Track And Correlate Toll Fraud Attempts In Real Time

With the massive growth in SIP Trunking deployments that connect the enterprise IT core directly to the internet, Toll Fraud attacks are exploding. These attacks are far simpler to carry out than the earlier attacks on TDM networks. Toll Fraud was once the domain of highly organized, professional perpetrators running multi-million-dollar schemes. Global deployment of VoIP (and UC) now makes SIP an even easier target for both service provider networks and enterprises of all types and sizes.

Today's global and distributed workforce demands connectivity and collaboration at any place, at any time and from any device. Global SIP deployment makes Toll Fraud attack vectors readily available: stolen devices, weak passwords that are easily cracked, poor (or no) encryption, caller-ID poisoning, registration hijacking, and call forwarding or redirection attacks. Malicious exploits gain control of a vulnerable endpoint, one leg of a connection, or even the eSBC or PBX. The attackers then move laterally, make illegitimate use of expensive services or route calls illegitimately (long-distance calls, premium VoIP or UC services), and resell that access to unsuspecting individuals or corporations.

RedShift Networks global intelligence network identifies many Toll Fraud attack patterns including:

  • illegitimate registration hijacking, addition or deletion
  • number harvesting
  • password cracking
  • wangiri fraud
  • PBX fraud
  • revenue share fraud (RSF)
  • illegitimate call forwarding, redirection or hijacking
  • illegitimate referral/join or caller-ID spoofing attacks

Global carriers and enterprises lost more than $31B in revenue and operational costs to Telecom Fraud in 2019, according to the CFCA. This represents a significant slice of revenue for many service providers and enterprises. The popularity of the SIP and WebRTC protocols and of ubiquitous networks only raises the frequency of criminal activity to alarming new levels. Because these VoIP (or UC) services travel over the internet, often traversing multiple service provider networks before reaching the final destination, there is ample opportunity for any leg of the communication to be intercepted or rerouted for the purpose of committing Toll Fraud. SIP Trunking on VoIP networks makes the economics of Toll Fraud even more attractive: broader SIP conduits or trunks, more readily available bandwidth, and masqueraded IP addresses. Large-scale Toll Fraud activity, especially in bursts during night hours, can go unnoticed for weeks, months or even years.

The key to thwarting and preventing Telecom Toll Fraud is to proactively block fraudsters before they steal their targets' credentials and cause monetary losses. RedShift's UCTM solution detects these fraudsters before enterprises and service providers experience loss. This is a far more proactive, closed-loop approach than the reactive CDR (Call Detail Record) based fraud solutions on the market, which can only flag fraud after the calls have already been billed.

RedShift's User and Toll Fraud tracker combines:

  • advanced state machines that track and correlate user behaviors
  • tracking of normal and abnormal application state transitions
  • tracking of anomalies in call and session flows
  • correlation and conformance detection
  • tracking of application transitions and user properties
  • monitoring of blacklist/whitelist information
  • validation of policy controls against real-time call analytics such as CDRs
  • complete visibility of call profiles, call zones, block lists and a time-of-day tracker.

The Toll Fraud tracker is built on fully UC-stateful Back-to-Back User Agent (B2BUA) technology. Because the B2BUA terminates and re-originates every SIP dialog, RedShift Networks customers can track and correlate malicious attempts in real time rather than after the fact. Authorization codes are tracked to detect foul play, e.g. the same authorization code being used from multiple geographic locations or by different users.

RedShift Networks helps users spot toll fraud by tracking and learning each user's local, long-distance, international, toll and do-not-call numbers in hour, day, month and year buckets. All results are normalized and kept in the Fraud detection database. Any sudden surge in anomalies is matched in real time against the policy profiles: either the user is asked to retry after an allotted time, or the call is simply rejected. Refer-To headers and redirects are strictly monitored, and through UCTM's patent-pending learning process the engines automatically generate a dynamic circle of trust. Activity outside the circle of trust is considered malicious and, depending on the predefined policy, any attempt to use the Refer-To feature to initiate long-distance or international calls is rejected.

IT departments can also define Policy Zones to gain finer control over the use of long-distance and international calls. Each zone carries its own security policy and is attached to a group of users. This optional feature, together with the base configuration, ensures the policies are enforced by the Toll Fraud detector. The Fraud database is constantly updated and provides a list of all known and/or learned fraudster locations, botnets, war dialers, spammers and scanners that should be blocked.
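To make the preceding three paragraphs concrete, here is an added example (written for this page, not RedShift's code or UCTM's algorithm) of the four checks they describe, run over constructed call records: authorization-code reuse across users or locations, a per-user, per-hour learned baseline of call classes that escalates from "retry later" to "reject", a Refer-To circle of trust, and policy zones that cap toll calls for a group of users. The `Call` record, the `+1` home country code, the `+1-900` premium prefix, the 2x-baseline threshold and the zone names are all assumptions chosen for illustration.

```python
"""Toy toll-fraud tracker (added example, not RedShift's code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HOME_CC = "+1"  # assumed home country code used to classify dialled numbers


@dataclass
class Call:
    user: str
    auth_code: str
    src_country: str                 # geolocation of the signalling source (assumed input)
    dest: str                        # dialled number in E.164 form
    hour: int                        # hour-of-day bucket, 0-23
    refer_to: Optional[str] = None   # transfer target when the request carries Refer-To


@dataclass
class PolicyZone:
    name: str
    allow_toll: bool          # may users in this zone place international/premium calls
    max_toll_per_hour: int    # hard cap on toll calls per user per hour bucket


def classify(number: str) -> str:
    """Bucket a dialled number as 'premium', 'international' or 'local'."""
    if number.startswith(HOME_CC + "900"):   # +1-900 premium-rate prefix (assumed)
        return "premium"
    if not number.startswith(HOME_CC):
        return "international"
    return "local"


class TollFraudTracker:
    def __init__(self, zones: dict, user_zone: dict):
        self.zones = zones
        self.user_zone = user_zone
        self.code_bindings = defaultdict(set)  # auth_code -> {(user, country)}
        self.baseline = defaultdict(int)       # (user, class, hour) -> learned count
        self.current = defaultdict(int)        # (user, class, hour) -> count this window
        self.trust = defaultdict(set)          # user -> trusted Refer-To targets

    def learn(self, call: Call) -> None:
        """Learning phase: build the per-user time-bucket profile and circle of trust."""
        self.baseline[(call.user, classify(call.dest), call.hour)] += 1
        self.code_bindings[call.auth_code].add((call.user, call.src_country))
        if call.refer_to:
            self.trust[call.user].add(call.refer_to)

    def check(self, call: Call):
        """Return (verdict, reason); verdict is 'allow', 'retry' or 'reject'."""
        bound = self.code_bindings[call.auth_code]
        if bound and (call.user, call.src_country) not in bound:
            return "reject", "authorization code already bound to another user/location"
        bound.add((call.user, call.src_country))   # first use binds the code

        zone = self.zones[self.user_zone[call.user]]
        cls = classify(call.dest)
        if cls != "local" and not zone.allow_toll:
            return "reject", f"zone {zone.name} forbids {cls} calls"

        # A transfer to a toll number the user has never been seen using is outside
        # the circle of trust and is refused outright.
        if call.refer_to and classify(call.refer_to) != "local" \
                and call.refer_to not in self.trust[call.user]:
            return "reject", "Refer-To toll target outside circle of trust"

        key = (call.user, cls, call.hour)
        self.current[key] += 1
        if cls != "local" and self.current[key] > zone.max_toll_per_hour:
            return "reject", "toll calls exceed zone cap for this hour bucket"
        if self.current[key] > 2 * self.baseline[key] + 1:   # surge over learned profile
            return "retry", "rate above learned baseline; retry after hold-down"
        return "allow", "within learned profile"


def run_demo() -> list:
    """Feed constructed daytime traffic to learn, then constructed night traffic to check."""
    zones = {"staff": PolicyZone("staff", True, 3), "lobby": PolicyZone("lobby", False, 0)}
    tracker = TollFraudTracker(zones, {"alice": "staff", "bob": "staff", "lobby1": "lobby"})
    for _ in range(3):                                     # alice's normal local calls
        tracker.learn(Call("alice", "4711", "US", "+12125550100", 10))
    tracker.learn(Call("alice", "4711", "US", "+442071234567", 10,
                       refer_to="+442071234567"))          # one trusted UK transfer
    probes = [
        Call("alice", "4711", "US", "+12125550101", 2),                     # allow
        Call("alice", "4711", "RU", "+12125550101", 2),                     # reject: code reuse
        Call("bob", "4711", "US", "+12125550101", 2),                       # reject: code reuse
        Call("lobby1", "9000", "US", "+442071234567", 2),                   # reject: zone
        Call("alice", "4711", "US", "+12125550102", 2, refer_to="+2348031234567"),  # reject: trust
        Call("alice", "4711", "US", "+2348031234567", 2),                   # allow (first toll)
        Call("alice", "4711", "US", "+2348031234567", 2),                   # retry (surge)
        Call("alice", "4711", "US", "+2348031234567", 2),                   # retry (surge)
        Call("alice", "4711", "US", "+2348031234567", 2),                   # reject: zone cap
    ]
    return [tracker.check(c)[0] for c in probes]
```

A B2BUA that sits in the signalling path would map the "retry" verdict to a SIP 503 with a Retry-After header and the "reject" verdict to a 403, and would feed every outcome back into the fraud database the text describes. Note that the baseline here is deliberately a plain count per bucket; a production tracker would decay old observations so that a compromised account cannot slowly "train" its way into a higher allowance.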