Telephone system hacking (PBX hacking) refers to an abuse method that causes damages in the telecommunications industry of up to USD 5 billion globally every year (see Communications Fraud Control Association (CFCA), Worldwide Telecom Fraud Survey, 2013). In this type of hacking, the perpetrators (hackers or fraudsters) gain unauthorized access to a telecommunications system, usually a business customer's private branch exchange (PBX) or an internet router with telephone functions, in order to tamper with the PBX and generate telephone calls fraudulently, mostly to international numbers. This tampering involves setting up call forwarding to international destinations, exploiting the routing functions of voice mailboxes, or setting up additional extensions that the perpetrator can use.
The perpetrators use the telephone systems they have tampered with to generate huge amounts of traffic to international destination numbers, from which they generate a revenue share. This is referred to as International Revenue Share Fraud (IRSF). These IRSF destination numbers can be international premium-rate numbers which provide the perpetrators with a direct revenue share from incoming telephone calls.
In many cases, hackers also use numbers or number ranges in countries having very high call termination charges. The call termination charge is payable when an international telephone call is terminated by an interexchange carrier in the network of a local exchange operator. Owing to high operating costs, foreign local exchange operators, for example in small Pacific Island states or sparsely populated countries, charge particularly high termination charges. Criminal organizations act as carriers in the international telecoms industry and purport to terminate phone calls to these countries at low prices. In reality, however, the traffic is not terminated; the termination charges are simply retained. Since the traffic has often been artificially generated by PBX hacking, the “caller” often does not realize that no termination has taken place. This type of traffic is often described as short-stopping.
Telecoms providers therefore have a significant interest in the early detection and prevention of such artificially generated phone traffic from compromised telephone systems. To detect this fraudulently generated traffic, most telecoms providers operate abuse detection systems, which process the traffic data, detect artificially generated traffic or mass traffic using preconfigured rules, and alert the operator. Most of these abuse detection systems function in a rule-based manner.
In a rule-based abuse detection system, the number of calls and traffic minutes to particular international destination numbers and/or the charges incurred therefor are counted over a particular period of time. If one or more of these parameters exceeds a threshold configured in the rule, an alarm is triggered. Subsequently, the suspected abuse is usually checked manually. Other measures can then be taken, such as informing the affected customer or blocking the line for foreign calls.
However, the disadvantage of this detection method using threshold-based rules is that a certain amount of damages has to be incurred first before the threshold is reached and the alarm is triggered. Therefore, the traffic generated fraudulently before the threshold is reached leads to a certain amount of “base damages”, which have to be borne by the telecoms service provider and/or its affected customers. Higher damages are only prevented by detecting abuse and taking counter-measures. In addition, this method leads to the risk that the hackers systematically seek to stay below the threshold and still generate artificial traffic over a longer period of time.
However, the abuse detection system administrator cannot set the thresholds too low because this runs the risk of false alarms. In particular, data-protection rules on data reduction and data economy and the secrecy of telecommunications dictate that the thresholds not be set too low, so as to prevent normal telecoms traffic triggering an alarm in the system.
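The rule-based detection described above, as an added illustration that is not part of the original text: a per-line sliding-window rule over constructed call detail records (CDRs). The home country code, destination numbers, charges and thresholds are all assumed sample values; the "base_damage" field shows the charge already incurred before the threshold trips, and the second rule in the usage note shows how a low threshold produces a false alarm on the normal line.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed call detail records (CDRs) for two customer lines:
# (timestamp_s, source_line, b_number, minutes, charge_eur)
CDRS = [
    (900, "A", "+33123456789", 3.0, 0.9),     # normal business line, a few foreign calls
    (1500, "A", "+4930123456", 2.0, 0.0),     # domestic call (assumed home country +49), ignored
    (2700, "A", "+44123456789", 10.0, 2.0),
] + [
    # hacked PBX: one 5-minute call every 3 minutes to an assumed expensive destination
    (1000 + 180 * i, "B", "+999123456789", 5.0, 4.5) for i in range(12)
]

@dataclass
class Rule:
    window_s: int       # observation period over which the counters accumulate
    max_calls: int      # alarm as soon as any counter exceeds its threshold
    max_minutes: float
    max_charge: float

def is_international(b_number, home_cc="+49"):
    return b_number.startswith("+") and not b_number.startswith(home_cc)

def evaluate(cdrs, rule):
    """Apply the rule per source line over a sliding window; return one alarm per line.
    'base_damage' is the charge already incurred by the time the alarm fires."""
    history = defaultdict(list)  # line -> [(ts, minutes, charge)] still inside the window
    alarms = {}
    for ts, line, b_number, minutes, charge in sorted(cdrs):
        if not is_international(b_number) or line in alarms:
            continue
        window = [r for r in history[line] if ts - r[0] < rule.window_s]
        window.append((ts, minutes, charge))
        history[line] = window
        calls = len(window)
        mins = sum(r[1] for r in window)
        cost = sum(r[2] for r in window)
        if calls > rule.max_calls or mins > rule.max_minutes or cost > rule.max_charge:
            alarms[line] = {"at": ts, "calls": calls, "minutes": mins, "base_damage": cost}
    return alarms

if __name__ == "__main__":
    print(evaluate(CDRS, Rule(window_s=3600, max_calls=10, max_minutes=60, max_charge=50)))
    print(evaluate(CDRS, Rule(window_s=3600, max_calls=1, max_minutes=60, max_charge=50)))
```

With the first rule the hacked line B is only flagged on its 11th call, by which time 49.50 of charges have accrued; with max_calls=1 the alarm fires after 9.00 but the normal line A is flagged as well.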
Another counter-measure against IRSF widely used in the telecoms industry is the blocking of already flagged IRSF destination number ranges, i.e. numbers and blocks of numbers that have already been used in the past for artificially generated traffic from hacked PBX systems. These flagged destination numbers or B-numbers are also referred to as “Hot B Numbers” and the corresponding lists as “Hot B Number Lists”. As a precautionary measure, a PBX service provider can block the destination numbers or number ranges on the Hot B Number Lists, such that international calls can no longer be made to these destinations and no further termination charges can be fraudulently generated either.
However, the risk with these blocks on Hot B Numbers is that numbers of legitimate foreign telecoms subscribers may also be inadvertently blocked. Some perpetrators seeking to take revenue shares from international termination charges also use number ranges that are actually assigned to legitimate subscribers. For example, the perpetrators generate traffic to these destinations from hacked PBX systems while at the same time preventing regular traffic to said destinations. The legitimate subscribers can then temporarily not be reached by phone. This is also referred to as “number hijacking”. If the numbers or number ranges are then blocked by telecoms providers in order to prevent IRSF, the subscribers in question can no longer be called, which may lead to complaints to the telecoms providers.
Another disadvantage of the block is that telecoms providers generally do not know how long the perpetrators will use the numbers or number ranges to generate termination charges. Typically, the numbers are only abused for a limited period of time, and the perpetrators regularly change the numbers or number ranges they abuse. Therefore, the number blocks also have to be lifted after a certain period of time. If this is done too early, additional damages may be incurred; if this is done too late, the block lists may become too large and exceed the capacity of the network elements.
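The Hot B Number List mechanism and the lifting problem just described, as an added example that is not from the original text: a prefix-based blocklist in which each entry carries the time abuse was last observed, stale entries are lifted after an assumed time-to-live, and the oldest entries are evicted when an assumed network-element capacity is exceeded. All prefixes, timestamps and limits are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class HotBNumberList:
    ttl_s: int       # assumed: how long a flagged prefix stays blocked after last observation
    capacity: int    # assumed: maximum entries the network element can hold
    entries: dict = field(default_factory=dict)  # prefix -> last time abuse was observed

    def flag(self, prefix, now):
        """Add or refresh a flagged destination prefix; evict the stalest entry on overflow."""
        self.entries[prefix] = now
        while len(self.entries) > self.capacity:
            oldest = min(self.entries, key=self.entries.get)
            del self.entries[oldest]

    def lift_expired(self, now):
        """Lift blocks not refreshed within ttl_s; return the lifted prefixes (sorted)."""
        expired = [p for p, t in self.entries.items() if now - t >= self.ttl_s]
        for p in expired:
            del self.entries[p]
        return sorted(expired)

    def blocks(self, b_number, now):
        """Return the longest flagged prefix covering b_number, or None if the call may pass."""
        self.lift_expired(now)
        hits = [p for p in self.entries if b_number.startswith(p)]
        return max(hits, key=len) if hits else None

def demo():
    """Walk through flagging, prefix matching, capacity eviction and expiry on sample values."""
    hot = HotBNumberList(ttl_s=10, capacity=2)
    hot.flag("+99912", now=0)          # whole sub-range flagged
    hot.flag("+9995551", now=1)        # a single flagged number block
    first = hot.blocks("+99912345678", now=2)   # -> "+99912"
    hot.flag("+99977", now=3)          # third entry exceeds capacity, "+99912" is evicted
    after_evict = hot.blocks("+99912345678", now=4)  # -> None
    hot.flag("+9995551", now=5)        # abuse seen again, block is refreshed
    lifted = hot.lift_expired(now=14)  # "+99977" (flagged at 3) is lifted, "+9995551" stays
    return first, after_evict, lifted, hot.blocks("+99955519", now=14)

if __name__ == "__main__":
    print(demo())
```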
There is therefore a great need for devices and methods for detecting abuse in telephone networks that both enable particularly rapid detection of abuse attempts in order to prevent costs being incurred, and prevent the numbers of legitimate telecoms subscribers being erroneously or inadvertently blocked.