Email a colleague    

February 2019

Araxxe on the Art of Deception and Analysis in SIM Box Fraud Warfare

Araxxe on the Art of Deception and Analysis in SIM Box Fraud Warfare
  • All warfare is based on deception.  When you are strong, appear weak.
  • Be subtle, even to the point of appearing invisible.  Be mysterious and make no sound.
  • Hold out baits to entice the enemy.  Pretend disorder, and crush him.

The Art of War, Sun Tzu (6th century BC)

Most commercial software is designed to automate or assist a user perform a certain task, like: bill a customer, take an order, or analyze customer behaviors.

However, creating software to fight fraud is quite a different animal because there’s an intelligent fraudster who is doing everything in his power to block you from accomplishing your task.

Fortunately, we’ve come a long way in recent years — to the point where good analytics software and an updated blacklist of fraudulent phone numbers can take you very far in mitigating International Revenue Share Fraud (IRSF).

But fighting SIM Box bypass fraud is a more complex problem that eludes simple analysis.  A bypass call could terminate — without warning — across millions of potential wireless phone numbers.  Yes, you can try to analyze all incoming phone calls, but that method is like trying to boil the ocean.

Because big data analytics alone is less effective, SIM Box fraud detection requires a lot of intelligent testing, trial and error.  Many possible fraud scenarios must be examined, and the need for human input and expert decisions is far greater.

The wise use of Test Call Generators (TCGs) are simply the best weapon a carrier has to stop SIM box fraud, and here to discuss the subtleties and strategies of their use is Philippe Orsini, Araxxe’s Vice President of Product Development.

Philippe explains Araxxe’s new method of foiling fraudster attempts to detect likely TCG calls via a “white list”.  He then describes how Araxxe detects likely SIM Box fighting effectiveness by analyzing wholesale route pricing trends.

Dan Baker, Editor, Black Swan: Philippe, maybe a good place to begin is to discuss the “white list” and why it’s become an effective defensive tool for fraudsters against TCG detection.

Philippe Orsini: Dan, there’s nothing fancy about the “white list”.  It’s simply a list of all active phone numbers in a particular country.  And having that list is extremely handy for the fraudster to quickly decide which calls are generated by TCGs.

Think about the way a carrier assigns the numbers for use in test calls.  Traditionally the numbers selected are test numbers, i.e. not assigned to a genuine subscriber.  And this is standard practice because carriers don’t want test calls interrupting the customer’s voice service.

However, recently, the use of test numbers has become less effective because fraudsters are using white lists.

For instance, just before the fraudster is about to terminate a SIM Box bypass call, a fraudster notices the number is not on his white list so their system immediately suspects it may be a test call from Araxxe.  So, it blocks the call connection.  Were the call to complete, then Araxxe or another test call firm would know the call connection path of the fraudsters and block it.

So what’s the counter-measure to this white list problem?

Well, the trick is to ensure the numbers we call in our call campaign are on the fraudster’s white list.

By the way, this white list problem doesn’t yet exist in every market, but in countries where the fraudsters use a white list, we have learned to deal with the issue.

What we do is set up specific rules with the operator that require certain technical and security capabilities.

The main difference is that we make test calls to genuine subscriber numbers rather than to test numbers.  For instance, each time we make a test call, we call a different genuine subscriber number (i.e. a number in the white-list).  But before making this test call, we send a request to the operator network to provision a temporary call forward.

This means when we call the subscriber, he is not going to receive a call.  Instead we will receive this call at our robot.

So, in this way, the fraudster can no longer use the white list to detect we are making a B-Number test call.

SIM Box Detection and Anti-White-List Services

Sounds great.  But isn’t there a problem for subscribers when you temporarily call-forward a call using their number?

If the pool of numbers is tens of thousands, Dan, then the odds the subscriber will be impacted is close to zero.

The difficult point is access to the HLR.  We interface with the operator network via secure APIs.  But we of course need approval to use this technique and it all depends on the operator’s policies.  However those operators who are frustrated with their SIM Box problem are eager to take this step.  Conversely, some operators don’t want to tamper with the HLR; but, even in that case, we have alternative technical solutions!

We are using this technique in Africa quite a bit, for instance.

We call from a huge list of subscribers so there’s no calling pattern the fraudster sees.  Besides, we are not spamming customers with lots of test calls.  Usually this means it’s only one such delay per subscriber.  In all, it’s a small price to pay to curb the SIM Box issue.

The only downside is the customer will receive no call at all while the call forwarded call is in progress until the call-forwarding is shut off.

The beauty of this anti-whitelist solution is it’s very effective: first, because it is impossible to counter-detect; and second, it can be run in real-time and enables real-time notification of fraud detection.

We know that the SIM Box fraudsters are dropping their fraudulent traffic in the target country via grey routes — wholesale routes where the owners are either friendly to the fraudster scheme or eager to monetize their wholesale routes regardless of who their clients are. 

Is there a way for Araxxe to narrow down the SIM Box monitoring problem by analyzing these grey routes?

Absolutely, Dan.  And you know, one of the great things about having a large global network of test call numbers we buy is that we have access to the retail and wholesale rates of many communication providers and international carriers.

When it comes to grey routes monitoring, it really makes sense to analyze the termination rates available in the wholesale market.

A couple years ago we decided to exploit this rate-sheet intelligence, so we built a report that analyzes international termination rates towards any countries worldwide.  Then we share what we learn with operators, both customers and prospective customers.

Our reports are very valuable information for fraud teams because it shows what prices the market in a particular country can bear.  In particular we are looking at the trend line of prices.

Over the last few months, what has happened to the termination rate at Operator XYZ?  Has its rate increased or decreased?  And how does that network compare to that of its competitors.

A rule of thumb is that if the termination rates increase, it shows the network is more protected from SIM Box fraud.  Conversely, since SIM box fraudsters keep their prices low, if lots of bypass fraud is terminating in a specific network, the prices to terminate calls in that network generally decrease as the legitimate operator lowers its prices to attract more volume.

So when we compare the trend lines of termination rates across different networks in the same country, it’s a good indicator of how effective the fraud control programs are at these operators.

Do you need cooperation from all the operators in a particular country to create a meaningful report?

No, that is a very good point: we can provide this intelligence without operator cooperation: we simply extract all these rates from the wholesale market.  Our report is a big picture of all the wholesale prices towards a specific country and/or a specific network.

In one country, for example, we track the wholesale prices published by 30+ carriers selling access.  And from that data we can determine if the wholesale prices overall are increasing or decreasing.

And the question is: Are there good reasons for the rise or drop in price?  There could be.  For instance, if the market leader in a country lowers its price, it might be because that operator is in a strong position and wants to gain market share against its rivals.

Bottom line: there is always a bad or good reason for a major price fluctuation.  And once we investigate a significant shift, we are keen to alert our operator customers of that change.

So here at Araxxe we’ve discovered a basic truth about detecting SIM Box fraud:

Reading the Pulse of SIM Box Fraud in a Market

Now when an operator sees that their network has a higher price than their competitors, this makes them very happy.  They say: “The fraudsters are having trouble taking business away from us based on price.”

On the other hand, if we see a specific carrier offering very low prices, it makes sense for us to contact them and propose a test call campaign.  We can probably detect and block a lot of SIM box activity for them.

So having this market intelligence available is a good complement to our fraud control test call generation business.

Thanks, Philippe, for this interesting analysis.  You’ve shown there’s great room for strategies and imaginative thinking when it comes to fighting SIM Box fraud.  Good luck on the fraud battlefield.

Copyright 2019 Black Swan Telecom Journal

Philippe Orsini

Philippe Orsini

Philippe Orsini is VP Product Management at Araxxe, a specialized company providing End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Philippe, who joined Araxxe in 2007, is in charge of product portfolio management and new product creation.  He also manages key client accounts mainly in North Africa and Europe.

After graduating from a top French “Grandes Ecole” and the Universidad Politécnica of Madrid (Spain) in telecommunication, Philippe has been developing strong insight and operational expertise in the communications industry across Europe.

Philippe has spent most of his work experience working at consulting companies, such as IBM Global Services or Accenture.  He has been managing large IT systems implementation projects and in-depth consulting studies in the distribution and telecommunication industries.   Contact Philippe via

Black Swan Solution Guides & Papers

Recent Stories