1. Technology and Method behind Cross-border
Fraud Investigation in Telecom and Internet
How to Combat Cyber Crime Effectively
2. Fraud Crime Cases through Telecom and
Internet
Challenges
Trace Communication Route and Obtain
Related Data
Case Study of the Recent Investigation on
Cyber Crime
Conclusion
Outlines
2
4. Traditional crime
with the cutting
edge technology
Crime
globalization
Hard to analyze
large volume of
complicated data
during investigation
Crime toward
seamless
processes
and delicate
organization
Emerging type of fraud
crime cases through
telecom and Internet
and its associated
features
4
5. 5
With mobile, Internet, IP phone, mobile Internet access or other value-
added telecom services, swindlers commit more crimes easily; However,
by whatever advanced technology and tool they use, the nature of their
crimes always stays all the same. We still need to profile such crimes by
the analysis on conditions, mindset, and behavior of crime.
Traditional Crime with Cutting Edge Technology
Traditional Crime
Advanced
Technology
Emerging type
of Crime
6. 6
Crime Globalization
As applications and services of telecom technology and
Internet are developing rapidly and pervasively, people are
also familiar with those services. Fraud crimes through
telecom and Internet, which are just like contagious
diseases, may widespread globally by networks.
7. 7
Globalized Crime Issue
Borderless Internet makes crime behavior more globalized. Through the Internet and
cloud computing, communication in swindler group can be enhanced and anonymous.
Because of limitation of state authority and anonymity, it is really hard for state
prosecutors and police to take investigation on the entire crime activities.
Thailand
North America
China/HK
Japan
South Korea
Taiwan
Swindlers
Vietnam
Cloud Computing = Network Computing
Through Internet, computers can cooperate with each
other, or services are available more far-reaching
8. 8
Hard to analyze large volume of complicated data
There is often large volume of data or information (such as phone multiple
transfers) produced by telecom and Internet fraud crimes because of
converged IT network and telecom routes. In reality, such huge amount of
data is acquired from multiple service providers. Investigators must apply
multiple orders from court in advance to connect with data from those
service providers.
(for example: If there is phone transfer between 2 operators, investigator must request both to
provide CDR information and call content by 2 orders from court ahead of time, and integrate all
information for further analysis.)
Therefore, it is no way to cope with such telecom and Internet fraud crime
only by tradition way of comparing, claiming or tracing targets manually. It is
the best way for investigator to adopt several effective software tools to
analyze such huge amount of data.
9. 9
Converged ICT Communication Routes
IT Network
Telecom
Network
Cross Border
Domestic
Illegal Transfer
Internet D
Internet E
Telecom
Network A
Fixed
Network B
Mobile C
Illegal DMT by
ISP
Illegal ISP
10. 10
Crime toward seamless processes
and delicate organization
It is a nature trend that group crime
is toward seamless process and
delicate organization. There is very
clear hierarchy of role and
responsibility (R&R) for leader,
telecom engineer and service staff
in crime group. They never mix the
use of phones for crime and private,
and adopt one-way contact in order
not to be cracked with whole group.
Such crime model can be easily
duplicated. Fraud crime group often
splits into small ones, forms new
gang, commits more crimes, and
exchanges information and new
techniques of fraud.
Swindler
Group
Telecom
Internet
Finance
R & D
Telecom
contact
Private
collection
Jump
board
Cash flow
ATM
Operation
New crime
Recruiting
Monitor
Police
11. 11
Common Features
Converged ICT
technologies in daily life
and not far above police
head
Telephone as primary
communication during crime
commitment
Skillful at all Internet and
telecom services but not
familiar with operations
behind and LI by police
Faults can be tracked
from human behavior
Telephone
Criminals
(Group)
Converged
ICT
Technologies
Skillful at
all
services
Faults by
human
13. 13
Hard to
Identify
Criminal
Hard to Track
Cross-border
Phone
Hard to Find
Foreign Proxy or
Router as Jump
Board
● By new technologies (like IP phones), it is
hard to intercept their calls with existing
equipment. We need professionals and
suppliers to find the way out
● Looking for cross border cooperation or
other related clues if no cooperation
● VPN, Foreign Proxy as Jump Board for
criminals may be hidden behind deeper in
Internet
14. 14
Large Volume of
CDR, and Hard to
Take Analysis
Wrong CDR or
Missing Partial
Data
Hard to Track
Calls with
Dummy
Accounts
● Analyze data and find the key information
by text mining and data warehousing
● CDR is for billing management of ISP, and we
must find how it is happening and analyze the
reason
● Find source and links, and know the key
point by technical assistance and help from
ISPs
16. 16
The way of investigation on fraud crimes behind telecom and Internet is the same
with the one on traditional crimes. All the techniques are not for specific case,
but can be used flexibly by need.
Check Post
Deployment
Archive Look-up
Tenant Interview
Tracking
Lawful Intercept
Warrant & Confiscation
e-Positioning
17. 17
Gap between Physical and Cyber Crimes
Physical Crimes
Cyber Crimes
Clues
Evidence
collection &
investigation
Enforcement
Sourcing
clues
Analysis &
highlight
Evidence
collection &
investigation
Enforcement
Different sources dealt by police:
hard to get clue (don’t know how to
do it), and no way to trace!
•Finance Record
•Interview(Video)
•CDR, LI
•Informers
•others
•human:apprehend arrest
•place:warrant, confiscate
•Crime side
(web or tool)
•non-Crime side
(Social network)
•others
excluded
(Useless)
•Lock
activities
(by Account)
•IP tracking
•Finance Record
• CDR, LI
•human:
apprehend,
arrest
•place:warrant,
confiscate
18. 18
Quest for Investigation on Cyber Crimes
Tenant List
Credit card、
Insurance
Cable TV、
Broadband
Internet googling
165 voice signature
Finance
Transaction
Shipping
List
Immigrant
Labor
Insurance
Property Tax
Car Meter
Record
Co-prisoners
Crime
Record
Relatives
Resident
Information
Car Plate
CDR
Cross Check
Find Links
19. 19
There is no difference between cyber crime and traditional crime in nature.
With the advantages of convenience, anonymity and mobility of telecom
and Internet, criminals are able to disguise their command center and
disrupt the direction of investigation. Lawful enforcement officers need to
make more effort in studying crime model and finding the way out to combat
criminals.
1、Set up dedicated
database for
information collection
and analysis
3、data
organization and
link analysis by
software
2、clear about
crime tool and
method, and
find the key
point
20. 20
Process Flow for Investigation
Follow-up
Primary data
sourcing and
collection
Suspect arrest
and evidence
collect
Further
Investigation
Primary data
study and
further
collection &
sourcing
21. 21
Primary data
sourcing and
collection
Primary data study
and further collection
& sourcing
Further
Investigation
Suspects arrest
and evidence
collection
Follow-up
● A1 clue、informer、case claim、daily crime
information collection and integration,
sourcing
● Study primary data, cross check databases
in Police Department, googling in Internet
and confirm crime type in order to prepare
investigation
● Phone record, check post、lawful intercept,
tracking, location positioning, knowledge of
crime organization and members
● Arrest all suspects, confiscate all evidence,
check all computers, telephone record,
booking record…etc.
● follow-up investigation on related targets &
evidence and hunting for clues from other
members to combat all gangsters
22. VoIP based Interception and data interception of
other 150 Internet services
Flexible implementation in multiple telecom
operators
Intercept all VoIP routes from different sources
simultaneously
Collect original pcap as well as reconstructed voice
data for evidence in court
Support all common VoIP protocols such as
G.711a-law, G,711µ-law, G.726, G.729, iLBC
Meet the requirement of state LI Law, ESTI
standards
22
23. LAN Internet Monitoring, Data Retention, Data Leakage Protection
& IP Network Forensics Analysis Solution
Solution for:
Route of Internet Monitoring/Network Behavior Recording
Auditing and Record Keeping
Forensics Analysis and Investigation,
Legal and Lawful Interception (LI)
VoIP Tactic Server & Mediation Platform
FX-30N
FX-06
FX-100 FX-120
E-Detective Standard System Models and Series (Appliance based)
25. Play back of reconstructed VoIP audio file using Media Player
Callee
Phone #
Caller
Phone #
IP Address
Duration
Date
& Time
26. Source IP Address
Telephone number of caller
Telephone number of receivers/victims
Date & time of calls
Duration of calls
Call content
26
27. 27
Case Study of the
Recent Investigation
on Cyber Crimes
Lessons and Experience
28. 28
Real Case on VOIP Investigation
The most common tool by swindler
group is telephone. While arriving
the telecom room of criminal,
sometimes police can’t do anything
because they know nothing about
these equipments and can’t track
IP phone source from Internet.
Problem Here:
29. Group and Billing Systems
Account information in SIP
Gateway or IP-PBX Servers
Detail CDR from SIP Gateway or
IP-PBX Servers
29
30. 30
VOIP Tracking from Swindler Group –
Group and Billing System
Group System-Random to Call
Billing System-Call CDR
32. 32
VOIP Tracking from Operator –
CDR of SIP Server
Callee ID and CDR of IP phone from ISP
Callee VOIP ID Caller Callee VAD Srvc- Redial
Initial Time Ans Time End time Interval
IP of VOIP ID
33. 33
Key Points of Investigation
1) Aggressively hunting for intelligence
2) Don’t give up any follow-up opportunities,and
carefully analyze any useful information
3) Active Lawful Intercept:tap into suspected lines,
intercept phone number and IMEI, phones in China,
interview resident houses, and clarify criminal
organization, identity and location
34. 34
34
Experience
1) familiar with law and regulations, understand what the target is and
what the key evidence is. For example: find Chinese victim information
and testimony through cooperation with Chinese Police after breaking
cross-strait swindler group in Taiwan. Otherwise, these criminal will be
non-prosecuted or non-guilty sentence by court.
2) Telecom equipment supplier, telecom shop, network engineer, telecom
engineer, telecom sales …network and telecom professionals usually are
aware of information and location of suspects.
35. 35
3) Understand calling flow, and accounts of swindler group from operators
side in order to find more background information from CRM and
billing systems
4) Active Lawful Intercept:Tap into suspected lines, intercept phone
numbers to China
5) Carefully Trail down: Prepare information (Time, place, behavior) in
advance, trail by segment (not to expose self), identify criminal from
different sides
6) Use confiscated computers for investigation to find more strong evidence
Experience (continue…)
37. 37
1) It is quite nature for criminal to use advanced ICT technologies.
Human is the key of every crime act. Although there may not be
fault in technology itself, human may make mistakes by using it.
Investigators are able to find the way out and combat these
criminals
2) Enhanced on-job technical training for police to promote
capability of investigation and understanding of criminal law
3) From viewpoint of investigation, more horizontal coordination
among all units in order not to waste resources. From tactical
viewpoint, more international, cross-strait cooperation to combat
cross-border swindler group
4) God will help those who work hard for justice