Signaling security solutions are critical for protecting core networks. Telecom fraud these days can take many forms, from pervasive spam to gray routing and SIM farming.
The good news is that it's possible to identify threats and attack scenarios and so gain a solid knowledge of the potential risks. Doing so requires approaching the issues seriously and being aware of the ways to mitigate vulnerabilities.
Watch the webinar to learn the types of SMS fraud attacks and detection techniques. With them, telecom companies can keep threats out and prevent revenue losses.
Do you want to stay ahead of fraud and be protected without fear of costly failure?
The key is to know your enemy!
2. Who I am
Gained Ph.D. in Telecommunication in 2007
Worked 12 years for leading messaging company
Points of interest: Messaging, VAS, Spam, Flood and Fraud, Support, R&D
Work for Positive Technologies since 2019
Signaling System 7 (SS7) security report
Vulnerabilities of mobile Internet (GPRS)
2014 2016
Primary security threats to SS7 cellular networks
2017
Threats to packet core security of 4G network
Next-generation networks, next-level cybersecurity problems (Diameter vulnerabilities)
2018
Diameter vulnerabilities exposure report
2019
5G security analytics
3. Who we are
BANKING, ERP, ICS, WEB, TELECOM
Positive Technologies is a company with over 17 years of vulnerability assessment expertise and named a visionary company by Gartner.
In 2018 Positive Technologies was named a Leading Signaling Firewall Vendor by Rocco Research, with our threat detection and response champion PT Telecom Attack Discovery.
THE LEADING SIGNALLING FIREWALL VENDORS OF 2018
900+ people worldwide and expanding
10 countries: Global Presence
17 years practical experience
4. What we do
Competences:
Identification of threats and possible attack scenarios in companies of any business sphere
Global cybersecurity research
Wide range of products and services portfolio: corporate, ICS, telecom, financial, media, retail, government
National scale sports and government cybersecurity service provider
Worldwide leadership
Web, Banking, ERP, Telecom, IoT, ICS
More IT technologies penetrate into other segments
5. SMS Fraud
SMS Fraud is an intentional deception to secure unfair or unlawful gain
Spam
Flood
Spoof
Phishing
Fraud
Roaming
6. Ways to start
Ways to start are sometimes much more available than they seem to be
Grey routes
Signalling fraud
SIM farms
9. Conventional techniques ...
Spread Sender over multiple numbers using SIM farm, Applications or Botnets
Campaign text variation
Homograph variation
URI camouflaging
Campaign switching
Sender rate filter
Sender volume filter
Exact match filter
Content rate filter
Content volume filter
Keyword filter
10. ...easy to avoid
Campaign text variation
"Do you wanna feel and taste real Jakarta massage? Call me now 088005557240 xxaz"
"Do you wanna feel and taste real Jakarta massage? Call me now 088005557240 xxbz"
Homograph variation
GET REPLICA ROLEX WATCH GET REPLICA ROLEX WATCH 43484541 50205245504C4943
GET REPL1CA R0LEX W4TCH GET REPLIСA ROLEX WАTCH 434845D09050205245504C49D0A14120524
URI camouflaging
http://bit.ly/1C0crhE http://www.harmful_link.com/some_spam.html
http://bit.ly/1dNVPAW http://www.harmful_link.com/some_spam.html
http://bit.ly/1ArcpRU http://www.harmful_link.com/some_spam.html
Campaign switching
Once caught, move to another campaign
11. Let's group the campaigns
Text variant | Text similarity
"URGENT! Your Mobile No 08705482542 was awarded a $100 Bonus today! This is our 2nd attempt to contact YOU! Register with ref code BIXDFQU at www.goo.gl/1C0crhE" | 100% (BASE)
"URGENT! Your Mobile No 08705482542 was awarded a $100 Bonus today! This is our 2nd attempt to contact YOU. Register now with ref code BIXDFQU at www.goo.gl/1C0crhE" | 90%
"URGENT! Your Mobile No 08705482542 was awarded a $100 Bonus today! This is our 2nd attempt to contact YOU! Register now with ref code AHMTSLI at www.goo.gl/1C0crhE" | 80%
"URGENT: Your Mobile Nr 08705482542 was awarded an $100 Bonus Caller today. This is our 2nd attempt to contact YOU. Register now with raf code CIXDFQU at www.goo.gl/1C0crhE" | 70%
"Attention! Your Mobile Number 08705482542 was awarded a $100 Bonus today! We made 2 attempts to contact YOU! Please register at www.goo.gl/1C0crhE with the reference code AHMTSLI" | 40%
"URGENT! We are trying to contact U.Todays draw shows that you have won a $100 prize GUARANTEED. Call 090 5809 4507 from land line. Claim 3030. Valid 12hrs only" | 20%
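Added example (not from the original slides): one way a filter could group the variants from slides 10 and 11 into campaigns instead of relying on exact match. The fold table, regexes, the 0.7 threshold and the token-level similarity measure are assumptions chosen for illustration, so the scores differ from the percentages on the slide.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed fold table: Cyrillic look-alike capitals plus the digit-for-letter swaps 1, 0, 4.
FOLD = str.maketrans("\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425104",
                     "ABEKMHOPCTXIOA")
URL = re.compile(r"(?:HTTPS?://|WWW\.)\S+")
NUMBER = re.compile(r"\d[\d ]{5,}\d")  # phone-number-like digit runs

def fingerprint(text):
    """Reduce a message to tokens that survive cheap per-message variation."""
    s = unicodedata.normalize("NFKC", text).upper()
    s = URL.sub(" URL ", s)      # every link becomes the same token
    s = NUMBER.sub(" NUM ", s)   # mask numbers before digits are folded to letters
    s = s.translate(FOLD)        # REPL1CA and the Cyrillic spelling both become REPLICA
    return re.findall(r"[A-Z0-9]+", s)

def similarity(a, b):
    """Token-level similarity in [0, 1] between two messages."""
    return SequenceMatcher(None, fingerprint(a), fingerprint(b), autojunk=False).ratio()

def group_campaigns(messages, threshold=0.7):
    """Greedy grouping: a message joins the first group whose base message it resembles."""
    groups = []
    for i, msg in enumerate(messages):
        for g in groups:
            if similarity(messages[g[0]], msg) >= threshold:
                g.append(i)
                break
        else:
            groups.append([i])
    return groups

# Sample messages copied from slide 11 (base, two variants, unrelated campaign).
SAMPLES = [
    "URGENT! Your Mobile No 08705482542 was awarded a $100 Bonus today! This is our 2nd attempt to contact YOU! Register with ref code BIXDFQU at www.goo.gl/1C0crhE",
    "URGENT! Your Mobile No 08705482542 was awarded a $100 Bonus today! This is our 2nd attempt to contact YOU! Register now with ref code AHMTSLI at www.goo.gl/1C0crhE",
    "URGENT: Your Mobile Nr 08705482542 was awarded an $100 Bonus Caller today. This is our 2nd attempt to contact YOU. Register now with raf code CIXDFQU at www.goo.gl/1C0crhE",
    "URGENT! We are trying to contact U.Todays draw shows that you have won a $100 prize GUARANTEED. Call 090 5809 4507 from land line. Claim 3030. Valid 12hrs only",
]

if __name__ == "__main__":
    for group in group_campaigns(SAMPLES):
        print(group)
```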
12. Finding the verge
[Chart: Traffic distribution. X axis: MSG/DAY, 0 to 5000. Y axis: BURST FOR 300 S WINDOW, 0 to 140. Areas: Human behaviour, Anti Flood match, Spam detection. Marked: Max. Daily limit, Const rate limit, Burst rate limit, Bursting SIM farms, Constant rate SIM farms.]
13. Being smart
Find the fastest rate possible before it gets blocked by any anti-flood solution
Loop to verify message has been accepted and delivered
Distinguish between human and robot
Rate checker
Canary account
Social diagram
14. Adaptive techniques
Combine all together
All is triggered by Volumetric
Focus on Originated address
Focus on Fingerprint of the message
Focus on URL in the message content
Focus on Phone number in the message content
Temporary or permanent ban
Repeating suspicious pattern in one or more filters leads to blocking of message
15. SMS firewall position
SMS layer
FW is triggered by SMS-C via SMPP or Diameter
SMS-C already spent some resources
SMS-C may be overloaded by huge incoming traffic
Even if the traffic is supposed to be dropped, it has consumed licenses and network resources
Signalling layer
FW receives the traffic by STP overlay or FrontEnd proxy
Any suspicious traffic is dropped on the border (STP)
SMS-C is not abused by detected/blocked spam
17. Further SMS analysis
No. | Attack name | Attack description
1 | Inconsistent SMS source | Sources of the SendRoutingInfoForSM and ForwardSM signaling messages related to the same short message are different. This indicates an attempt to bypass an inter-operator charging system.
2 | ForwardSM (open SMS-C) | A short message of an outbound roamer was sent to an open SMS-C instead of the home one in order to bypass short message charging in roaming.
3 | ForwardSM (incorrect OA format) | A mobile originating SMS was sent with an incorrect address format of the SMS-C or MSISDN parameters in order to fool an inter-operator charging system.
4 | ForwardSM (Home SMS-C spoofing) | A mobile terminating SMS was sent with a spoofed SMS-C address, using an address from the system owner's range, in order to bypass an inter-operator charging system.
5 | ForwardSM (foreign SMS-C spoofing) | A mobile terminating SMS was sent with a spoofed SMS-C address, using an address from a foreign range, in order to bypass an inter-operator charging system.
6 | ForwardSM (A2P SMS) | A mobile terminating SMS from an external connection contains a TP-originating-address in Alphanumeric format in order to bypass charging of the A2P SMS traffic.
7 | Spoofed MO SMS sender | In MO-ForwardSM, the SCCP CgPA does not correspond to the address of a node where the subscriber is registered. This can be an attempt to spoof the SMS sender address.
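Added example (not from the original slides or any Positive Technologies product): rules 1, 4, 6 and 7 from the table expressed as checks over already-decoded signaling records. The record field names, the message id used for correlation, the home prefix and every number in the sample data are constructed assumptions.

```python
HOME_PREFIX = "99901"  # constructed global title range of the system owner

def is_alphanumeric(toa):
    """Bits 6..4 of the TP-OA type-of-address octet are the type of number; 0b101 is alphanumeric."""
    return (toa >> 4) & 0b111 == 0b101

def analyse(records, registered_at):
    """Return (rule number, message id) pairs for rules 1, 4, 6 and 7 of the table."""
    findings, sri_source = [], {}
    for r in records:
        if r["op"] == "SRI-SM":
            sri_source[r["id"]] = r["cgpa"]        # remember who asked for routing info
        elif r["op"] == "MT-FSM":
            asked_by = sri_source.get(r["id"])
            if asked_by is not None and asked_by != r["cgpa"]:
                findings.append((1, r["id"]))      # inconsistent SMS source
            if r["external"] and r["smsc"].startswith(HOME_PREFIX):
                findings.append((4, r["id"]))      # home SMS-C spoofing
            if r["external"] and is_alphanumeric(r["tp_oa_toa"]):
                findings.append((6, r["id"]))      # A2P SMS over an external connection
        elif r["op"] == "MO-FSM":
            node = registered_at.get(r["msisdn"])  # node where the subscriber is registered
            if node is not None and node != r["cgpa"]:
                findings.append((7, r["id"]))      # spoofed MO SMS sender
    return findings

# Constructed sample data: every number below is made up.
REGISTERED_AT = {"99901111222": "88802000020", "99901111333": "88802000020"}
RECORDS = [
    {"op": "SRI-SM", "id": "m1", "cgpa": "88802000010"},
    {"op": "MT-FSM", "id": "m1", "cgpa": "88802000010", "external": True, "smsc": "88802000010", "tp_oa_toa": 0x91},
    {"op": "SRI-SM", "id": "m2", "cgpa": "88802000010"},
    {"op": "MT-FSM", "id": "m2", "cgpa": "88801000099", "external": True, "smsc": "88801000099", "tp_oa_toa": 0x91},
    {"op": "MT-FSM", "id": "m3", "cgpa": "88801000099", "external": True, "smsc": "99901000001", "tp_oa_toa": 0xD0},
    {"op": "MO-FSM", "id": "m4", "msisdn": "99901111222", "cgpa": "88803000005"},
    {"op": "MO-FSM", "id": "m5", "msisdn": "99901111333", "cgpa": "88802000020"},
]

if __name__ == "__main__":
    for rule, msg in analyse(RECORDS, REGISTERED_AT):
        print(f"rule {rule}: message {msg}")
```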
18. Delivering Security
Audit: Auditing provides essential visibility to fully understand your ever-changing network risks.
Monitor: Non-stop real-time detecting is essential for verifying the effectiveness of network security and supporting rapid detection and mitigation.
Protect: Completely secure your network by addressing both generic vulnerabilities and the threats that actually affect you as part of an ongoing process.
by Positive Technologies