Anatomy of a telecom fraud attack

One of our customers recently defeated an International Revenue Sharing Fraud (IRSF) attack. We thought it would be useful to share with you some information about the attack profile and demonstrate how a modern telecom fraud detection system can prevent such attacks.

Attack profile

This was a high-speed fast traffic pumping attack launched against a medical clinic on the West Coast. Here are some attack statistics:

Countries called37
Telephone numbers called89
Average gap between calls8.782 seconds
Maximum gap between calls1 minute, 42.176 seconds
Minimum gap between calls0.196 seconds
Total duration of the attack16 minutes, 5.971 seconds

The service provider had previously blacklisted several countries that their customer never expected to call. Blacklisting blocked 66 of the calls in this attack, about 59% of the total calls.

The remaining calls were inspected by SIP Analytics® telecom fraud detection. These calls were scored by fraud risk and blocked when cumulative fraud scores exceeded thresholds that the service provider had set. Fourteen calls passed through before a threshold was breached. Thirty-one calls were blocked after a fraud alert had been triggered.

The service provider uses Cisco BroadSoft. The SIP Analytics integration with BroadSoft enables precise controls based upon service providers, groups and users.

Multiple users were compromised in the attack. Initally, SIP Analytics blocked calls from one user to the UK. Next, the user was blocked from making all international calls. Eventually, the entire group was blocked from making international calls.

Assuming a 20-minute average call duration, had the attack had not been prevented, financial risk exposures were as follows:

ActionCall countCalls%Risk exposureRisk exposure%
Not blocked1413%$79.896%
no hackers


  1. This was a fast attack, with 111 calls in 16 minutes. Faster than most, but not the fastest we’ve seen.
  2. The entire attack, with nearly $1,300 in losses, likely would have completed successfully before a CDR-based fraud management system could have detected it.
  3. Blacklisting by country was effective in blocking a significant majority of the attack.
  4. Of the $387.51 in risk exposure remaining after blacklisting, fraud triggers blocked $307.62 in potential losses and $79.89 potential risk exposure was not blocked.
  5. Had more calls been completed, the attack likely would have continued. The fraudster gave up after only 16 minutes.

SIP Analytics

We provide SIP Analytics fraud detection in our ClearIP and NexOSS software products. SIP Analytics is the fastest, most precise way to detect and block telecom fraud attacks.

Contact us today to learn how easy it is to protect your telecom network and subscribers from IRSF attacks using SIP Analytics.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.