REDCOM recently learned about a massive fraud scheme which was undoubtedly costing an ICT company a small fortune.
The customer, a national carrier, selected REDCOM to replace another vendor’s unsupported softswitch serving as an international gateway, national tandem switch, and PSTN. Upon switching live traffic to the REDCOM, it was discovered that massive quantities of voice calls from overseas had been transiting the former softswitch, bound for the other side of the globe.
Typically, an international gateway should prohibit transit international traffic (that is, traffic coming from outside the country and then going back out of the country). In this case though, the inbound fraudulent traffic was spoofing the carrier’s mobile and gateway IP addresses (which are of course generally considered “safe”) and the calls were allowed to proceed.
Malicious IP-based attacks are nothing new. This case, though, exhibits a new level of ingenuity and complexity in that the IP addresses had to be obtained before they could be spoofed. In all certainty, these addresses were intercepted from IP-based network communications, indicating that the customer’s IP network had been breached.
Furthermore, immediately upon replacing the old softswitch with the REDCOM, it was observed that an outside entity had identified the IP address used by the new REDCOM softswitch and was repeatedly attempting to gain access to the new REDCOM switch as if it were a mobile switch call. The supposedly mobile packets carried non-mobile numbers in the URL as the originator of the calls. With this identification, the REDCOM switch was able to create a white-list allowing only proper mobile numbers. The financial implication, had the intruder been successful, would have been critically damaging to the business.
How to protect your network from fraud:
Conduct a Traffic Audit
It takes a day to lose $100,000 to fraudulent call activity. Traffic patterns should be reviewed daily. What to look for:
- Suspicious volumes of traffic from an odd location/number
- Unlikely call origination location/number. If it looks strange, something is probably going on.
- Suspicious call destinations. Is it likely your customers are calling Ivory Coast or Uruguay? In the case discussed here, the spoofing revealed the source with a URL number and this should be a red flag.
- Usage at odd hours. Watch for suspicious levels of traffic at typically low traffic periods. In this case, the appearance of non-mobile URL numbers at any time of the day was suspicious.
- Balance traffic usage with revenue and expenses. They should match! If not, there is a problem.
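The red flags above can be checked mechanically against call detail records. The following is an added example, not REDCOM's TDMP or any tool from the article: it runs the transit, non-mobile-originator, odd-hours and low-volume-destination checks over a handful of constructed CDRs. The home country, mobile number prefix, low-traffic window and thresholds are assumptions chosen for the illustration.

```python
from collections import Counter

# Assumptions (not from the article): the carrier's home country, the number
# ranges its mobile switch serves, and the destinations it treats as low-volume.
HOME = "US"
MOBILE_PREFIXES = ("+1555",)
LOW_VOLUME_DESTINATIONS = {"CI", "UY", "AG"}   # Ivory Coast, Uruguay, Antigua
NIGHT_HOURS = range(1, 5)                      # 01:00-04:59, assumed low-traffic window

# Constructed CDRs: (hour, trunk class, originating number, origin country, destination country)
CDRS = [
    (14, "end_office", "+15551230001", "US", "US"),
    (14, "mobile",     "+15551230002", "US", "GB"),
    (2,  "intl_gw",    "+22507000001", "CI", "UY"),   # inbound from overseas, bound back overseas
    (2,  "intl_gw",    "+22507000002", "CI", "UY"),
    (2,  "intl_gw",    "+22507000003", "CI", "UY"),
    (3,  "mobile",     "+22507000004", "CI", "AG"),   # on the mobile trunk, non-mobile originator
    (11, "intl_gw",    "+442070000001", "GB", "US"),  # legitimate inbound terminating at home
]

def audit(cdrs, night_threshold=2, destination_threshold=2):
    """Return findings matching the red flags listed above."""
    findings = []
    per_hour, per_dest = Counter(), Counter()
    for hour, trunk, originator, orig_cc, dest_cc in cdrs:
        per_hour[hour] += 1
        per_dest[dest_cc] += 1
        # International-to-international transit through the gateway
        if trunk == "intl_gw" and orig_cc != HOME and dest_cc != HOME:
            findings.append(("transit", originator, dest_cc))
        # "Mobile" call whose originating number is not one the mobile switch serves
        if trunk == "mobile" and not originator.startswith(MOBILE_PREFIXES):
            findings.append(("non_mobile_originator", originator, dest_cc))
    # Usage at odd hours
    for hour in NIGHT_HOURS:
        if per_hour[hour] >= night_threshold:
            findings.append(("off_hours_volume", hour, per_hour[hour]))
    # Suspicious volume to destinations customers rarely call
    for dest in sorted(LOW_VOLUME_DESTINATIONS):
        if per_dest[dest] >= destination_threshold:
            findings.append(("suspicious_destination", dest, per_dest[dest]))
    return findings

if __name__ == "__main__":
    for finding in audit(CDRS):
        print(finding)
```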
REDCOM systems have two applications for monitoring traffic, TDMP (Traffic DuMP) and a Source-to-Destination Matrix. These allow traffic managers to monitor historical traffic based on usage, the source country/core device, and destination. In addition, REDCOM’s server-based General Traffic Metering Package provides an easy-to-configure traffic analysis that outputs usage graphs for management consumption.
The solution is simple: don’t let traffic go where it should not. You have three options:
- Severely limit transit traffic. End offices should only allow outgoing calls to subscribers and PBXs, not back into the network. International gateways should block international-to-international transit traffic.
- Limit transit traffic. In some cases a carrier may have inter-country agreements to carry third-party traffic. In these cases, traffic should be tightly controlled. Traffic from legitimate business partners should be limited to that country/company; traffic to these partners should be limited to a set of countries identified by the business partner (or by you, if you have problems with traffic to certain countries). Some carriers use a black list as standard; if a customer wants to call one of the countries on the black list, they waive all rights and become responsible for all traffic originating from their device to any of the black-listed countries.
- Throttle traffic. Calls to what may reasonably be considered low volume destinations (e.g., Antigua) should be blocked. If you can’t block the destination due to a customer’s actual need, reduce the number of simultaneous calls to that and other similar destinations.
REDCOM systems have the capability to block transit traffic, calls from given countries, and calls to given destinations. Beyond that, calls to “suspicious” or low-use destinations may be forced to use a limited number of trunks (including SIP trunks) and roll over to All Trunks Busy (ATB). This protects carriers by limiting the number of fraudulent calls to given destinations, while the ATB condition allows administrators to easily identify a probable abuse case.
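The three controls described above (transit blocking, origin/destination blocking, and a per-destination trunk cap that rolls over to ATB) can be expressed as a small call-admission policy. This is an added example for illustration, not REDCOM's switch logic; the home country, the blocked country codes and the Antigua trunk cap are constructed assumptions.

```python
from collections import Counter

# Assumptions (not from the article): home country, an origin country blocked
# outright, a destination blocked outright, and a low-use destination confined
# to a small trunk group with the given simultaneous-call cap.
HOME = "US"
BLOCKED_ORIGIN_COUNTRIES = {"ZZ"}          # placeholder country code
BLOCKED_DESTINATIONS = {"YY"}              # placeholder country code
THROTTLED_DESTINATIONS = {"AG": 2}         # Antigua: at most 2 simultaneous calls

class TransitPolicy:
    def __init__(self):
        self.active = Counter()   # live calls per destination country

    def admit(self, trunk, orig_cc, dest_cc):
        """Decide one call setup; returns 'allow', 'atb' or a 'block:<reason>' string."""
        if trunk == "intl_gw" and orig_cc != HOME and dest_cc != HOME:
            return "block:international_transit"
        if orig_cc in BLOCKED_ORIGIN_COUNTRIES:
            return "block:origin_country"
        if dest_cc in BLOCKED_DESTINATIONS:
            return "block:destination"
        cap = THROTTLED_DESTINATIONS.get(dest_cc)
        if cap is not None and self.active[dest_cc] >= cap:
            return "atb"          # limited trunk group is full: All Trunks Busy
        self.active[dest_cc] += 1
        return "allow"

    def release(self, dest_cc):
        """Call ended; free its trunk."""
        if self.active[dest_cc] > 0:
            self.active[dest_cc] -= 1

def run_scenario():
    """Constructed sequence of call setups; returns the policy's decisions in order."""
    policy = TransitPolicy()
    decisions = [
        policy.admit("intl_gw", "CI", "UY"),      # overseas-to-overseas transit
        policy.admit("intl_gw", "GB", "US"),      # inbound terminating at home
        policy.admit("end_office", "US", "AG"),   # 1st call to Antigua
        policy.admit("end_office", "US", "AG"),   # 2nd call to Antigua: cap reached
        policy.admit("end_office", "US", "AG"),   # 3rd call: rolls over to ATB
        policy.admit("end_office", "ZZ", "US"),   # blocked origin country
        policy.admit("end_office", "US", "YY"),   # blocked destination
    ]
    policy.release("AG")
    decisions.append(policy.admit("end_office", "US", "AG"))  # trunk freed again
    return decisions
```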
Secure your IP Network
- Close down unused ports. This is a standard operation for IT.
- Block known malicious sources.
- Watch the IP traffic for obvious criminal activity, such as that from SIPVicious. We use Wireshark, which is free.
- Install a Session Border Controller. It’s imperative. We recommend the Acme Packet devices; Acme was bought by Oracle, so you can go to Oracle. Unless your technical staff has experience with an SBC, they will also need training.
As can be seen, monitoring malicious and fraudulent traffic involves many people, often working in concert. Defense includes a comprehensive audit of voice and data, OA&M access, SIP packet inspection, network design, and financial records. But more than anything, it requires a strategy to avoid and terminate fraud.
REDCOM’s staff has extensive experience detecting and deflecting fraudulent traffic, and is willing to contract to audit your traffic and network, either one-time or on an ongoing basis.