19/12/2014

Monitoring and responding to fraudulent activity out of hours

Steffen Hylby

Experienced telecoms fraud watchers know very well that most VoIP and PBX hacking fraud happens out of usual office hours.

Many fraud attacks start on a Friday evening, leaving a window of up to 40 hours before the attack comes to light on Monday morning if the target has no out-of-hours monitoring and response, which is the case for most SMEs, the ultimate victims of these attacks.

Christmas is a once-a-year “perfect storm” for PBX hackers, especially where Boxing Day runs into the weekend, as it does this year, giving a full four days for a PBX hack to run – close to 100 hours of clear time.

Steffen Hylby is responsible within SmartIPX for managing the fraud detection products and reporting on fraudulent activity to clients. We asked him to explain how these forms of fraud work and what can be done about them.

Is there an uptake in fraudulent activity over the Christmas period?

Yes, definitely. Most fraud attacks commence on Friday evening and in the run-up to holidays, with Christmas being a particularly important one for fraudsters, with the extended holiday time, a skeleton team, or even worse no team. It’s important during the Christmas period to keep an eye out for unusual traffic volume spikes, but that’s not useful unless you have the staff on hand to make intelligent decisions to help you identify good legitimate business from bad.

What type of fraud is most prevalent at these times?

Most fraud around these time windows is PBX hacking or VoIP dial-through fraud – certainly that’s where the big, organised frauds that can really hurt a company take place. Sometimes we see other one-off, smaller fraudulent activities, such as staff or external contractors such as cleaners using the quiet office as a chance to make international calls or calls to UK premium rate services.

Could you please explain what you mean by the terms PBX hacking and VoIP fraud?

PBX hacking is a term used to describe a method used by criminals to illegally breach the security parameters of a PBX system. Criminals hack PBX systems for the purposes of accessing the trunk lines after which they begin generating as many calls as possible. They can do this in a number of ways, including paying for access to a maintenance port & password or accessing the call divert functions within voicemail and changing the routing number.

VoIP fraud covers such diverse topics as arbitrage, buffer overflow, bypass/interconnect fraud, access to premium rate services, revenue share fraud, roaming fraud & unallocated number fraud, but generally involves PBX hacking to get access to a route. You can read more about VoIP fraud here.

How do fraudsters make money out of this?

In some cases, the fraudster will have their own traffic that they want to route, or are reselling capacity to other organisations. If a fraudster can route 100k minutes through a hacked PBX, which they can sell on at 30p per minute, that’s £30k they’ve made at no cost to them – but at a significant cost to the owner of the PBX and the CSP providing them their telecoms. These types of scams tend to be to destinations with high call termination costs, such as Cuba or Inmarsat.

Other fraudsters will simply use the hacked PBX to make a series of calls to premium rate phone numbers, whether in the UK or abroad. We often see a pattern where a limited number of calls are made with exactly the same (long) duration, or the same premium rate number is called multiple times and immediately hung up. Some premium rate numbers can cost £5 or more as a connection charge, so making 10,000 calls to one such number is a very lucrative use of a weekend for a single fraudster.

What does the SmartIPX team do to detect and respond to these types of fraud?

We have a number of different processes and products we use to detect different types of fraud for traditional telcos, SIP customers and MVNOs. Generally we’re looking to identify abnormal traffic patterns in 3 different ways.

  • By destination. We look at calls made and minutes spent on calls to different destinations over the course of an hour period vs the “normal” call patterns at that hour; so we will compare for example 7pm-8pm today with the normal 7pm-8pm for the client. Of course, we have some destinations that are more likely to flag up as potentially fraudulent, but we keep an eye on all traffic no matter the destination.
  • By spend on a group of destinations. We look at total spend to the group within a rolling hour. This lets us keep an eye on the big picture of traffic spend per destination.
  • By total spend per day, either for a specific account or for all customer accounts, where we set an expected maximum spend per period (day or hour being the most usual) and act to prevent that spend being exceeded, limiting our client’s exposure to fraudulent spend.

What is as important as the tools we use to detect fraud is that we have a 24 hour, 7 day a week team in place to monitor and respond to these alerts. The team understand each client and their usual traffic patterns and are able to make intelligent decisions about how best to respond, whether to take direct action, to alert our client, monitor activity or some other action. We colour code all alerts as Red, Orange, Yellow, Blue and Green indicating the financial risk for the alert. We report back to our clients monthly for the alert activity, patterns and trends.
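To make the three checks above concrete, here is an added worked example (written for this page; it is not SmartIPX’s code, data or thresholds) that runs them over a constructed hour of call detail records (CDRs) for a Friday evening, and also looks for the premium rate “dial and hang up” / identical-duration signature described in the earlier answer. The client name, baseline minutes, spend caps, destination groups, flagging factors and colour bands are all assumptions chosen for illustration.

```python
"""Toy out-of-hours voice-fraud checks over CDRs.

Constructed example: the client, baseline, thresholds and CDRs below are
invented to illustrate the checks described in the interview.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cdr:
    start: datetime
    account: str
    destination: str   # destination group, e.g. a country or "Satellite"
    number: str        # dialled number
    duration_s: int
    cost_gbp: float


def minutes_by_destination(cdrs, window_start, window_end):
    """Minutes per destination for calls starting in [window_start, window_end)."""
    mins = defaultdict(float)
    for c in cdrs:
        if window_start <= c.start < window_end:
            mins[c.destination] += c.duration_s / 60
    return dict(mins)


def destination_spikes(cdrs, baseline, window_start, factor=3.0, floor_min=5.0):
    """Check 1: this hour's minutes per destination vs the client's normal minutes
    for the same hour of day (baseline[hour][destination] = minutes, assumed).
    Flags when a destination exceeds factor x normal, or floor_min minutes where
    the baseline has no traffic at all (a never-called country on a Friday night)."""
    normal = baseline.get(window_start.hour, {})
    observed = minutes_by_destination(cdrs, window_start, window_start + timedelta(hours=1))
    return {dest: round(mins, 1) for dest, mins in observed.items()
            if mins > max(factor * normal.get(dest, 0.0), floor_min)}


def group_spend_rolling_hour(cdrs, group, now):
    """Check 2: total spend to a group of destinations over the last rolling hour."""
    since = now - timedelta(hours=1)
    return round(sum(c.cost_gbp for c in cdrs
                     if c.destination in group and since <= c.start < now), 2)


def daily_spend_exceeded(cdrs, day, cap_gbp, account=None):
    """Check 3: spend for a day, for one account or all accounts, against a cap.
    Returns (spend, exceeded); a live system would block further calls when exceeded."""
    spend = sum(c.cost_gbp for c in cdrs
                if c.start.date() == day and (account is None or c.account == account))
    return round(spend, 2), spend > cap_gbp


def premium_rate_pattern(cdrs, min_calls=20, hangup_s=5, long_s=300):
    """Premium-rate signature: one number dialled many times and hung up almost
    immediately (farming the connection charge), or many calls to one number
    with identical long durations."""
    by_number = defaultdict(list)
    for c in cdrs:
        by_number[c.number].append(c.duration_s)
    hits = {}
    for number, durations in by_number.items():
        if len(durations) < min_calls:
            continue
        same_dur, same_count = Counter(durations).most_common(1)[0]
        if sum(1 for d in durations if d <= hangup_s) >= min_calls:
            hits[number] = "repeat-dial-and-hangup"
        elif same_count >= min_calls and same_dur >= long_s:
            hits[number] = "identical-long-durations"
    return hits


def risk_colour(exposure_gbp):
    """Colour code an alert by financial exposure. Bands are assumed for this example."""
    for limit, colour in ((5000, "Red"), (1000, "Orange"), (250, "Yellow"), (50, "Blue")):
        if exposure_gbp >= limit:
            return colour
    return "Green"


FRIDAY_1900 = datetime(2014, 12, 19, 19, 0)
# Constructed baseline: normal minutes per destination at 19:00 for this client.
BASELINE = {19: {"UK": 40.0, "Germany": 6.0}}


def sample_cdrs():
    """Constructed CDRs: a little legitimate UK traffic, then a dial-through burst
    to Cuba and a UK premium rate number hammered 25 times with instant hang-ups."""
    cdrs = [Cdr(FRIDAY_1900 + timedelta(minutes=m), "acme", "UK", "02070000000", 120, 0.02)
            for m in range(0, 30, 5)]                                   # 6 calls, 12 min
    cdrs += [Cdr(FRIDAY_1900 + timedelta(minutes=10 + m), "acme", "Cuba", "+5371234567", 600, 8.00)
             for m in range(8)]                                         # 80 min, £64
    cdrs += [Cdr(FRIDAY_1900 + timedelta(minutes=30, seconds=10 * i), "acme", "UK Premium",
                 "0909000000", 2, 5.00) for i in range(25)]             # 25 x £5 connection
    return cdrs


def run_checks():
    """Run every check for the constructed Friday-evening hour and return the results."""
    cdrs = sample_cdrs()
    high_cost = {"Cuba", "Satellite", "UK Premium"}                     # assumed group
    day_spend, over = daily_spend_exceeded(cdrs, FRIDAY_1900.date(), cap_gbp=100.0, account="acme")
    return {
        "spikes": destination_spikes(cdrs, BASELINE, FRIDAY_1900),
        "group_spend_gbp": group_spend_rolling_hour(cdrs, high_cost, FRIDAY_1900 + timedelta(hours=1)),
        "day_spend_gbp": day_spend,
        "day_cap_exceeded": over,
        "premium_pattern": premium_rate_pattern(cdrs),
        "colour": risk_colour(day_spend),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Note that the Cuba burst trips the per-destination check only because the baseline has no Cuba traffic at that hour; the same 80 minutes to the UK would sit well inside the client’s normal 19:00 pattern, which is why the per-hour comparison has to be per client and per destination rather than a global threshold.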

How much money does this save your clients?

Our carrier customers benchmark fraud incident risk at between 5k and 7.5k (euro or GBP) of margin per incident. Wholesale is not about stopping legitimate calls being made, but about keeping the fraud financial risk factor within very low financial parameters, i.e. less than £250 turnover. Our clients see our fraud products as an insurance policy reducing their financial exposure, where it can’t be fully eliminated.

Finally, what are common destinations for fraud right now?

We are seeing a lot of fraudulent activity in the past 3 months to places in Eastern Europe such as Serbia, Azerbaijan, Bosnia and Herzegovina and Kosovo. African states such as Guinea, Liberia, Zimbabwe and Eritrea are also active, along with perennial “favourites” such as Cuba, Satellite Services and El Salvador.

Related content

Fraud negatively impacts everyone, including residential and commercial customers, with losses increasing the communications carriers’ operating costs, resulting in higher service costs to the end user. Read our two part technical briefing on fraud in the telecommunications industry here.

Read Steffen’s interview regarding monitoring and responding to fraudulent activity out of hours here.

Read more about our fraud management services here and our network surveillance activity here.

Check out our Voice Fraud Infographic to see where the attacks are being made and how.

Fraud, Network Surveillance, S.Hylby, Staff Post
