Phone-based fraud scheme IRSF is stealing billions each year

• Phone-based fraud scheme IRSF centers around premium phone numbers.
• Phone fraudsters via IRSF scheme are redirecting large quantities of telephony traffic to premium numbers by installing malware on PCs and mobile phones, automating calls from stolen or hijacked SIM cards, and more.

Telephony experts and security researchers observed a phone-based fraud scheme which is much more lucrative than other fraud schemes. The phone-based fraud scheme is known as the International Revenue Share Fraud (IRSF). The IRSF scheme centers around premium phone numbers.

The estimated losses through IRSF scheme range between $4 billion and $6.1 billion.

Premium phone numbers and IPRNs

Premium phone numbers have been introduced to support automatic phone-based purchases. Customers can call a premium phone number at a specific fee which allows the caller to access a website, initiate a product delivery at their home, or activate other services.

Premium phone numbers became popular with the International Premium Rate Number (IPRN) billing portal service. IPRNs charge telephone providers a high fee to take up a call and the telecom companies pass down these costs to customers through monthly invoices. The company who rented a premium number from the IPRN also earns a small cut for driving callers to the premium number. The more calls an IPRN receives, the more money it can charge telephone providers and customers.

Modus Operandi of phone fraudsters

IPRNs allowed phone fraudsters to exploit their networks. These attackers via IRSF scheme are redirecting large quantities of telephony traffic to premium numbers through various methods listed below.

• Installing malware on PCs and mobile phones, thereby initiating phone calls without the caller's knowledge.
• Automating calls from stolen or hijacked SIM cards.
• Hacking telephony servers and making calls to premium numbers in the absence of employees.
• Callback spam, making missed calls to users from premium phone numbers, hoping users will call back and get an automatic charge.

However, telephone operators have implemented filters for detecting traffic spikes via premium number blocks. This made the phone fraudsters to change their modus operandi. They are now using the same methods listed above but aren't calling premium numbers directly. The attackers are making calls to legitimate phone numbers that a malicious transit operator silently redirects to a premium phone number.

Merve Sahin and Aurelien Francillon’s Analysis on IRSF scheme

Sahin and Francillon's analysis on IRSF scheme has uncovered the fact that these malicious IPRN providers have networks of premium phone numbers worldwide, primarily in Africa, the former Soviet space, and South American islands.

“Basically what we did was to test those test portals for about three years. In total, we have been collecting more than 1.3 million test [phone] numbers and 150K test call logs,” said Sahin, reported ZDNet.

Sahin and Francillon's findings include the following.

• The test numbers are never used for actual fraud.
• Certain IPRN providers sometimes abuse unallocated phone numbers.
• Certain IPRNs change the premium numbers that are used for fraud frequently.

The duo had developed an algorithm that uses the insight into IPRN test portals they obtained during the past three years. They have tested their algorithm on real-world call records which contains fraudulent IRSF calls, obtained from a European telecom operator. The test results proved that their algorithm achieved a much higher accuracy in detecting IRSF schemes with a relatively smaller quantity of false positives.