Email a colleague    

June 2015

Mapping the Interconnect Resale Routes of Fraudsters: How a Global Robot Network Detects Voice and SMS Bypass

Mapping the Interconnect Resale Routes of Fraudsters: How a Global Robot Network Detects Voice and SMS Bypass

A few years back, the term “bypass fraud” was practically synonymous with voice fraud via the SIM box.

But the march of network, software, and mobile technology has brought new stealth tools and fresh avenues to deliver bypass fraud.  The effect has been to open the bypass floodgates for fraudsters.

In the SIM box area alone, human behavioral simulation tools have made it devilishly hard to detect bypass SIM boxes via CDR analysis alone.  And SIM Servers are automating multi-national bypass operations by rotating cards from a central bank of SIM cards located halfway around the world from the infected country.

What’s more, bypass is spreading to SMS and is finding avenues through ghost trunks and OTT apps on the smartphone.

One company at the forefront of helping operators deal with the bypass challenge is Araxxe, a managed services firm and an expert in using robotic test call systems to detect revenue assurance and fraud problems.

We are now joined by Xavier Lesage, CEO of Arraxe, who gives us a colorful snapshot of this fast evolving bypass scene.  He not only explains the strategy of the fraudster, but also provides some illuminating case studies to make his points.

Dan Baker: Xavier, pleased to have you here on Black Swan again.  In our last discussion, you explained how useful robots are on the revenue assurance side.  This time we’ll talk about their power in fraud management.  To begin, it would be great to get a quick overview of the Araxxe business.

Xavier Lesage: Certainly, Dan.  We have about 250 test call robots deployed in 150 countries, and these robots are connected to about 1,750 interconnect routes.  So this is a unique source of intelligence on retail and wholesale routes.

And we use this network for two service lines.  The first is in revenue recognition for revenue assurance, billing, and for checking engineering codes, SMS, and making sure they are properly billed to the subscriber.

And our second service line is to make sure voice and SMS are properly routed according to the agreements between carriers.  And it’s using this service line where we detect SIM box fraud bypass and plenty of other types of fraud.

Why do we have these bypass problems in the first place?  What’s the root cause?

Well the simple answer is that bypass occurs when there’s sufficient margin to make arbitrage attractive.  But that arbitrage opportunity is caused by three pressures that all operators face as they do business:

  1. Value Based Pricing Pressure — To optimize their use of expensive networks, operators are forced to set higher prices for one set of customers to offset the lower fees they get from others.  So this causes marketing people to create so-called “hideously complex” offers aimed at very specific segments of their market.  Maybe they create a low cost offer for students and a more expensive, feature-rich plan for business customers.  So the higher rate to businesses opens the door to arbitrage.
  2. Regulatory Pressure — Regulators write interconnect laws that control the price or require higher taxes be paid to particular destinations such as all inbound calls to the country.
  3. Competitive Pressure — To gain an edge over competitors, operator will sometimes create highly attractive promotional offers that can be exploited by fraudsters.  For example, to attract more traffic from pilgrims and migrant workers, a Middle East operator offers an attractive wholesale rate for all calls originating in Saudi Arabia.  The discrepancy between the standard rate and the rate applicable to traffic originating in Saudi Arabia is detected by fraudsters and they will immediately “dress” their voice traffic landing in the said Middle East country by replacing the Calling Line Identifier with a dummy number starting in +966 for Saudi Arabia — and so the traffic will enjoy the discounted rate wherever it comes from!  In our jargon, we call that “CLI Refiling”.

So fraudsters basically take advantage of this complexity.  Now the simplest example is where the interconnect fee is 10 cents for international inbound calls and only 1 cent for in-country retail calls.  Well, a price gap like that makes SIM box bypass very attractive.  So a fraudster can go to the international market and as long as they don’t ask questions about how the interconnect traffic is terminated, they can make a profit selling for 5 cents a minute.

That’s the original idea behind the SIM box, but it’s really the simplest bypass scheme.  There are many other bypass frauds out there involving SMS, ghost trunks, and OTTs.

At first glance, finding the interconnect paths seems like an impossible task given the number of interconnect routes available to the fraudsters.  How does Araxxe gain some leverage in the detection process?

It’s true, the routes are many, the fraudsters are highly intelligent, and they are careful to hide their tracks, but there’s one fundamental weakness that we can exploit to our advantage, and that’s the fraudster’s need to resell.

Let’s say you, as a fraudster, have developed a perfect way to terminate to one network in let’s say, Egypt.  And you terminate at a very attractive price — maybe 2 cents instead of the 10 cents, which is the legal termination rate.

So how does a fraudster exploit this opportunity?  Well, when you think about it, a fraudster’s captive network of interconnect routes is probably very limited, so he’s hungry for distribution.  His dilemma is like the genius who builds a fantastic mousetrap but struggles to get the publicity and distribution channels to sell to customers.

In other words, being a successful SIM box fraudster requires more than a purely technical capability.  The fraudster must be also be well-organized, have contacts, and know how to resell its routes to interconnect carriers, retail carriers, and calling card carriers.  In short, they are eager to resell to any channel that can drive profitable traffic to its SIM Box operation.

So this is where Araxxe come in.  We know that no matter what a fraudster does, their game is to resell.  And because of our wide footprint of robots, we are constantly making calls onto wholesale and retail routes.  And if there’s suddenly a very attractive offer in a particular market, we will buy that top up card or subscribe to this offer ourselves and use our robots to demonstrate how, for example, 20 different grey routes are reaching each network.

You mentioned “ghost trunks” as yet another form of bypass.  What is that exactly?

Well, because we detect SIM box bypass very fast, the fraudsters constantly seek other ways to terminate.

One of those is the ghost trunk, basically an internal interconnect link for sending traffic to a network that’s completely hidden from billing.  It will be declared as an internal trunk within the operator so nobody will bill off it, but it’s really a backdoor for fraud.

If you use a fraud management system and look at the CDRs of subscribers, you will never detect ghost trunks, because the usage is not recorded within the usage of subscribers.  This is why ghost trunks are invisible to the billing and fraud management team.

Ghost trunks highlight the importance of complementary bypass detection solutions.

In particular, fraud management systems (FMS) and test call generation (TCG) teams need to coordinate with each other.  It’s essential to have as wide a view of bypass activity as possible.  Some things are seen by an FMS, but not by TCGs — and vice versa.  This is the reason why when we work for a mobile operator we often spend a lot of time integrating with their existing FMS to understand how they work to refine it.  We also study fraudulent SIM card lifecycle to focus detection and reach the near real-time detection needed by our clients to protect their wholesale revenues.

What do you consider your detection strengths, Xavier?  And what are some of the challenges you face?

Well, certainly our network of 1,750 interconnect routes is our first strength.  A point to highlight: more than 50% of our routes are calling cards and voice over IP routes.  This is crucial because those grey routes have higher infection rates and enable a far quicker detection than with standard GSM routes that also work but are slower to detect the same fraudulent numbers.

And I would say our second key strength is our ability to design algorithms that are efficient.  Let’s imagine you have a perfect network of robots and routes that you are investigating.  The question then becomes: how do I best use those routes to solve the problems of our clients?

The challenge to achieving that goal is you must reconcile two opposing strategies.  On the one hand, to detect SIM boxes very fast you need to make lots of calls.  But at the same time, you need to limit your number of calls to avoid being detected by the fraudsters.

So to get around this dilemma, we have developed some algorithms we are extremely proud of.  The idea is to constantly adapt the intensity of our probing depending on the situation in the network.

For example, we work in many Muslim countries.  And many of the people who live in those countries immigrate to other countries and return back home during Ramadan.  So we design specific call campaigns for the Ramadan period to ensure that we detect plenty of SIM boxes just at the time that the networks are at peak traffic.  This capability is very important to our clients in the Middle East and North Africa.

Likewise, in Latin America, Mother’s Day in May is a huge celebration.  So there are plenty of calls being made at this time.  Once again, we designed some specific campaigns at these times to raise the protection for our clients.  So it’s an adaptive thing.

With your network of robots, it may be possible to detect patterns that would lead you to the actual fraudsters themselves.

Dan, I am friendly with a exec at a Middle-East operator who once told me that his experience with SIM box and bypass fraud is that one should not try to find who is responsible for the fraud because it often leads to terrorism, money laundering or the army.

I think this advice is wise.  Detection needs to be completely on the technical level.  So we never look at who is responsible for what.  We are not the police: we are a vendor who helps our clients make more money.  We are there to efficiently protect their network, not to save the world.

Strange things happen in this SIM box world.  When we work in the Caribbean, we detect a lot of bypass where the SIM boxes are located in Venezuela.  Now this is very odd because the operator needs to initiate an international outbound call from Venezuela to the Caribbean country, so it’s expensive.

In fact, we found the fraudster was actually operating at a loss.  They were selling something on the international market for 10 cents knowing full well that it costs them 20 cents.

It doesn’t make sense until you understand the motive.  The SIM box scheme was being used to get money out of Venezuela to bypass exchange controls: fraudsters were paid in dollars outside Venezuela but were spending in Venezuela’s Bolivar currency.  So this was a highly unusual case.

Though most of your fraud control business is detecting bypass in nations of the developing world, I understand you recently discovered a bypass operation in France and another by a well known on-line taxi company.

People believe there’s no bypass fraud in France.  They say, there used to be SIM box fraud in Europe, but it’s been cured.  Termination fees in Europe used to be high, but now that they are low, no SIM Box fraud is occurring.  That’s conventional thinking.

However, I can tell you that only last month we detected a fraudster with 1,000 SIM cards it used to send SMS.  The scheme works on the same principle as it does for voice.

Now 1,000 SIM card is a pretty substantial operation.  More than 500 SMS were sent by each SIM card per day.  International SMS often leads to an interconnect charge of 5 euro cents.  We calculated that the average loss to the operator was above 1 million euros of net loss per year..

There are a growing number of fraud schemes in SMS.  For instance, you are no doubt familiar with Uber, the international taxi and private vehicle renting service.  It’s a big commercial success and a wonderful company.

Uber also sends a lot of SMS.  When you order a taxi from Uber, they notify you via SMS.  And the SMS will tell you when your taxi has arrived.  So Uber has millions of SMSs to send to people in France, Germany, Italy and the UK.  The legitimate market price for terminating SMS for application-to-person is between 2 and 5 cents per SMS in Europe.  To bypass these SMS termination fees, Uber notification SMSs transit through international SIM Box equipped with SIM cards from UK mobile operators — so they foot the bill!

There are a lot of wholesale operators, say in Argentina, who will negotiate an SMS agreement with a big name like Facebook because they are proud to sign an agreement with a famous company.  But, in fact, these agreements are often used by other people to bypass the termination of marketing messages.  So they make money by reselling termination SMS to a given network.

So you see, there are all sorts of schemes for using the telecom network without paying for it.

Xavier, thanks for this excellent briefing.  The case studies you cite are fascinating, and your comments have certainly broadened our outlook on bypass fraud.

Copyright 2015 Black Swan Telecom Journal

Xavier Lesage

Xavier Lesage

Xavier Lesage is president of Araxxe, a managed services firm that uses robotic test call systems to detect revenue assurance and fraud issues.

Prior to joining Araxxe in 2005, Xavier managed major revenue assurance and billing programs at Accenture for telecom clients such as Orange, Vodafone, Telecom Italia, AT&T and Liberty Global.   Contact Xavier via

Black Swan Solution Guides & Papers

cSwans of a Feather

Related Articles