Phone fraudsters are stealing billions each year through a scheme known as IRSF
Telephony-based fraud has reached massive heights in the past decade, with losses to telcos and their consumers ranging around the $38.1 billion mark, according to statistics from the Communications Fraud Control Association.
Of all the different fraud schemes observed by telephony experts and security researchers, one scheme has been more lucrative than the others.
The scheme, known as International Revenue Share Fraud, or IRSF, centers around the existence of premium phone numbers.
Premium phone numbers have existed in the telephony landscape for decades, and they've been introduced to support automatic phone-based purchases. Customers can call a premium phone number that will charge a specific fee and later allow the user access to a website, initiate a product delivery at their home, or activate other services.
Premium phone numbers weren't abused in the beginning, but as they became more popular with the passing years, companies offering these services -- known as International Premium Rate Number (IPRN) providers -- have also grown in numbers to capitalize on the market.
These companies offer the infrastructure needed to run a premium phone number to ordinary companies. IPRNs charge telephone providers a high fee to take up a call and the telcos pass down these costs to customers through monthly invoicing services or real-time phone crediting systems. The company who rented a premium number from the IPRN also gets a small cut for driving traffic (callers) to the number.
The more calls an IPRN receives, the more money it can charge telcos and customers. Consequently, some IPRN providers have realized that playing a fair game isn't to their advantage and many IPRNs have allowed spammers or criminal groups to abuse their networks, splitting profits along the way.
The telephony industry and the general public become aware of IRSF schemes a few years back, especially after an initial report from the New York Times, which started raising awareness toward these schemes.
However, sifting through billions of daily calls has been a problem. Modern-day telephony isn't just fixed and mobile phone networks anymore. Telcos have to deal with a complex soup of protocols and added layers, such as VoIP traffic, SIM card-based customers, voice mail services, softphones (PC apps that work as a phone without needing an actual phone on a desk), OTT (Over-The-Top) services (IM apps that handle phone conversations), faxing, and a plethora of lesser-known Value-Added-Services (VASs).
This huge clutter has allowed criminal groups to operate undisturbed sometimes, and without facing any serious consequences, redirecting large quantities of telephony traffic to premium numbers through various methods.
These methods range in diversity, and the most common include:
- Malware installed on PCs and mobile phones, which can make phone calls without the caller's knowledge.
- Automated calls from stolen or hijacked SIM cards.
- Hacking company networks and taking over PBX (telephony servers) to place calls to premium numbers when employees aren't around (night, weekend).
- Callback spam, which is when malicious threat actors make short calls to users from premium phone numbers, hoping users will call back and get an automatic charge.
But in recent years, telecom operators have implemented filters for detecting traffic spikes towards well-known premium number blocks.
However, IRSF fraudsters also didn't stand by to watch their revenues trickle down to a stop, and they, too, reacted by changing their modus operandi. In recent years, security researchers have started to see partnerships between some IPRN providers and shady transit operators -- telcos that reroute telephony traffic through their network.
Fraudsters -- using the same methods listed above -- aren't calling premium numbers directly anymore, but are initiating calls to legitimate phone numbers that a malicious transit operator silently redirects to a premium phone number behind the scenes.
EURECOM researchers Merve Sahin and Aurelien Francillon have been tracking some of the IPRN providers that appear to engage in such schemes with rogue transit providers.
They say these services are easy to spot thanks to their websites, where they offer the ability to "test" if calls to a premium number work as intended.
Sahin and Francillon say that in reality, these tests allow renters (fraudsters) to test if the telephony traffic hijack works as intended. The tests are available so that fraudsters can make sure a premium phone number is accessible inside a target geographical space, and not blocked by local telcos already.
"Basically what we did was to test those test portals for about three years," said Sahin during the 35th edition of the Chaos Communication Congress, a famous security conference held in Germany every December. "In total, we have been collecting more than 1.3 million test [phone] numbers and 150K test call logs."
Sahin and Francillon's efforts have uncovered that these malicious IPRN providers have networks of premium phone numbers all over the world.
These networks of premium phone numbers span countries in Africa, the former Soviet space, and South American islands, primarily.
The duo found that the test numbers are never used for actual fraud. However, when a customer is satisfied with a test number, the IPRN provider opens a new phone number in the same number block as the test number, and allocates it to the fraudster, knowing that it's very likely to be valid. This allowed the two researchers to gain insight into phone number blocks possibly abused for IRSF schemes.
Sahin and Francillon also discovered that some IPRN providers sometimes abuse unallocated phone numbers. How IPRN providers got their hands on these numbers is unknown, but by abusing unallocated phone numbers, fraudsters are making their operations harder to spot, as telecom firms are less likely to have filters on unallocated phone number blocks.
This might also explain why the two researchers saw some IPRNs change premium numbers used for fraud every few days, while others didn't change numbers for months, suggesting those numbers weren't getting immediately blacklisted.
Furthermore, the duo also spotted some infrastructure reuse among various premium number providers. Researchers said that roughly 70,000 premium phone numbers abused for fraud were also shared among at least two different IPRNs.
When researchers ignored the last four digits in the premium phone numbers they tested, it turned out that 80 percent of all the phone numbers researchers tracked were shared among all providers.
Sahin and Francillon admitted that telecom providers face real difficulties when having to deal with abuse of premium phone numbers. The volume and the diversity of daily traffic makes it hard to identify abuse patterns in a timely manner, with many telcos using algorithms and filters that have a high false positive rate, meaning that telcos end up blocking normal traffic by accident.
Nonetheless, the two didn't just point the finger at a problem without doing anything. The two said they developed an algorithm that leverages the insight into IPRN test portals they obtained during the past three years.
The two researchers tested their algorithm on real-world call records known to contain fraudulent IRSF calls, which they obtained from a European telecom operator.
The test results showed their algorithm achieved a much higher accuracy in detecting IRSF schemes, but also a much smaller quantity of false positives.
The approach presented by Sahin and Francillon represents a solid alternative to the current measures deployed by telco providers. With IRSF damages estimated between $4 billion and $6.1 billion, telcos have a real incentive to improve their approach to detecting abusive calls, especially since both they and their customers end up losing money at the end of the day.
More details about the IRSF phenomenon are available in a video of Sahin and Francillon's CCC presentation, here. The video also deals with another fraud scheme known as OTT Bypass.
This technique describes how malicious transit operators hijack real-world phone calls and redirect the last few hops of a telephone call from a classic telephony network to an OTT service, such as WhatsApp and Skype.
Users don't lose money in this scheme, only their last hop telecom provider, but users do lose in terms of connection quality.