Anatomy of a telecom fraud attack
One of our customers recently defeated an International Revenue Sharing Fraud (IRSF) attack. We thought it would be useful to share with you some information about the attack profile and demonstrate how a modern telecom fraud detection system can prevent such attacks.
This was a high-speed fast traffic pumping attack launched against a medical clinic on the West Coast. Here are some attack statistics:
|Telephone numbers called||89|
|Average gap between calls||8.782 seconds|
|Maximum gap between calls||1 minute, 42.176 seconds|
|Minimum gap between calls||0.196 seconds|
|Total duration of the attack||16 minutes, 5.971 seconds|
The service provider had previously blacklisted several countries that their customer never expected to call. Blacklisting blocked 66 of the calls in this attack, about 59% of the total calls.
The remaining calls were inspected by SIP Analytics® telecom fraud detection. These calls were scored by fraud risk and blocked when cumulative fraud scores exceeded thresholds that the service provider had set. Fourteen calls passed through before a threshold was breached. Thirty-one calls were blocked after a fraud alert had been triggered.
The service provider uses Cisco BroadSoft. The SIP Analytics integration with BroadSoft enables precise controls based upon service providers, groups and users.
Multiple users were compromised in the attack. Initally, SIP Analytics blocked calls from one user to the UK. Next, the user was blocked from making all international calls. Eventually, the entire group was blocked from making international calls.
Assuming a 20-minute average call duration, had the attack had not been prevented, financial risk exposures were as follows:
|Action||Call count||Calls%||Risk exposure||Risk exposure%|
- This was a fast attack, with 111 calls in 16 minutes. Faster than most, but not the fastest we’ve seen.
- The entire attack, with $1,300 in losses, likely would have completed successfully before a CDR-based fraud management system could have detected it.
- Blacklisting by country was effective in blocking a significant majority of the attack.
- Of the $387.508 in risk exposure remaining after blacklisting, fraud triggers blocked $307.622 in potential losses and $79.886 potential risk exposure was not blocked.
- Had more calls been completed, the attack likely would have continued. The fraudster gave up after only 16 minutes.
Contact us today to learn how easy it is to protect your telecom network and subscribers from IRSF attacks using SIP Analytics.
This information will only be used to respond to your inquiry. Transnexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.
SIP Analytics® inspects each call before it begins. It’s the fastest, most precise method available to detect and prevent telecom fraud.Learn more