Billing and OSS World

Stopping Next-Generation Fraud Aimed at Internet-based Services

Geoff Ibbett, Subex Azure
09/01/2007

Public communications networks are becoming an extension of the Internet itself. New business models and relationships will evolve to take advantage of this reality. However, wherever there is an opportunity for an operator, there are some individuals and organizations that will exploit weaknesses within the delivery chain for their own advantage.

Although next-generation networks are susceptible to many traditional forms of fraud—such as subscription, premium rate, roaming, technical (for example, cloning) and dealer fraud—an increasing number of Internet-style risk areas, specific to next-generation and wireless networks, could be exploited by fraudsters. Carriers can harden these weak spots to reduce their risk and vulnerability.

Fraud Associated With Next-generation Networks
Fraud risks fall into two broad categories: those aimed at interrupting service and those associated with making money at the expense of a third party. Because networks are becoming more open, with more information transmitted over wireless connections, they are becoming exposed to threats that are traditionally associated with the Internet, like hacking, viruses and malware. With ever-increasing handset capabilities, such as mobile smart phones that can execute code, Trojan horse-style malware presents numerous opportunities for fraudsters. The following are some of the most common and emerging types of fraud, as well as methods for monitoring potential trouble.

Denial-of-Service (DoS) Attack
Switches and gateways in a VoIP network are vulnerable to external hacking attempts. In a DoS attack, the hacker gains access to the IP address information of certain switches and targets them, leading to a complete disruption of calls and preventing all communication until the attack is stopped. The DoS attack is characterized by a flooding of voice channels with de-authentication packets that terminate all VoWLAN handset associations to access points. This continually disconnects all handsets from the network.

DoS monitoring mechanism
One way to help identify a DoS attack is to use a fraud management solution (traffic analyzer) to detect abnormal increases in traffic for a particular service. An example would be to track abnormal proportions of de-authentication messages to the number of handsets in the network. Spikes in the number of de-authentication messages would indicate suspicious denial of service behavior and would alert the user to a hacked or compromised network element.
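The ratio check described above can be sketched as follows. This is an added example, not code from the article or from any fraud management product; the interval counts are constructed, and the thresholds (`window`, `k`, `min_ratio`) are assumptions to tune per network.

```python
from statistics import median

# Constructed sample: (interval label, de-authentication frames seen, associated handsets)
SAMPLES = [
    ("09:00", 12, 400), ("09:05", 9, 410), ("09:10", 14, 405),
    ("09:15", 11, 398), ("09:20", 13, 402), ("09:25", 10, 407),
    ("09:30", 960, 395), ("09:35", 1480, 120), ("09:40", 15, 390),
]

def deauth_alerts(samples, window=6, k=6.0, min_ratio=0.25):
    """Return labels of intervals whose deauth-per-handset ratio spikes.

    A ratio is a spike when it exceeds both an absolute floor (min_ratio)
    and median + k * MAD of the previous `window` non-alerting intervals.
    """
    history, alerts = [], []
    for label, deauths, handsets in samples:
        # Handsets drop off during an attack, so guard against dividing by zero.
        ratio = deauths / max(handsets, 1)
        if len(history) >= window:
            base = history[-window:]
            med = median(base)
            mad = median(abs(r - med) for r in base) or 1e-6
            if ratio > min_ratio and ratio > med + k * mad:
                alerts.append(label)
                continue  # keep attack intervals out of the baseline
        history.append(ratio)
    return alerts

if __name__ == "__main__":
    print(deauth_alerts(SAMPLES))
```

Dividing by the handset count matters here: in the 09:35 interval the associated handsets have already fallen, so the ratio keeps rising even as the network empties.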

AIT (Artificial Inflation of Traffic) or Click Fraud
AIT is similar to premium rate service (PRS) scams, but AIT is now increasingly associated with content downloads, where transaction charges are higher than traditional voice services. In this case the fraudster obtains a means to increase consumption of the content service. This revenue-depleting fraud leaves the operator unable to collect fees from the fraudulent connection—but still on the hook to pay the legitimate content provider.

In addition, AIT can manifest itself as a specific type of fraud, commonly known in the search advertising world as click fraud, where the fraudulent PRS content provider drives traffic to a paid content Website. This is done by arming phishing messages or other infecting devices with malware that automatically uses the service, or by hacking an operator’s network and diverting traffic to a content service, similar in nature to the older auto-dialers.

AIT monitoring mechanisms
Most of the frauds relating to artificial inflation of traffic are perpetrated by fraudsters who stand to gain from the payout made by the operators to the content providers. The fraudsters target specific content channels and operators to make their money. AIT is initially identified by an abnormal increase in traffic volume, or a large volume of traffic from a small number of sources, to a PRS number or paid content site. Once identified as fraudulent, link analysis of the sources (callers or visitors) of fraudulent traffic will allow future frauds to be identified much more quickly.
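The two steps described above, first spotting abnormal volume or source concentration and then link analysis from a confirmed case, can be sketched as follows. This is an added example, not code from the article; the events, destination labels, baseline volumes and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed events: (source subscriber, PRS number or paid content site)
EVENTS = (
    [("src-A", "prs-900111")] * 180 + [("src-B", "prs-900111")] * 150
    + [(f"sub-{i}", "prs-900111") for i in range(10)]
    + [(f"sub-{i}", "prs-900222") for i in range(300)]
    + [("src-A", "prs-900333")] * 4 + [("src-B", "prs-900333")] * 3
    + [(f"sub-{i}", "prs-900333") for i in range(5)]
)
BASELINE = {"prs-900111": 40, "prs-900222": 280, "prs-900333": 10}  # usual daily volume

def suspicious_destinations(events, baseline, growth=3.0, top_n=2, share=0.8):
    """Flag destinations with abnormal volume or traffic from very few sources."""
    per_dest = defaultdict(Counter)
    for src, dest in events:
        per_dest[dest][src] += 1
    flagged = {}
    for dest, sources in per_dest.items():
        total = sum(sources.values())
        top_share = sum(c for _, c in sources.most_common(top_n)) / total
        reasons = []
        # Destinations without a baseline are never flagged on volume alone.
        if total > growth * baseline.get(dest, total):
            reasons.append("volume")
        if top_share >= share:
            reasons.append("concentration")
        if reasons:
            flagged[dest] = reasons
    return flagged

def linked_destinations(events, confirmed_dest, top_n=2):
    """Link analysis: other destinations reached by the confirmed case's heaviest sources."""
    counts = Counter(s for s, d in events if d == confirmed_dest)
    bad = {s for s, _ in counts.most_common(top_n)}
    linked = defaultdict(set)
    for src, dest in events:
        if src in bad and dest != confirmed_dest:
            linked[dest].add(src)
    return dict(linked)

if __name__ == "__main__":
    print(suspicious_destinations(EVENTS, BASELINE))
    print(linked_destinations(EVENTS, "prs-900111"))
```

In the constructed data, prs-900333 stays under both thresholds on its own and only surfaces through the link to sources already seen in the confirmed case.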

Eavesdropping
Eavesdropping, the unlawful interception of voice and data communications, is another form of malware, in which the content of text-based messages can be provided to an interested party. Even VoIP calls can be intercepted, with the fraudster conferencing into the call while it’s in progress. Eavesdropping can also be a source of information to enable other fraudulent activities, especially if the call mentions identity and related information.

Eavesdropping monitoring mechanisms
Weaknesses in the Wired Equivalent Privacy (WEP) security standard are addressed to a large extent by upgrading to Wi-Fi Protected Access (WPA). WPA (with 802.1x) is quite secure and protects against unauthorized handsets sneaking onto the network. In addition, the new standard for WLAN security is 802.11i, which is expected to be supported widely. VoIP eavesdropping can be averted by using strong encryption between the communicating parties.

VoIP Bypass
VoIP bypass fraud involves diverting legitimate fixed-line or mobile originating voice traffic into VoIP sessions. This results in a loss of revenue for the terminating operator.

VoIP bypass monitoring mechanism
To help combat VoIP bypass fraud, it is important to employ interconnect and retail monitoring functions. When monitoring interconnect, an operator can look for an unexpected decrease in inbound traffic over total volume without a similar decrease in outbound traffic. Operators also should be on the lookout for unexpected decreases in inbound traffic from a specific operator without a similar decrease in outbound traffic. On the retail front, it’s important to identify subscriber identity modules (SIMs) that generate outbound traffic only, SIMs that are “very busy,” or sudden and unexpected increases in traffic from specific cells.
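The retail indicators listed above (outbound-only SIMs, very busy SIMs, and traffic surges from specific cells) can be screened from call detail records as in this added example, which is not code from the article. The records, cell baselines and thresholds are constructed, and treating both SIM indicators together as the stronger signal is an assumption of the example.

```python
from collections import Counter, defaultdict

# Constructed one-day CDR summary: (SIM id, direction, serving cell)
CDRS = (
    [("sim-1001", "out", "cell-17")] * 420
    + [("sim-1002", "out", "cell-17")] * 390
    + [("sim-2001", "out", "cell-04")] * 12 + [("sim-2001", "in", "cell-04")] * 9
    + [("sim-2002", "out", "cell-09")] * 3                     # quiet, outbound only
    + [("sim-2003", "out", "cell-09")] * 25 + [("sim-2003", "in", "cell-09")] * 30
)
CELL_BASELINE = {"cell-04": 20, "cell-09": 50, "cell-17": 60}  # usual daily outbound calls

def screen_sims(cdrs, busy_threshold=200):
    """Map SIM -> indicators named in the article: outbound only, very busy."""
    calls = defaultdict(Counter)
    for sim, direction, _cell in cdrs:
        calls[sim][direction] += 1
    findings = {}
    for sim, c in calls.items():
        flags = []
        if c["out"] > 0 and c["in"] == 0:
            flags.append("outbound_only")
        if c["out"] >= busy_threshold:
            flags.append("very_busy")
        if flags:
            findings[sim] = flags
    return findings

def likely_bypass_sims(cdrs, busy_threshold=200):
    """SIMs showing both indicators (assumption: the pair is reviewed first)."""
    return sorted(s for s, f in screen_sims(cdrs, busy_threshold).items() if len(f) == 2)

def surging_cells(cdrs, baseline, factor=5.0):
    """Cells whose outbound volume is at least `factor` times their usual level."""
    out = Counter(cell for _sim, d, cell in cdrs if d == "out")
    # Cells without a baseline are skipped rather than flagged.
    return sorted(c for c, n in out.items() if n >= factor * baseline.get(c, n))

if __name__ == "__main__":
    print(likely_bypass_sims(CDRS), surging_cells(CDRS, CELL_BASELINE))
```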

Illegal Content Resale
Content reselling refers to distributing unauthorized copies of paid content, resulting in reduced revenues for operators and content providers.

Illegal content monitoring mechanism
New standards are available for digital content rights management that help in tracking illegal downloads or expired license content. Fraud analysts need to look for usage patterns indicating content reselling, such as multiple data sessions of similar download sizes.

Mobile Malware
Mobile malware is another emerging fraud category that involves infecting mobile devices with viruses and Trojan horses that can force a handset to perform unauthorized actions, like making calls and deleting or stealing data. Once installed on a device, mobile malware replicates itself and performs undesired activities, such as using network services like SMS or voice to make calls to PRS numbers or to subscribe to unwanted billing schemes; data theft, where the user’s personal phone records such as contact lists and account details are stolen, sent to a third party, and erased on the handset; and launching distributed DoS attacks intent on forcing a legitimate service to fail.

Malware monitoring mechanisms
Operators have a number of ways to monitor for mobile malware. The first is to use network Signature Based Detection Techniques (SBDT) to detect virus signatures in messages and filter them. Tracking high usage of network resources, such as email, MMS and SMS spamming patterns, and blocking affected handsets can also be effective. Another layer of monitoring is to block unusual activities related to unexpected PRS usage, like low-duration calls and overly periodic access to PRS websites. It also is important to encourage use of antivirus software on devices, and to initiate a customer program to educate subscribers about preventive measures they can take to help ward off mobile malware.

Internet Spamming/Phishing
Spam and phishing fraud is quickly migrating from the world of email to telecom message services. This new, high-profile form of phishing involves masquerading as a trusted source in order to obtain access to vital information from a victim. It typically involves messages received from a purported known source asking for information, like login details and other sensitive information. Phishing also can spread through viruses and mobile malware.

Spam and phishing monitoring mechanisms
Awareness campaigns about phishing targeted to the user community could mitigate the impact of phishing sites and messages. Providing customers with educational information on phishing tactics and creating easy-to-use authentication processes for validating incoming message sources, such as a VeriSign signature, are effective means for minimizing spam and phishing fraud.

New Forms of Spam
Spam over Internet Telephony (SPIT) consists of unsolicited bulk messages that are broadcast to phones connected to the VoIP WLAN network. Fraudsters send voice messages (such as PRS callback or even marketing spam) in bulk instead of targeting each number separately. Methods include hacking into a computer used to route VoIP calls to target a large number of subscriber phones.

SPIT monitoring mechanism
Protective measures for SPIT include deploying a fraud management system that can detect large numbers of incoming calls and voice messages from a single or specific block of IP addresses. This provides an indication of the occurrence and source of this type of fraud on the network.

Keeping Ahead of the Perps
The exploitation of telecom infrastructure is inevitable, because it is highly profitable for the perpetrators. New IP-based communications networks are exposed to new Internet-style threats and frauds offering new and easier ways to exploit these organizations. Fraudsters are continually finding new ways to take advantage of the ongoing revolution in the new telecom world. Operators need to be one step ahead by anticipating emerging fraud risks and taking steps to avoid such activities.

Operators must learn from the experiences of the past if they are to avoid serious loss of revenue due to fraudulent activities on their networks. Full security risk assessments and analysis of technical vulnerabilities are essential, as is the review of all products and services to eliminate loopholes and implementation oversights that could be exploited. This aggressive approach—coupled with continuous monitoring of network usage and subscriber behavior patterns—can minimize an operator’s exposure to these real and growing threats.

