About Fraud Scenarios

The following sections describe some of the common fraud scenarios.

PBX Fraud

Scenario

Users on the internal side (for example, inside an enterprise) may place outbound calls and also receive calls. Seen from the outside (the side visible to Session Monitor or an SBC), the PBX receives calls for a limited set of numbers (for example, the number range of the enterprise) and makes phone calls to almost any number. Depending on the customer, the outbound calls may be directed to a restricted area (for example, mostly local calls).

Detection Method

Whenever possible, multiple metrics should be used to identify fraud. Calls bound to the PBX (as seen from Session Monitor or an SBC) are not subject to fraud in this context but may be part of a fraud scheme (for example, when representing the inbound leg of a forwarded call). In fact, an attacker might bypass the Session Monitor or the SBC monitoring points so that inbound calls are not. Fraud might be detected by observing a change in the daily distribution of calls as well as the geographical restrictions.

International Revenue Share Fraud

International Revenue Share Fraud (IRSF), Domestic Revenue-Share Fraud (DRSF), and Premium Rate Fraud are closely linked. The detection methods for all three scenarios are similar, and all are covered in this section.

Scenario

An attacker operates a premium number with a revenue share provider in a foreign country. For each call or call minute conducted to this number, the attacker receives part of the revenue. The attacker's goal is to inflate the traffic to this number to increase his revenue. The services provided via this number may range from random announcements to call-through services. To redirect traffic to his number, the attacker may place calls (no connect, just creating a missed call entry) with a spoofed number to victims, leading them to call him back.

In a more sophisticated scenario, the attacker introduces his premium number into his victims' communication as a call-through service. He may modify VoIP endpoints (PBXes, VoIP-enabled routers, and so on) to carry his number as a prefix. A Bluetooth-based attack has been used to replace phone numbers in mobile phones and prefix them with a premium number. This not only increases the revenue for the attacker, but (as above) also allows the attacker to eavesdrop on the phone calls. The most common approach to inflate traffic to the fraudster's phone number is to break into PBX or voicemail systems and call his own number, knowing that this costs the PBX or voicemail operator significant amounts of money.

Typically, the fraudster can collect revenue from the premium number more quickly (for example, each day or each week) than the billing cycle on the originating side (for example, once a month). This allows the fraudster to extract money from the system before the bill hits him on the originating side if he decides to increase the traffic on his own.

Detection Method

The Amount of Traffic to the fraudulent number(s) increases. A hit on the Blacklist may also be triggered.
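
The metrics named in the two Detection Method sections (a change in the daily distribution of calls, the geographical restrictions, a traffic increase to a number, and a blacklist hit) can be combined as in the following added Python example, which is not part of the original documentation or of Session Monitor. The call records, thresholds, allowed prefix, and blacklist entry are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from any real network): outbound call records
# for one PBX as (hour_of_day, dialed_number, minutes).
BASELINE = [(9, "+4930111", 3), (10, "+4930222", 5), (11, "+4989333", 2),
            (14, "+4930111", 4), (15, "+4940444", 6), (16, "+4930222", 3)]
TODAY = [(10, "+4930111", 4), (2, "+3725550001", 55), (2, "+3725550001", 58),
         (3, "+3725550001", 60), (3, "+2255550002", 40), (15, "+4930222", 3)]

ALLOWED_PREFIXES = ("+49",)   # assumed geographic restriction for this customer
BLACKLIST = {"+2255550002"}   # assumed list of known fraudulent numbers

def hourly_shift(baseline, today):
    """Total variation distance between two hour-of-day distributions (0..1)."""
    def dist(calls):
        counts = Counter(hour for hour, _, _ in calls)
        return {hour: n / len(calls) for hour, n in counts.items()}
    b, t = dist(baseline), dist(today)
    return 0.5 * sum(abs(b.get(h, 0) - t.get(h, 0)) for h in range(24))

def minutes_per_number(calls):
    """Sum call minutes per dialed number."""
    total = Counter()
    for _, number, minutes in calls:
        total[number] += minutes
    return total

def detect(baseline, today, shift_limit=0.5, growth=3.0, min_minutes=30):
    """Return a sorted list of (metric, subject) alerts; several metrics may fire."""
    alerts = set()
    if hourly_shift(baseline, today) > shift_limit:
        alerts.add(("daily_distribution", "pbx"))
    base, now = minutes_per_number(baseline), minutes_per_number(today)
    for number, minutes in now.items():
        if not number.startswith(ALLOWED_PREFIXES):
            alerts.add(("geo_restriction", number))
        if number in BLACKLIST:
            alerts.add(("blacklist_hit", number))
        # Traffic increase: above a floor and well above the number's own baseline.
        if minutes >= min_minutes and minutes > growth * base.get(number, 0):
            alerts.add(("traffic_increase", number))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(BASELINE, TODAY):
        print(alert)
```

A number that trips several metrics at once, as the blacklisted number does here, is a stronger signal than any single metric on its own.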