SIP Fraud Detection – Scenarios and Challenges. Nov 13th 2018 | 3pm London
Today's Presenters
Scott Bicheno, Editorial Director, Telecoms.com
Nuno Pestana, Senior Product Specialist, WeDo Technologies
SIP FRAUD DETECTION Scenarios and Challenges
ABOUT CUSTOMERS, TEAM AND CULTURE
More than 220 CUSTOMERS in more than 100 countries
STRATEGY AND MARKET PRESENCE: #1 IN THE WORLD in Telecom Revenue Assurance and Fraud Management Software (Gartner, Stratecast / Frost & Sullivan, Analysys Mason)
Offices in 10 COUNTRIES and in 5 continents
A team of 600+ people from more than 20 NATIONALITIES
World class reference customers in Telecom, Retail, Energy, Healthcare and Financial Industries
A "WEDO" CULTURE: Proud of being part of this COMMUNITY!
INDIRECT CHANNEL STRATEGY has successfully started with two global/Worldwide partners already certified
AGENDA
- VOIP FRAUD
- VOIP CALLS FRAUD
- SIP FRAUD ATTACKS
  - CDR based analysis
  - SIP messages analysis
VOIP TRAFFIC
Traffic is shifting from Landline to VoIP networks due to lower costs.
Fraudsters are using stealthier and more complex schemes taking advantage of machine and human weaknesses to
- International carriers providing cheaper VoIP routes
- Multiple providers selling IP PBXs, SIM Boxes and VoIP based numbers
VOIP/SIP
SIP is used by most IP PBXs.
As an IP based protocol, SIP is exposed to security issues and can be used by external entities to hack CSP or Large Corporate accounts and PBXs.
If an IP PBX is hacked, several attacks can be triggered (for example IRSF or Wangiri) that can cause high financial losses.
Fraud Detection and Intrusion Detection are usually handled by different teams in the organization (Fraud Team vs
METHODS RELATED WITH VOIP/SIP FRAUD
Subscription Fraud (Identity), Subscription Fraud (Application), IP PBX Hacking, Subscription Fraud (Credit Muling/Proxy), Account Takeover, Abuse of Service Terms and Conditions, Internal Fraud / Employee Theft, Payment Fraud, Phishing / Pharming, Spoofing (IP or CLI/ANI), Abuse of network, device or configuration weakness, Dealer Fraud, Wangiri (Call Back Schemes), Social Engineering, Robocalling, Signalling Manipulation, Voicemail Hacking (Not associated with PBX Hacking), SMS Faking or Spoofing, Pre-Paid Equipment & Services, Mobile Malware, Brand Name / Logo Abuse, IMEI Reprogramming, Clip-on Fraud, SIM Cloning
[Bar chart: relative weight of each fraud method, scale 0 to 2.03]
Many fraud methods potentially include the use of VoIP.
- Between 0 and 25% - Between 25 and 50% - Between 50 and 75% - More than 75% - Not Applicable
WHAT IS SIP?
The Session Initiation Protocol (SIP) is a protocol for signalling and controlling multimedia communication sessions in applications of Internet telephony for voice and video calls.
Call flow: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK, Call/Media in Progress, BYE, 200 OK
SIP HAS MULTIPLE MESSAGES EXCHANGED TO ESTABLISH AND TERMINATE THE CALL
Call Setup: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK
Call in Progress: Call/Media in Progress
Call Termination: BYE, 200 OK
Usually, Fraud Management uses CDR based data (created upon call termination and containing the call details).
EXAMPLE
Wangiri Fraud, also known as Call Back Fraud, is a fraud scenario where fraudsters trigger multiple single ring and disconnected calls (displaying a premium rate number).
Multiple one ring and disconnect calls.
All call attempts made by the fraudsters are not registered in CDRs, making it difficult to detect Wangiri scenarios from the beginning of the attack.
Some of the subscribers that receive the call may call back the originating number, artificially inflating the traffic to the Premium Rate Number and paying the high value of the call.
Victims call back to the PRS.
Using CDRs, only the calls back to the original number may be used for detection.
IS THE TRADITIONAL CDR BASED
... What if the attack is started in a big number of devices at the same time? A huge loss could have happened once those calls have terminated! SIP Signalling Messages could be used to minimize the impact.
- Controls using CDRs - Controls using SIP Messages - Controls using CDRs and SIP Messages - None of the above - Not Applicable
Fraud can start to be detected on call initiation.
A GROSS SIMPLIFICATION
CDRs:
- Primary purpose – billing and charging
- Post event
- Some information not easily accessible – e.g. all SIP message times
- Multiple entities write CDRs or equivalent
Signalling:
- Primary purpose – call control
- Real-time processing
- Controls calls, data, text – can block/allow/interact
- Multiple interfaces & protocols with different info
Both contain: origin, destination, date, time, length of calls, etc.; source IP, destination IP; some additional information
EXAMPLE
Wangiri Fraud, also known as Call Back Fraud, is a fraud scenario where fraudsters trigger multiple single ring and disconnected calls (displaying a premium rate number). Multiple one ring and disconnect calls.
The fraudulent Premium Rate Number will try to do as many call attempts as possible to trigger the call back from subscribers. Call attempts are available in the SIP protocol, enabling a quicker detection in Wangiri or IRSF scenarios.
Immediate detection using INVITE and CANCEL messages: by using the SIP INVITE and CANCEL messages the detection can be done from the first attempt.
EXAMPLE
Typical Detection Rules (multiple one ring and disconnect calls):
- High number of INVITE followed by CANCEL from the same CLI
- Dispersion of called numbers by the same origin
- Origin CLI in known Premium Number/Ranges lists
- Dispersion of calls back to the same Destination number
Immediate detection using INVITE and CANCEL messages.
EXAMPLE OF FLOW WITH CANCELLED CALL
Call Setup: INVITE, 100 Trying, 183 Session Progress
Call Cancel: CANCEL, 200 OK, 487 Request Terminated, ACK
EXAMPLE
Aggregated CDR and Detailed Call Flow
Early signs of activity that eventually will trigger fraud can be detected.
Example – SIP Register Attack:
- Port Scan SIP Port UDP 5060
- Send a SIP REGISTER to the SIP Server: REGISTER, then 200 OK (if no authentication) or 401 Unauthorized or 407 Proxy Authentication Required
- Server responds to the authentication try; the user agent responds with the password in MD5 (digest) format
- Brute force the MD5 hash containing the password
- Authenticate using the
  REGISTER, 200 OK
EXAMPLE
Aggregated Event and Detailed Call Flow
SIP REGISTER FLOODING
Fraudsters aim to collapse Register Servers' response capacity in order to bypass the authentication required by Registers.
Detection Rules: Count of Unauthorized Response Code (401) messages from the same Source IP / Contact Number
PBX HACKING - CONCURRENT CALLS
Once a PBX is hacked, the hacker instructs the PBX to call IRSF numbers (multiple calls) and maintain the communication as long as possible until it's detected.
Detection Rules: High number of INVITE messages simultaneously without CANCEL, BYE messages from the same Source IP/From
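The three signalling rules above (Wangiri INVITE followed by CANCEL with dispersion of called numbers, REGISTER flooding counted by 401 responses, and concurrent INVITEs never released by CANCEL/BYE from a hacked PBX) as an added Python example; this is not code from the presentation or from WeDo's product. The records, IP addresses, numbers and thresholds are constructed, and each record is assumed to carry the user-agent side address of the exchange.

```python
from collections import defaultdict

# Constructed SIP signalling records (not real traffic): (ua_ip, from_cli, to_number,
# message, call_id). ua_ip is the user-agent side, so a 401 sent to a UA is keyed by it.
EVENTS = [
    ("192.0.2.10", "+442070000001", "+442070000002", "INVITE", "ok1"),  # normal call
    ("192.0.2.10", "+442070000001", "+442070000002", "BYE", "ok1"),
    ("203.0.113.9", "+88212340001", "+447700900101", "INVITE", "w1"),  # Wangiri: one
    ("203.0.113.9", "+88212340001", "+447700900101", "CANCEL", "w1"),  # premium CLI,
    ("203.0.113.9", "+88212340001", "+447700900102", "INVITE", "w2"),  # many one-ring
    ("203.0.113.9", "+88212340001", "+447700900102", "CANCEL", "w2"),  # and cancel
    ("203.0.113.9", "+88212340001", "+447700900103", "INVITE", "w3"),  # attempts to
    ("203.0.113.9", "+88212340001", "+447700900103", "CANCEL", "w3"),  # many victims
    ("198.51.100.7", "sip:1001@pbx.example", "", "401", "r1"),  # REGISTER flood:
    ("198.51.100.7", "sip:1001@pbx.example", "", "401", "r2"),  # repeated 401s for
    ("198.51.100.7", "sip:1001@pbx.example", "", "401", "r3"),  # one source/contact
    ("192.0.2.44", "+441632960100", "+25250000001", "INVITE", "p1"),  # hacked PBX:
    ("192.0.2.44", "+441632960100", "+25250000002", "INVITE", "p2"),  # INVITEs held
    ("192.0.2.44", "+441632960100", "+25250000003", "INVITE", "p3"),  # open, no BYE
]

def wangiri_cli_alerts(events, min_cancelled=3, min_dispersion=3):
    """Many INVITEs followed by CANCEL from one CLI, spread over many called numbers."""
    invites, cancelled, dests = defaultdict(set), defaultdict(set), defaultdict(set)
    for _, cli, to, msg, cid in events:
        if msg == "INVITE":
            invites[cli].add(cid)
            dests[cli].add(to)
        elif msg == "CANCEL" and cid in invites[cli]:  # CANCEL of a known INVITE
            cancelled[cli].add(cid)
    return sorted(c for c in cancelled
                  if len(cancelled[c]) >= min_cancelled and len(dests[c]) >= min_dispersion)

def register_flood_alerts(events, min_401=3):
    """Count of 401 Unauthorized responses per (source IP, contact)."""
    unauthorized = defaultdict(int)
    for ip, contact, _, msg, _ in events:
        if msg == "401":
            unauthorized[(ip, contact)] += 1
    return sorted(k for k, n in unauthorized.items() if n >= min_401)

def concurrent_call_alerts(events, max_open=3):
    """INVITEs from one source IP/From still open: never released by CANCEL or BYE."""
    open_calls = defaultdict(set)
    for ip, cli, _, msg, cid in events:
        if msg == "INVITE":
            open_calls[(ip, cli)].add(cid)
        elif msg in ("CANCEL", "BYE"):
            open_calls[(ip, cli)].discard(cid)
    return sorted(k for k, s in open_calls.items() if len(s) >= max_open)
```

The normal call and the Wangiri calls both end with a release message, so only the hacked-PBX source trips the concurrent-call rule; thresholds are parameters because production values are tuned per network.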
LOCATION ROUTING NUMBER / ARBITRAGE
Fraudsters insert fake cheap terminating LRN numbers into their calls when the call will actually be routed to a high cost destination.
The service provider network will charge a cheaper rate to the source network, yet they will have to pay the interconnect costs of the high price destination, which can be up to five times higher.
Detection Rules: Analyse the origination and termination numbers and find strange patterns such as fake numbers, routing IPs, etc.
Incorrect LRN in SIP INVITE: Subscriber – Fraudulent source network (Incorrect LRN, Low Cost) – Wholesale Provider (Correct LRN, High Cost) – PSTN
TOLL BYPASS
Attackers can directly configure a SIP Proxy, Session Border Controller or any other gateway network element, bypassing Authentication, Authorization and Accounting procedures.
Under these circumstances no billing information will be created and the fraud can be undetectable until interconnect bills are presented to the subscriber's service provider.
Detection Rules: Use a white list of known Core Gateways or Trunking network elements; validate unknown registered IPs configured directly, avoiding Register Proxies.
CALL TRANSFER
Fraudsters are able to hack a PBX and instruct the PBX phone to transfer calls to the hacker's phone service. The compromised PBX is used by the hacker to make free long distance or international calls. This fraud can be further exploited by using multiple transfers, which is harder to detect.
Detection Rules: Concurrent Call Transfer:
High number of calls with REFER message simultaneously without CANCEL, BYE message - from Same IP Address/From - With contact number/SIP URI not in Register
INVITE - To International Risky Destination
INVITE - To known IRSF Numbers or Ranges
Flow: Hacker – INITIATE – PBX – INVITE – Softswitch – INVITE – Int. Long
CALL FORWARDING/DIVERT
Hackers are able to compromise portal or voice mail credentials and set an unconditional call forward to high price destinations. A call generator will call the compromised extension of the PBX multiple times.
Detection Rules: Concurrent Diverted Calls:
High number of INVITE messages with Divert Reason Unconditional, Response Code 3*, simultaneously without CANCEL, BYE message - From Same IP Address/From - To/Contact Number/SIP URI field in International Risky Destination - To known IRSF Numbers or Ranges
Flow: Hacker – Call – PBX or voicemail system – Service provider – High cost Destination
SIP BILLING ATTACK
Fraudsters aim to make calls without the subscriber's authorization, or to prolong the duration of the subscriber's call transparently. Both can create elevated levels of fraud, especially when it concerns PRS, IRSF and high price destination numbers.
Detection Rules:
- SIP INVITE message using an old nonce for the same subscriber
- Several Busy Response Codes (486, 600)
- SIP BYE message comes from an unknown IP not used during the entire session
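Two of the billing-attack rules above (an INVITE carrying an old nonce for the subscriber, and a BYE from an IP never seen in the session) as an added Python example, not code from the presentation or WeDo's product. The records, the proxy address and the nonce values are constructed, and the rule treats any nonce other than the latest challenge issued to that subscriber as stale, which is a simplification of real digest handling.

```python
from collections import defaultdict

# Constructed signalling records (not real traffic): (src_ip, subscriber, message,
# call_id, nonce). nonce is the challenge nonce on a 401/407, the Authorization
# nonce on a client request, or None. The proxy address below is assumed.
PROXY_IP = "10.10.0.1"
RECORDS = [
    ("10.10.0.1", "alice", "407", "d1", "n-100"),        # challenge issued
    ("192.0.2.10", "alice", "INVITE", "d1", "n-100"),    # latest nonce: fine
    ("192.0.2.10", "alice", "BYE", "d1", None),          # BYE from a dialog party
    ("10.10.0.1", "alice", "407", "d2", "n-101"),        # new challenge
    ("192.0.2.10", "alice", "INVITE", "d2", "n-101"),
    ("203.0.113.9", "alice", "INVITE", "d3", "n-100"),   # replays the old nonce
    ("203.0.113.9", "alice", "BYE", "d2", None),         # BYE from an IP never in d2
]

def billing_attack_alerts(records, proxy_ip=PROXY_IP):
    """Flags an INVITE whose nonce is not the latest challenge issued to that
    subscriber, and a BYE from an IP that took no part in the dialog it ends.
    Returns (rule, subscriber, call_id, detail) tuples in record order."""
    latest_nonce = {}               # subscriber -> nonce of the most recent challenge
    dialog_ips = defaultdict(set)   # call_id -> client IPs seen in that dialog
    alerts = []
    for ip, user, msg, cid, nonce in records:
        if ip == proxy_ip:
            if msg in ("401", "407"):
                latest_nonce[user] = nonce
            continue                 # the proxy is not counted as a dialog party
        if msg == "BYE" and ip not in dialog_ips[cid]:
            alerts.append(("bye_from_unknown_ip", user, cid, ip))
        dialog_ips[cid].add(ip)
        if msg == "INVITE" and nonce and nonce != latest_nonce.get(user):
            alerts.append(("stale_nonce", user, cid, nonce))
    return alerts
```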
- PBX Hacking - Wangiri - CLI Spoofing - SIP Messages manipulation - Other - Not Applicable
USING SIP SIGNALLING
Challenges:
- High volumes of data – each call has multiple messages
- Availability of signalling information
- Complex information – the same call is available in multiple points of the network with different call ids
Suggestions to handle challenges:
- Focus analysis on critical points, reducing the volumes to be handled: International Calls, Corporate PBXs
- Analyse your network to determine collection points
- Use a combination of CDR based and Signalling based analysis for a
USING SIP SIGNALLING
Quicker fraud detection, immediate action: - Block source of attack (Phone Number, Source IP, Carrier) - Notify victim (PBX owner, customer)
= Reduced fraud window, reduced loss; better customer satisfaction; improved reaction time to new threats
SIP Fraud Attacks may cause severe financial impacts.
You can expand the CDR based analysis with SIP messages analysis to prevent fraud.
CDRs and SIP messages can be consolidated in a single view to cover all fraud cases, origins and impacts.
Q&A