SIM chip was used for Roaming Fraud and the handset was sold as a Subsidy Fraud.

International SMS Fraud

• Objective
  – Send SMSs for free. Especially profitable for SMS Spammers.

• Methods Utilized
  – A misconfigured switch can allow a Prepaid User to send an SMS while having a zero prepaid balance. In one scenario, the user will first attempt to send the SMS to a destination that does not accept SMSs (e.g. Cust Service, Land Line, etc). When it fails, the user then resends the same SMS to the intended destination.
  – An SMSC that is not properly configured can allow users not belonging to a foreign network to send SMSs.

International SMS Fraud

• Net Result
  – The SMS community is much like the internet community. The knowledge of any vulnerabilities found will spread like wildfire.

• Detection
  – Monitor closely the number of SMSs sent to each country.
  – Monitor SMS attempts to non-SMS numbers. Also, do a daily balance check for all accounts.
  – Monitor all SMSs to non-standardized destination numbers.

Yesterday’s balance - Today’s usage + Today’s recharges = Today’s balance
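The daily balance check and the monitoring of SMS attempts to non-SMS numbers, as an added example that is not part of the original slides. The record fields, account names and sample values are constructed, and "usage" is assumed to be the rated value of the day's CDRs.

```python
from decimal import Decimal

def reconcile(accounts):
    """Daily check from the slide, per prepaid account:
    yesterday's balance - today's usage + today's recharges = today's balance.
    'usage' is the rated value of the day's CDRs (an assumption of this example).
    Returns (account, expected_balance, unexplained_difference) for mismatches."""
    findings = []
    for a in accounts:
        expected = a["yesterday"] - a["usage"] + a["recharges"]
        diff = a["today"] - expected
        if diff != 0:
            findings.append((a["account"], expected, diff))
    return findings

def probe_then_resend(sms_log, non_sms_numbers):
    """sms_log is in time order. Flags senders whose SMS to a number that cannot
    accept SMS is later followed by the same body to a different destination."""
    probes, flagged = set(), set()
    for m in sms_log:
        key = (m["sender"], m["body"])
        if m["dest"] in non_sms_numbers:
            probes.add(key)          # attempt to a non-SMS number
        elif key in probes:
            flagged.add(m["sender"])  # same text resent elsewhere
    return sorted(flagged)

# Constructed sample data (not real accounts or numbers).
D = Decimal
ACCOUNTS = [
    {"account": "user-A", "yesterday": D("10.00"), "usage": D("2.50"),
     "recharges": D("5.00"), "today": D("12.50")},
    # user-B sent 30 SMSs rated at 0.10 each on a zero balance; nothing was debited
    {"account": "user-B", "yesterday": D("0.00"), "usage": D("3.00"),
     "recharges": D("0.00"), "today": D("0.00")},
]
NON_SMS = {"CUST-SERVICE", "LANDLINE-1"}
SMS_LOG = [
    {"sender": "user-A", "dest": "mobile-7", "body": "see you at 6"},
    {"sender": "user-B", "dest": "CUST-SERVICE", "body": "promo text"},
    {"sender": "user-B", "dest": "mobile-9", "body": "promo text"},
]

if __name__ == "__main__":
    print(reconcile(ACCOUNTS))
    print(probe_then_resend(SMS_LOG, NON_SMS))
```

A negative expected balance, as for user-B here, means rated usage exceeded what the account could have paid for, which is the zero-balance sending described under Methods Utilized.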