
SIP FRAUD DETECTION – SCENARIOS AND CHALLENGES

Nov 13th 2018 | 3pm London
TODAY'S PRESENTERS

- Scott Bicheno, Editorial Director, Telecoms.com
- Nuno Pestana, Senior Product Specialist, WeDo Technologies

SIP FRAUD DETECTION – Scenarios and Challenges
Nuno Pestana, Senior Product Specialist
ABOUT

TEAM AND CULTURE
- More than 220 CUSTOMERS in more than 100 countries
- Offices in 10 COUNTRIES and in 5 continents
- A team of 600+ people from more than 20 NATIONALITIES
- A "WEDO" CULTURE: proud of being part of this COMMUNITY!

CUSTOMERS, STRATEGY AND MARKET PRESENCE
- #1 IN THE WORLD in Telecom Revenue Assurance and Fraud Management Software (Gartner, Stratecast / Frost & Sullivan, Analysys Mason)
- World class reference customers in Telecom, Retail, Energy, Healthcare and Financial Industries
- INDIRECT CHANNEL STRATEGY has successfully started, with two global/worldwide partners already certified
AGENDA

- VOIP FRAUD
- VOIP CALLS FRAUD ATTACKS – CDR based analysis
- SIP FRAUD – SIP messages analysis
AGENDA – VOIP FRAUD
VOIP TRAFFIC

- Traffic is shifting from landline to VoIP networks due to lower costs
- International carriers are providing cheaper VoIP routes
- Fraudsters are using stealthier and more complex schemes, taking advantage of machine and human weaknesses to commit fraud
- Multiple providers are selling IP PBXs, SIM Boxes and VoIP based numbers
VOIP/SIP

- SIP is used by most IP PBXs
- As an IP based protocol, SIP is exposed to security issues and can be used by external entities to hack CSP or large corporate account PBXs
- If an IP PBX is hacked, several attacks can be triggered (for example IRSF or Wangiri) that can cause high financial losses
- Fraud Detection and Intrusion Detection are usually handled by different teams in the organization (Fraud Team vs Security Team)
METHODS RELATED WITH VOIP/SIP FRAUD

CFCA 2017 Survey - Fraud Losses by Method in $ USD Billions:
- Subscription Fraud (Identity): 2.03
- Subscription Fraud (Application): 1.94
- IP PBX Hacking: 1.94
- PBX Hacking: 1.94
- Subscription Fraud (Credit Muling/Proxy): 1.75
- Account Takeover: 1.66
- Abuse of Service Terms and Conditions: 1.66
- Internal Fraud / Employee Theft: 1.47
- Payment Fraud: 1.38
- Phishing / Pharming: 1.38
- Spoofing (IP or CLI/ANI): 1.29
- Abuse of network, device or configuration weakness: 1.29
- Dealer Fraud: 1.11
- Wangiri (Call Back Schemes): 1.01
- Social Engineering: 1.01
- Robocalling: 0.92
- Signalling Manipulation: 0.83
- Voicemail Hacking (Not associated with PBX Hacking): 0.65
- SMS Faking or Spoofing: 0.65
- Pre-Paid Equipment & Services: 0.65
- Mobile Malware: 0.65
- Brand Name / Logo Abuse: 0.65
- IMEI Reprogramming: 0.55
- Clip-on Fraud: 0.46
- SIM Cloning: 0.37

Many of these fraud methods potentially include the use of VOIP.


POLL QUESTION #1

What is the percentage of VOIP traffic currently in your network?
- Between 0 and 25%
- Between 25 and 50%
- Between 50 and 75%
- More than 75%
- Not Applicable
AGENDA – VOIP CALLS FRAUD ATTACKS (CDR based analysis)
WHAT IS SIP?

The Session Initiation Protocol (SIP) is a protocol for signalling and controlling multimedia communication sessions in applications of Internet telephony for voice and video calls.

Basic call flow:
INVITE -> 100 Trying -> 180 Ringing -> 200 OK -> ACK -> Call/Media in Progress -> BYE -> 200 OK
SIP HAS MULTIPLE MESSAGES EXCHANGED TO ESTABLISH AND TERMINATE THE CALL

- Call Setup: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK
- Call in Progress: Call/Media in Progress
- Call Termination: BYE, 200 OK

Usually, for Fraud Management, CDR based data is used (created upon call termination and containing the call details).
EXAMPLE

Wangiri Fraud, also known as Call Back Fraud, is a fraud scenario where fraudsters trigger multiple single ring and disconnected calls (displaying a premium rate number).

Multiple one ring and disconnect calls: all call attempts made by the fraudsters are not registered in CDRs, making it difficult to detect Wangiri scenarios from the beginning of the attack.

Some of the subscribers that receive the call may call back to the originating number, artificially inflating the traffic to the Premium Rate Number and paying the high value of the call.

Victims call back to PRS: using CDRs, only the calls back to the original number may be used for detection.
IS THE TRADITIONAL CDR BASED ...

What if the attack is started on a big number of devices at the same time?

A huge loss could have happened once those calls have terminated!

SIP Signalling Messages could be used to minimize the impact.
POLL QUESTION #2

What kind of measures are you taking in your Fraud Management System for VOIP/SIP Fraud?
- Controls using CDRs
- Controls using SIP Messages
- Controls using CDRs and SIP Messages
- None of the above
- Not Applicable
AGENDA – SIP FRAUD (SIP messages analysis)
SIP HAS MULTIPLE MESSAGES EXCHANGED TO ESTABLISH AND TERMINATE THE CALL

- Call Setup: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK
- Call in Progress: Call/Media in Progress
- Call Termination: BYE, 200 OK

Fraud can start to be detected on call initiation.
A GROSS SIMPLIFICATION

CDRs:
- Primary purpose – billing and charging
- Post event
- Some information not easily accessible – e.g.: all SIP messages times
- Multiple entities write CDRs or equivalent

Signalling:
- Primary purpose – call control
- Real-time processing
- Controls calls, data, text – can block/allow/interact
- Some additional information
- Multiple interfaces & protocols with different info

Both contain:
- Origin, destination
- Date, time, length of calls, etc.
- Source IP, Destination IP
EXAMPLE

Wangiri Fraud, also known as Call Back Fraud, is a fraud scenario where fraudsters trigger multiple single ring and disconnected calls (displaying a premium rate number).

Multiple one ring and disconnect calls: the fraudulent Premium Rate Number will try to do as many call attempts as possible to trigger the call back from subscribers.

Call attempts are available in the SIP protocol, enabling a quicker detection in Wangiri or IRSF scenarios.

Immediate detection using INVITE and CANCEL messages: by using the SIP INVITE and CANCEL messages the detection can be done from the first attempt.
EXAMPLE

Typical Detection Rules (multiple one ring and disconnect calls; immediate detection using INVITE and CANCEL messages):
- High number of INVITE followed by CANCEL from the same CLI
- Dispersion of called numbers by the same origin
- Origin CLI in known Premium Number/Ranges lists
- Dispersion of calls back to the same destination number
EXAMPLE OF FLOW WITH CANCELLED CALL

- Call Setup: INVITE, 100 Trying, 183 Session Progress
- Call Cancel: CANCEL, 200 OK, 487 Request Terminated, ACK
EXAMPLE

Aggregated CDR and Detailed Call Flow

Early signs of activity that eventually will trigger fraud can be detected.

Example – SIP Register Attack:
- Port scan SIP port UDP 5060
- Send a SIP REGISTER to the SIP Server
- Server responds to the authentication try
- User agent responds with REGISTER containing the password in MD5 format
- Brute force the MD5 hash containing the password
- Authenticate using the compromised credentials

Flow: REGISTER -> 200 OK (if no authentication) or 401 Unauthorized or 407 Proxy Authentication Required -> REGISTER -> 200 OK
EXAMPLE

Aggregated Event and Detailed Call Flow

SIP REGISTER FLOODING

Fraudsters aim to collapse the Register Server's response capacity in order to bypass the authentication required by Registers.

Detection Rules:
- Count of Unauthorized Response Code (401) messages from the same Source IP / Contact Number
PBX HACKING - CONCURRENT CALLS

Once a PBX is hacked, the hacker instructs the PBX to call IRSF numbers (multiple calls) and maintain the communication as long as possible until it's detected.

Detection Rules:
- High number of INVITE messages simultaneously without CANCEL, BYE messages from the same Source IP/From
LOCATION ROUTING NUMBER / ARBITRAGE

Fraudsters insert fake cheap terminating LRN numbers into their calls when the call will actually be routed to a high cost destination. The service provider network will charge a cheaper rate to the source network, yet it will have to pay the interconnect costs of the high price destination, which can be up to five times higher.

Detection Rules:
- Analyse the origination and termination numbers and find strange patterns such as fake numbers, routing IPs, etc.

Incorrect LRN in SIP INVITE:
Subscriber -> Fraudulent source network (Incorrect LRN) -> Wholesale Low Cost Provider (Correct LRN) -> PSTN High Cost
TOLL BYPASS

Attackers can directly configure a SIP Proxy, Session Border Controller or any other gateway network element, bypassing Authentication, Authorization and Accounting procedures.

Under these circumstances no billing information will be created and the fraud can be undetectable until interconnect bills are presented to the subscriber's service provider.

Detection Rules:
- Using a white list of known Core Gateways or Trunking network elements
- Validating unknown registered IPs configured directly, avoiding Register Proxies
CALL TRANSFER

Fraudsters are able to hack a PBX and instruct the PBX phone to transfer calls to the hacker's phone service. The compromised PBX is used by the hacker to make free long distance or international calls.

This fraud can be further explored by using multiple transfers, which is harder to detect.

Detection Rules – Concurrent Call Transfer:
High number of calls with REFER message simultaneously without CANCEL, BYE message
- from same IP Address/From
- with contact number/SIP URI not in Register
- to International Risky Destination
- to known IRSF Numbers or Ranges

Flow: Hacker (INITIATE) -> PBX -> Soft switch -> Int. Long Distance, with an INVITE at each hop
CALL FORWARDING/DIVERT

Hackers are able to compromise portal or voice mail credentials and set unconditional call forward to high price destinations. A call generator will call the compromised extension of the PBX multiple times.

Detection Rules – Concurrent Diverted Calls:
High number of INVITE messages with Divert Reason Unconditional, Response Code 3*, simultaneously without CANCEL, BYE message
- from same IP Address/From
- To/Contact Number/SIP URI field in International Risky Destination
- to known IRSF Numbers or Ranges

Flow: Hacker / Call generator -> PBX or voicemail system -> Service provider -> High cost Destination
SIP BILLING ATTACK

- Fraudsters aim to make calls without the subscriber's authorization
- Fraudsters prolong the duration of the subscriber's call transparently
- Both can create elevated levels of fraud, especially when it concerns PRS, IRSF and high price destination numbers

Detection Rules:
- SIP INVITE message using an old nonce for the same subscriber
- Several Busy Response Codes (486, 600)
- SIP BYE message comes from an unknown IP not used during the entire session
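An added example, not taken from the deck or from WeDo's product, showing how three of the detection rules described in these slides could be evaluated over a stream of SIP signalling events: Wangiri (INVITE followed by CANCEL from the same CLI, with dispersion of called numbers), PBX hacking (simultaneous INVITEs without CANCEL/BYE from the same source IP) and the SIP billing attack (BYE from an IP never seen during the session). The event layout, the sample values and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed SIP signalling events (not a real capture):
# (seconds, kind, call_id, from_cli, to_number, src_ip); kind is a method or a status code.
EVENTS = [
    (0, "INVITE", "c1", "+44900111", "+44700001", "10.0.0.5"),
    (1, "CANCEL", "c1", "+44900111", "+44700001", "10.0.0.5"),
    (2, "INVITE", "c2", "+44900111", "+44700002", "10.0.0.5"),
    (3, "CANCEL", "c2", "+44900111", "+44700002", "10.0.0.5"),
    (4, "INVITE", "c3", "+44900111", "+44700003", "10.0.0.5"),
    (5, "CANCEL", "c3", "+44900111", "+44700003", "10.0.0.5"),
    (6, "INVITE", "c4", "+351210001", "+2526001", "10.0.0.9"),
    (7, "INVITE", "c5", "+351210001", "+2526002", "10.0.0.9"),
    (8, "INVITE", "c6", "+351210001", "+2526003", "10.0.0.9"),
    (9, "200", "c6", "+351210001", "+2526003", "10.0.0.40"),
    (10, "BYE", "c6", "+351210001", "+2526003", "198.51.100.23"),
]

def wangiri_suspects(events, min_cancelled=3, min_distinct_dest=3):
    """Rule: many INVITEs followed by CANCEL from the same CLI, spread over
    many distinct called numbers (dispersion of destinations)."""
    invites = {e[2]: e for e in events if e[1] == "INVITE"}
    cancelled = {e[2] for e in events if e[1] == "CANCEL"}
    per_cli = defaultdict(set)  # CLI -> {(call_id, called number)}
    for call_id in invites.keys() & cancelled:
        per_cli[invites[call_id][3]].add((call_id, invites[call_id][4]))
    return {cli: len(calls) for cli, calls in per_cli.items()
            if len(calls) >= min_cancelled
            and len({to for _, to in calls}) >= min_distinct_dest}

def concurrent_open_invites(events, min_open=2):
    """Rule: many INVITEs from one source IP with no CANCEL or BYE so far."""
    closed = {e[2] for e in events if e[1] in ("CANCEL", "BYE")}
    per_ip = defaultdict(int)
    for _, kind, call_id, _, _, ip in events:
        if kind == "INVITE" and call_id not in closed:
            per_ip[ip] += 1
    return {ip: n for ip, n in per_ip.items() if n >= min_open}

def bye_from_unknown_ip(events):
    """Rule: a BYE whose source IP was never seen earlier in that session."""
    seen = defaultdict(set)  # call_id -> IPs observed before the BYE
    hits = []
    for _, kind, call_id, _, _, ip in sorted(events):
        if kind == "BYE" and ip not in seen[call_id]:
            hits.append((call_id, ip))
        seen[call_id].add(ip)
    return hits
```

In a real deployment the same functions would run over a sliding time window of live signalling rather than a fixed list, with thresholds tuned per collection point.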
POLL QUESTION #3

What are the major methods used in the VOIP/SIP Fraud attacks in your company?
- PBX Hacking
- Wangiri
- CLI Spoofing
- SIP Messages manipulation
- Other
- Not Applicable
USING SIP SIGNALLING

Challenges:
- High volumes of data - each call has multiple messages
- Availability of signalling information
- Complex information – the same call is available at multiple points of the network with different call ids

Suggestions to handle the challenges:
- Focus analysis on critical points, reducing the volumes to be handled: International Calls, Corporate PBXs
- Analyse your network to determine collection points
- Use a combination of CDR based and Signalling based analysis for a complete analysis
USING SIP SIGNALLING

Quicker fraud detection and immediate action:
- Block source of attack (Phone Number, Source IP, Carrier)
- Notify victim (PBX owner, customer)

= Reduced fraud window
- Better Customer Satisfaction
- Reduced loss
- Improved reaction time to new threats
- SIP Fraud Attacks may cause severe financial impacts
- You can expand the CDR based approach with SIP messages analysis to prevent fraud
- CDRs and SIP messages can be consolidated in a single view to cover all fraud cases, origins and impacts
Q&A