October 15, 2017

5 Frauds on the Rise – Network Operators are Fortifying Against These (re GSMA IR.70 and IR.71)

In early May, hackers exploited an SS7 vulnerability and emptied the bank accounts of O2-Telefonica customers. The buzz on that had hardly died when news of another SS7 attack was doing the rounds. In this occurrence, the attacker sent an InsertSubscriberData packet to an SGSN, instructing the SGSN to change a particular subscriber’s settings. The likely aim would’ve been to redirect the user’s data connection so the attacker could eavesdrop on data communications.

These occurrences do not surprise us.

The current discussion regarding vulnerabilities in the SS7 network was brought to the forefront by the 60 Minutes news program back in April 2016, and by articles in the Washington Post. Previously, presentations given by Tobias Engel and Karsten Nohl at the Hacker conference Chaos Communication Congress 31c3, December 2014, in Hamburg Germany addressed these issues. Some of these scenarios have shaken the network – and network operators – to their very core. Of course, fraud has been around for quite some time. But it is on the rise.

Having written a recent post titled “Standard Short Message Service procedures open the door to Mass IMSI collection” I thought it would be interesting to write a post covering SMS fraud as defined in GSMA PRD IR.70/71.  These documents date all the way back to 2003 and cover SMS fraud scenarios including SMS:

  • Spamming
  • Flooding
  • Faking
  • Spoofing
  • SMS Phishing

SMS Spamming

SMS Spamming is defined as a condition where the subscriber receives unsolicited SMS messages. These messages could be sent by mobile phones or by third parties connected to Short Message Service Centers. The impact of this condition is that the Subscribers Quality of Experience can be affected and ultimately lead to subscriber churn.

One method is repetitive content checks at the SMS-C including analysis of the sending party.  The use of an SMS Router and SMS Firewall can be instrumental in stopping SMS Spamming and its potential impact on subscribers’ service satisfaction.

SMS Flooding

SMS Flooding is defined as a large quantity of messages sent to one or more destinations within the network. The quantity is determined in comparing the traffic to the average volume of traffic.  Increase in traffic can cause major network or nodal implications including Denial of Service conditions.

Monitoring of traffic levels and the origination of traffic. Once the presence of SMS Flooding is recognized the SMS Firewall can be used to stop or throttle the traffic from the point of origin.

SMS Faking

SMS Faking is defined as sending an SMS Message with the A-party or sender’s address manipulated.  This address can be a totally fake address or it can be a valid number within the home network of the fake message.  This type of fraud can be used as a stand alone threat or used in conjunction with the Spamming Fraud case. In either case this type of fraud can leave the mobile operator and their true subscribers at financial risk.

Monitor traffic from foreign SMSCs, paying special attention to Signalling Connection Control Part Addresses (Global Title Translations) and Mobile Application Part (MAP) addresses.

SMS Spoofing

SMS Spoofing occurs when a fraudulent party manipulates address information in order to impersonate a user who has roamed onto a foreign network.  The attacker uses the fraudulent address, which may be an actual subscriber’s number, to submit messages to the home network. Frequently, these messages are addressed to destinations outside the home network – with the home SMSC essentially being “hijacked” to send messages into other networks.

The result of this type of fraud is multifaceted.

  1. The home network provider might incur termination charges from its partners for delivering the messages.
  2. These messages may be of concern to interconnect partners because their subscribers may complain about spam and thus these messages can reduce the interconnected partner’s subscribers’ Quality of Experience.
  3. If the attacker uses a real subscriber’s address to send messages, this subscriber might be billed for the fraudulent messages.

To detect this type of fraud the network operator can verify if the subscriber number (MSISDN) used is valid in their network. If the MSISDN is not valid then the operator can decide not to deliver the messages.  If the MSISDN is valid then the network operator checks the current location of the subscriber in the Home Location Register (HLR) and compares it against the MSC of the sent message in question and if they are different then the mobile operator can choose not to deliver the messages.  Additionally, the network can then contact the network operator that sent the message for further investigation.

SMS Phishing

SMS phishing occurs when a fraudulent party uses social engineering techniques to gain confidential information such as passwords or credit card details from a subscriber.  SMS messages are sent to subscribers.  These messages appear as if they are from trustworthy sources and are used to entice subscribers to send their confidential information. These types of attacks are at the minimum an annoyance to subscribers and at most can cause severe financial impacts.

These types of threats are in most cases low volume message attacks and as such pass under the radar of volume based controls. Due to the nature of these attacks, network operators need to implement content based checking methodologies to stop these types of threats from impacting their subscriber base.


It is inevitable that these types of fraud attacks will continue to increase. The level of sophistication of the fraudsters is also on the rise. These types of SMS fraud threats coupled with those discussed in the SS7 Fraud Ebook should be of great concern to network operators and subscribers alike.  It seems that the only way to mitigate the impact is to implement SMS Spam/Fraud systems as described in the SS7 Fraud Ebook.

Categorised in:

October 15, 2017