
December 2020

PRISM Report on IPRN Trends 2020: An Analysis of the Destinations Fraudsters Use in IRSF & Wangiri Attacks


If conventional wisdom was always correct, there would be no need for scientific investigation.

Back in the 17th century, prisms that create a rainbow of colors were well known.  However, the conventional belief back then was that a prism somehow dyed the white light that passed through it to create a rainbow.

Sir Isaac Newton in England was curious about this problem so he went to work on it using a lamp and prism.  After many experiments, he eventually passed the green light from one prism through a pinpoint hole in a barrier which aimed the green light at a second prism.  And the output color from that second prism was not a rainbow as expected, but only the color green.  In this way, Newton proved that the spectrum of colors is a characteristic of white light itself.


When Colin Yates headed up the Fraud Department at the Vodafone Group in the 2010s, he and his team conducted their own scientific investigation in search of a better way of detecting Wangiri and International Revenue Share Fraud (IRSF).  The issue?  Vodafone had no efficient method of gaining an advantage on fraudsters due to two barriers:

  1. Blacklists of fraud numbers were not effective — You could save the phone numbers that the fraudsters used in their IRSF attacks in a blacklist, but unfortunately — even if telecoms shared those blacklisted numbers with each other — the fraudster could simply commit IRSF using new numbers.
  2. Analytic number-crunching was only partially effective in detecting IRSF attacks.  And that meant you had to spend a small fortune hiring lots of fraud analysts to track down and decide if a potential IRSF attack was real or not.

But through a deeper observation of how IRSF fraud is conducted, Yates and his team came up with an insight that would give Vodafone a leg up on detection.  That idea begins by understanding there are two parties in any IRSF attack:

  • The Fraudster (also called the Call Generator) is the party who pumps a massive volume of calls — in a relatively short period of time — through a hacked device (PBX or cellphone) to commit the fraud.
  • The IPRN Provider is the insider party who has control over the destination phone numbers the Fraudster uses to pump its IRSF traffic.  In all cases, the IPRN provider inserts himself into the billing stream or gets a payoff from an insider.  When payment is received from the transit operator, the IPRN Provider then pays the Fraudster the agreed-upon fee and pockets the rest himself.

Now the way the Fraudster and IPRN provider coordinate is what led to the breakthrough.  To remain anonymous, the IPRN provider is forced to advertise his list of IPRNs on a website.  And there are more than 120 such public websites today where the Fraudster chooses its IPRN numbers for an upcoming IRSF traffic pumping campaign.

However, a few minutes before each IRSF attack, the Fraudster must test its numbers to confirm with the IPRN provider that the calls can go through.  And it’s precisely this test call where Vodafone inserted its innovation.

By collecting all the IPRNs advertised across the world, Vodafone created a powerful “early warning” database.  Then, every time a fraudster tested an IPRN, the Vodafone fraud team knew an IRSF attack was imminent so it could block the attack right from the start.

The system worked beautifully, and today the IPRN database has become integral to Vodafone’s method of blocking IRSF and Wangiri.
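The test-call check described above, sketched as an added example (not code from PRISM, Vodafone or this article): call records are matched against a list of advertised IPRNs, and a hit puts the originating line on a watch list so that its following calls can be held for review. The numbers (under the unassigned +999 code), the line names and the 30-minute watch window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: +999 is not an assigned country code.
IPRN_DB = {"+999100200301", "+999100200302", "+999555000111"}
WATCH_WINDOW = timedelta(minutes=30)  # assumption: how long a test-call hit stays "hot"

# Constructed CDRs: (timestamp, originating line, dialed number, duration in seconds)
CDRS = [
    ("2020-11-20 02:10:05", "pbx-ext-204", "+999100200301", 6),    # short test call to an advertised IPRN
    ("2020-11-20 02:12:40", "pbx-ext-117", "+999700000001", 185),  # unrelated line, number not advertised
    ("2020-11-20 02:14:11", "pbx-ext-204", "+999100200777", 610),  # long calls follow from the same line
    ("2020-11-20 02:14:30", "pbx-ext-204", "+999100200778", 598),
    ("2020-11-20 03:30:00", "pbx-ext-204", "+999700000002", 60),   # after the watch window has expired
]

def normalize(number):
    """Reduce a dialed string to +digits so '00999...' and '+999 ...' compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if number.strip().startswith("00"):
        digits = digits[2:]
    return "+" + digits

def screen(cdrs, iprn_db, window=WATCH_WINDOW):
    """Return (alerts, held): IPRN test-call hits, and later calls from watched lines."""
    db = {normalize(n) for n in iprn_db}
    watched = {}  # originating line -> time at which the watch expires
    alerts, held = [], []
    for ts, line, dialed, _duration in sorted(cdrs):  # ISO timestamps sort chronologically
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if normalize(dialed) in db:
            # Early warning: someone on this line dialed an advertised IPRN.
            alerts.append((ts, line, dialed))
            watched[line] = when + window
        elif line in watched and when <= watched[line]:
            # Follow-on traffic from a line that just test-called an IPRN.
            held.append((ts, line, dialed))
    return alerts, held

if __name__ == "__main__":
    alerts, held = screen(CDRS, IPRN_DB)
    print("IPRN hits:", alerts)
    print("Held for review:", held)
```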

Then, when Colin Yates retired from Vodafone a few years later, he teamed up with FRS Labs in India to launch PRISM, an IPRN database that any operator could lease for about $7,000 a year with bi-weekly updates.

When PRISM was launched back in 2013/2014, the database had some 70,000 numbers and now — as of 20 November 2020 — the number has grown to over 6.2 million numbers.  And 70+ operators around the world use it.  Many of them claim the IPRN database successfully detects between 50 and 80% of traffic pumping attacks.

Well, Colin Yates has just completed his customary end-of-the-year Report on IPRN trends.  And just before Colin could put on his swimming shorts to enjoy New Zealand’s summer holiday, I contacted him to share with us his latest IPRN findings.

Colin, great to connect you again with Black Swan readers.  What’s the methodology behind your IPRN Trends Report?  And what are some of the trends you’ve discovered?

Colin Yates: Dan, we are actively tracking the websites where IPRNs are advertised.  And since we collect fresh data every two weeks to update PRISM, I like to analyze the data to see what trends we can find in terms of growth or decline in specific country destinations where telephone numbers reside.

We currently track 230 country destinations in PRISM and I’m going to present some charts that highlight the countries that have the highest number of IPRNs.

Yet aside from whatever Top 10 or Top 20 analysis I’m going to show, any IPRN number in any country destination — high risk or low risk — is a risky number and could lead to substantial IRSF or Wangiri fraud losses.

So let me discuss our major findings one by one.

1. Huge Growth in IPRNs being Advertised

The most alarming trend in the data is the year-over-year increase in number of IPRNs being advertised worldwide.

In April 2020 there were 3 million IPRNs advertised vs. only 1.1 million in April 2019.  That’s almost a 3X increase in IPRNs!

On a worldwide scale, the continent of Africa continues to be the region with the largest number of IPRNs.  Actually our Report finds there’s been very little change in the overall distribution of numbers across the continents although Oceania, with an 84% increase, grew substantially less than other continents.

Number of IPRNs Advertised by Continent April 2019 vs April 2020

What do you feel is the cause of this extraordinary increase in IPRNs being advertised?  Do fraudsters need a larger set of numbers so they can keep their thresholds lower and avoid detection?

Most IPRN Providers are competing for business, and I feel that some have a view that the more numbers they advertise, the more choice they offer to their potential users, which makes them more attractive as an IPRN Provider.

Also, if a carrier blocks a country code or a range within that country code, they can’t block every potential IRSF number without impacting legitimate revenues.  IPRN Providers want to have sufficient number stock to provide sufficient choice to their potential users so they do not have to go to another site to find number ranges that have not been blocked when doing their call testing.

2. Changing Destinations for IPRNs by Country

In the first four years (2013-2016) of our PRISM journey, the top 10 high risk country destinations didn’t change much.  These countries — Latvia, Cuba, Lithuania, Somalia, and more — accounted for 46% to 50% of all numbers in PRISM.

But around 2017, this profile began to change.  The reason is CSPs got a lot better at monitoring and blocking calls to these high-risk destinations to avoid fraud losses.  So fraudsters got active in changing their IPRN schemes.

In the last 4-year period, the percent of IPRNs in top 10 high risk destinations has dropped considerably: in our November 2020 report, these 10 destinations are now responsible for less than 15% of the 6.2 million numbers in PRISM.

In fact, the Top 10 list now includes four countries who have never been in the Top 10 before: the United Kingdom, Iraq, Afghanistan, and Sri Lanka.  See the chart below.

Top 10 High Risk Destinations 2018 To 2020

Colin, so what should an operator’s strategy be?  In years past, you could rely on a few countries to be risky and they were small countries.

But look at the new countries on the list today.  You’ve got the United Kingdom on top.  And other new ones in the Top 10 are Iraq, Afghanistan, and Sri Lanka.  All these countries have good sized populations.

Is the point you can no longer rely on rule-of-thumb blocking of certain countries?

Correct, Dan.  To use PRISM effectively, we recommend our users put some thought into how they are going to utilize these numbers.  For example, in the 2020 high risk destinations above, the UK is way out in front with the highest quantity of IPRNs advertised.  No carrier can take the risk of blocking the UK, and it will be a popular calling destination from every other country.

Other countries in that top 10, such as Iraq or Algeria, may only have a few legitimate calls a month from some smaller carriers, so they could take a different approach without having a negative impact on the business.  Fraud Management generally requires support from all of the business and implementing a blocking or monitoring strategy based on PRISM numbers also requires this business support.

3. Most IPRNs Advertised Analysis

In the next chart we have a High to Low list of Destination Countries who have the highest total IPRNs advertised in November 2020.  The numbers in the 2020 ranking column show the position each of those countries sits in the November 2020 risk profile, and the entry in column 4 is their ranking on 20 November 2019.

Of these 20 destinations, only 1 (Afghanistan) is in the “highest growth” category.  It’s also interesting to note that the highest risk destination from 2019 (Latvia) only increased their numbers by 33% over this year.  Cuba, Number 2 in 2019, decreased by 8%; Lithuania, at number 3 in 2019, fell 55%, all against an average increase across all destinations of 148%.  Likewise, 9 of the top 20 destinations did not make this list 12 months ago, which seems to confirm our view that the global destination risk profile is changing.

Top 20 Countries in Total IPRNs Advertised in November 2020

 

For what reason are IPRN providers flattening the distribution curve of IPRNs across the globe?

Well, we feel the IPRN Providers are changing their number stocks to try and avoid providing numbers in destinations that are being blocked.  They know that through industry organizations such as the GSMA, CFCA, RAG, etc., IPRNs used in fraud attacks are being shared, and consequently blocked.

IPRN Providers know that it is pointless to keep advertising numbers or destinations that have been used previously, and are likely to now be blocked.  As they identify their own numbers that have been blocked, they remove these from their lists and replace these with new numbers, and frequently new countries that may not be blocked.

4. Recently Added Numbers are Significant

Two years ago we found it prudent to increase our PRISM database updates to twice a month.  During the year December 2019 to November 2020, we added 6.4 million new numbers to PRISM.

The new numbers for November 2020 are shown in the chart below.

Note that only 5 of these destinations were in this top 20 new number list during November 2019, and only 9 of these are in the top 20 highest risk list.  New numbers are significant because — as a general rule — the new numbers added in current and previous months are the ones most likely to be used in any current IRSF attack.

Top 20 Countries Highest Number of IPRNs Added in November 2020

Thanks for this update, Colin.  It’s highly interesting.  And it’s great to keep up with IPRN trends: it gives us some clues on the aggregate direction the criminals are moving.

NOTE to Readers: In late 2019, Colin Yates and I got together to write a Black Swan Solution Guide that provides a deep dive analysis of IPRNs and Colin’s PRISM Database.

The value of PRISM is not so easy to grasp at first glance because it requires a knowledge of IRSF and Wangiri fraud — and the larger fraud control process.  However, the Guide lays it all out across 14 pages with Colin Yates’ commentary.

To download the free Guide, click the image at right.

Copyright 2020 Black Swan Telecom Journal

 
Colin Yates

Colin started his working life in Law Enforcement in New Zealand, then after 18 years moved to a Risk and Fraud Management role in Telecom New Zealand.

After 12 years there, he moved to Vodafone New Zealand and for the next 12 years had roles with Vodafone in New Zealand, Australia, Germany and the UK, leaving Vodafone in 2012 as Group Head of Fraud Management and Investigations, having had responsibilities for managing fraud and investigations right across the Vodafone footprint.

Colin has held Management positions in the GSMA Fraud Forum, CFCA, FIINA and Pacific Partners.

He is currently managing his own firm, Yates Fraud Consulting Limited which consults back to industry operators to review their Fraud and Revenue risk maturity.  He also manages an IPR Test Number database currently in use by some of the world’s largest operator groups.

Colin is a Certified Fraud Examiner (CFE) and is also a Fraud Adviser to PITA (Pacific Islands Telecommunications Association).   Contact Colin via
