The Early Warning Power of IPRN Test Call Detection in Blocking IRSF Fraud

International Revenue Share Fraud (IRSF) remains the primary means criminals use to defraud telecoms of many billions of dollars per year.

Just one successful IRSF attack can easily cost an operator or enterprise $50,000 after only a weekend of massive calling to high-tariff numbers around the globe.

However, in recent years, fraud management (FM) experts have learned to protect themselves better by detecting the test calls made to International Premium Rate Numbers (IPRN) prior to fraudsters launching their IRSF attacks.

To explain the importance of IPRN test calls and the value of detecting them via commercial databases, I spoke with Colin Yates, a leading FM consultant and the former head of Fraud Management at Vodafone.

	Dan Baker, Editor, Black Swan: Colin, to begin, it seems odd that fraudsters would openly reveal the test call numbers used prior to launching an IRSF attack.  Why do they do that?

Colin Yates: Dan, the fraudsters use test calls because it’s a practical necessity.  Before a fraudster commences his IRSF attack, he needs to confirm that the device he’s using to make the calls (through stolen handset/SIM card, hacked PBX, etc) and the country he’s calling from permit calls to terminate in the IRSF country.

The test call typically lasts one minute or less, and is placed immediately prior to an IRSF attack, or is mixed in with the fraud records as the fraudster is preparing to change his calling destination.

	OK, excellent.  Now before we get into the details of how IPRNs and test numbers are employed, can you review for us the basic flow of criminal operations in IRSF fraud — it’s rather complex.

Dan, it’s easier to understand if you break the fraud down into the roles of the three key parties who must coordinate to pull off a successful IRSF attack:

The Call Generator (often called the Fraudster) pumps a massive volume of calls — in a relatively short period of time — through a hacked device (PBX or cellphone/SIM).  Those calls are sent to high-tariff telephone numbers across the globe.  The Call Generator may also manage global traffic flow through transit operators, some of whom may be in on the fraud.  However, managing the global traffic flow may also be completed by the IPRN Provider. 

The Hacker uses brute force hacking of passwords to break into the PBX machines, or they steal cellphones and SIM cards — the devices to pump fraudulent call through.  The Call Generator often pays the Hacker a fixed fee for the password for a PBX or for a particular mobile device.

The IPRN Provider is the insider party who has control over the destination phone numbers within the country the Call Generator calls into. 

The numbers called can be those allocated to a type of 900-number/ information service, or an unallocated set of numbers.  Some may be provided to him by the number range owner.  Other numbers may be simply misappropriated, or hijacked and used without the number range owner’s knowledge. 

In all cases, the IPRN provider inserts himself into the billing stream or gets a payoff from an insider.  When payment is received from the transit operator, the IPRN Provider then pays the Call Generator the agreed-upon fee and pockets the rest himself.

(NOTE: Not all IPRN Providers are involved in fraud.  Some are run a legitimate business and provide IPR Numbers for billing, content services etc.  Most of these providers monitor their traffic to identify and block fraud).

	Sounds like fraudsters need to coordinate quite a bit.  The Call Generator needs to know what routes are available and the current payoff rates the IPRN Provider is offering.  Meanwhile, the parties want to exchange that information anonymously.

Exactly, and this why the IPRN Provider information is shared anonymously through public websites and online registration forms.

Today there are more than 120 of these websites around the globe.  It’s here where the Call Generators decide which IPRN providers and call destinations they will use.  A typical Rate Card on these sites is shown below:

So in the example above, the Call Generator goes to say, IPRNsite.com, and selects Somalia route S101 as the destination he will pump calls to.

And in the rate card you see that by sending calls to the +252-4412619 number range, the IPRN Provider will pay him 0.2000 USD for every minute of traffic generated into that range.

So the Call Generator will make a test call to 252-44126190 and if that’s successful, he’ll make arrangements with the IPRN Provider to start his revenue share fraud to that number range and obtain more numbers to do this.

Now, there’s generally a time lag of 15 and 60 minutes between the time the test call is made and the start of IRSF call pumping.  Time is needed for the fraudsters to coordinate payment terms and other details with each other.

So given this time delay, you can see why detecting the test number dialled provides early warning of an impending attack.  If this number is known by the originating operator, the number can be “hot listed” as a high risk number, and the IRSF attack can be blocked before it even starts.

	It’s interesting to hear how the fraudsters work with each other to set up an IRSF attack.  So how do operators actually do “early warning” test call detection of imminent IRSF attacks?

Dan, operators need to either track the IPRN websites on their own or work with a commercial firm who maintains an up-to-date IPRN database of global numbers.

For the past 3 years, my company, Yates Fraud Consulting Limited, has teamed up with FRSLabs to harvest these IPR test numbers across the 120+ known IPRN Providers websites.

Our test number database — with almost 400,000 numbers today — is now being used by 40 telecom operators worldwide.  We update the database twice a month — the typical frequency at which IPRN providers update the test numbers on their on-line catalogs.

What’s interesting to note is the increased rate of new IPRN numbers being added to these websites.  In January 2016, for example, we added 9,800 new numbers to the database.  However, in January 2017, new numbers jumped to 27,000.

	And what’s been the experience of operators using your IPRN database?

I think every one of them consider our IPRN database to be a critical tool in their defence against IRSF.  Some have told us the database is stopping 75% of their IRSF attacks.

All of them are using the database to drive a ‘called number hotlist’ which raises an alert once a call is matched to a known test number.

	Is there an objective measure of how successful the IPRN database is in stopping IRSF fraud?

It would be great if an objective measure existed, but fraud data is so scattered that any benchmark would probably not be statistically valid.

However, a number of operators — who have experienced IRSF losses already — have contacted us to see if using our database might have helped them prevent their IRSF loss.

So far, in 100% of the operators sending us their IRSF call records, we found telltale test call numbers in our database.

In one unusually big IRSF case, the operator lost $2.3 million after an attack lasting only three days.  Details of the case are in the diagram below.

	Colin, thanks for this splendid brief on the complexities of IPRN and the value of test call number detection.  Can you tell us how an operator can gain access to your IPRN database?

Sure, Dan.  Access to our PRISM database is available to telecom operators for a modest annual subscription.  The amount can easily be recovered if it assists a new user avoid the loss of just half a day of a modest IRSF attack.  Generally access to our database can be finalised within 24 hours of applying.