A frightening insight into international revenue share fraud

International Revenue Share Fraud (IRSF) has been responsible for hundreds of millions of dollars’ worth of fraud losses to the telecommunications industry over many years. Despite a lot of work by carriers and supporting organisations over the past 8 or 9 years, the problem remains, and is likely to remain for at least a few more years before there is some agreement within the industry to take the actions required to prevent a carrier’s revenue from finding its way into fraudsters’ pockets.

There have been a number of initiatives which have been successful at reducing the impact (value) of individual incidents of IRSF, such as NRTRDE and ‘Hot number range databases’. However, the incidents of IRSF continue to grow, mainly with a shorter timeframe but still with significant fraud losses. The number of International Revenue Share number resellers also continues to grow, and we are aware of over 115 of these currently, which is a +500% increase since 2009. It is important to state that not all number resellers are fraudsters. Some are legitimate businesses offering numbers for content services, tele-voting etc., and these provide a reasonably safe revenue stream. However, there are many others who openly encourage fraud and will provide their numbers to anyone with little concern about how these callers are going to pump traffic into them.

Most International Revenue Share number resellers will provide a schedule of ‘Test Numbers’ on their websites, some available for any visitor to the website to access, and others requiring a visitor to complete a registration process before these test numbers can be viewed. Typically, if a potential customer (or fraudster) wishes to do business with a number reseller, he must first confirm that the country and number range he wishes to call is accessible from the country he is calling from, and from the device he intends to use. This may for example be a stolen GSM handset with a UK SIM card roaming in Spain and wanting to call Somalia, or a compromised PBX in the Philippines through which he wishes to transfer calls to Gambia.

This potential customer (or fraudster) will use one of the number provider’s test numbers to confirm the routing he requires is possible. Once confirmed, the customer (or fraudster) will then apply to the number provider for one or more revenue share numbers at that location which he can use on a revenue share basis. Generally, this will not be the test number, as this goes back to the number provider’s Test or Rate Card for use by the next person looking for access to that country. Many number providers will change these test numbers frequently, often at least every few months. The numbers may not be discarded, but handed back to the number provider’s ‘wholesaler’, who may re-issue the test numbers to another of their resellers.

There is often a time lapse of 15 minutes to 3 hours between the time the first call to a test number is made and the IRSF actually commences. This allows the fraudster to make contact with the Number Reseller, obtain revenue share numbers at that location, check that this number works, set up call diverts or international call forwarding etc. He may also want to allow time for other members of his criminal gang to get to different parts of the city so that their use of multiple SIMs may not be obvious from one cell site.

The time lapse between these test numbers being called and a full-scale IRSF attack commencing provides a great opportunity for fraud detection, assuming that these test numbers are known.

These test calls are generally easy to identify when analysing call records from an IRSF attack. They will be short calls, between 1 and 10 to the same or similar numbers, before the traffic inflation starts. Often there will be further test calls during an IRSF attack, and these will be terminated to test that a new number range the fraudster wishes to use is also available from their location and calling device.
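
The detection opportunity described above can be sketched as follows. This is an added example, not code from the original article: it flags callers who place short calls to known test numbers and opens a 3-hour watch window on them. The CDR tuple layout, the 30-second cut-off for a "short" call and all phone numbers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: every number below is made up for illustration.
KNOWN_TEST_NUMBERS = {"25290000001", "22090000002"}
SHORT_CALL_S = 30                    # assumed cut-off for a "short" test call
WATCH_WINDOW = timedelta(hours=3)    # upper end of the 15 min to 3 h lapse

CDRS = [  # (caller, called number, start time, duration in seconds)
    ("447700900001", "25290000001", "2024-01-01T10:00:00", 6),
    ("447700900001", "25290000001", "2024-01-01T10:02:00", 4),
    ("447700900001", "25290000777", "2024-01-01T10:40:00", 1500),
    ("447700900001", "25290000778", "2024-01-01T10:41:00", 1450),
    ("447700900002", "25290000001", "2024-01-01T11:00:00", 400),  # long call
    ("447700900003", "33100000000", "2024-01-01T11:05:00", 5),    # not a test number
]

def find_test_callers(cdrs, test_numbers, short_s=SHORT_CALL_S):
    """Return {caller: alert} for callers with short calls to known test numbers."""
    hits = defaultdict(list)
    for caller, called, start, duration in cdrs:
        if called in test_numbers and duration <= short_s:
            hits[caller].append(datetime.fromisoformat(start))
    alerts = {}
    for caller, times in hits.items():
        first = min(times)
        alerts[caller] = {
            "test_calls": len(times),
            "first_test_call": first,
            "watch_until": first + WATCH_WINDOW,
        }
    return alerts

def traffic_after_test(cdrs, alerts, test_numbers):
    """Sum seconds of non-test calls each flagged caller made in its watch window."""
    totals = {caller: 0 for caller in alerts}
    for caller, called, start, duration in cdrs:
        alert = alerts.get(caller)
        if alert is None or called in test_numbers:
            continue
        when = datetime.fromisoformat(start)
        if alert["first_test_call"] <= when <= alert["watch_until"]:
            totals[caller] += duration
    return totals

if __name__ == "__main__":
    found = find_test_callers(CDRS, KNOWN_TEST_NUMBERS)
    print(found, traffic_after_test(CDRS, found, KNOWN_TEST_NUMBERS))
```

In the constructed data only the first caller is flagged, and the traffic total shows how much inflated usage followed the test calls inside the window in which the account could have been blocked.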