Statistics on fraudulent access involving Slovenia mobiles
Reconstruction of CDR
file from syslogs of the Kamailio SIP router
and list of IP addresses and subnets for an immediate blacklisting
Created on 2010-11-04 by Yannick Vaucher
Switzernet.com
Statistics on fraudulent access involving Slovenia mobiles
2.1. Statistics per country being called
2.2. Statistics over the from user field being used
2.3. Statistics over the phone number being called
4. Calls to Slovenia-Mobile-Kosovo Ipkonet
4.1. Comparison of syslog and vendor records
4.2. The number of simultaneous calls to Slovenia mobiles
5. Intensity of IP connections
This document gathers our research on the data we collected after the October 2010 fraud.
Our experimental SIP server, installed for testing and development of the ACD quality routing and of the system designed for the routing of emergency calls, was hacked in October 2010. The first call logged via the hacked server is dated October 13th. A significant volume was registered during the weekend from 2010-10-15 through 2010-10-17. The fraudulent traffic was terminated via the hacked server to several destinations. The server was not integrated into the main billing system, and the calls were not accounted for in the central CDR database. To discover the traffic details, only the syslog files of the hacked UNIX server are used.
The kamailio server logged the SIP transactions via the UNIX syslog service. This document provides the output CDR file of the fraudulent calls (section 2.4), different statistics on the number of simultaneous calls and the destinations dialed (sections 2.1, 2.2, 2.3, 3, and 4.2), and several hypotheses on possible motives for the fraud (section 4.2). It also shows the retrieval of the IP addresses appearing in the syslog files. The retrieved data is sampled over 1-minute intervals: all IP addresses appearing in an interval are recorded together with the number of their occurrences.
Authorities processing the complaint in relation with the fraudulent calls to Slovenia mobiles can find, in this document, additional statistics related to the traffic.
The CDR file containing the output values can be downloaded in section 2.4. Next sections show several statistics resulting from the CDR file. The statistics per country, per from-user field, and per destination number are shown in sections 2.1, 2.2, and 2.3 (also available in the Excel file of section 2.4).
Country | Code | Calls | Minutes | ACD (minutes)
Slovenia | 386 | 25'594 | 153'239.7 | 6.0
Sierra Leone | 232 | 6'553 | 32'224.2 | 4.9
Somalia Republic | 252 | 10'801 | 24'779.6 | 2.3
Guinea | 224 | 5'021 | 12'659.3 | 2.5
Israel | 972 | 28 | 118.4 | 4.2
Macedonia | 389 | 6 | 4.7 | 0.8
Zimbabwe | 263 | 1 | 0.2 | 0.2
From user | Calls | Minutes | ACD (minutes)
101 | 19'765 | 76'851.3 | 3.9
asd300 | 1'778 | 22'211.1 | 12.5
0000 | 1'648 | 19'234.2 | 11.7
000000000000 | 8'534 | 18'356.5 | 2.2
0000000 | 2'008 | 16'017.6 | 8.0
kalnas600 | 4'451 | 13'818.2 | 3.1
dehka | 4'272 | 10'121.5 | 2.4
000000 | 868 | 9'974.5 | 11.5
foaad_saa | 147 | 6'993.3 | 47.6
7777 | 605 | 6'424.5 | 10.6
55202033 | 324 | 4'294.3 | 13.3
kalnas500 | 271 | 4'036.9 | 14.9
1111 | 204 | 2'923.7 | 14.3
888888888 | 350 | 2'374.3 | 6.8
888 | 110 | 1'745.6 | 15.9
123 | 138 | 1'362.1 | 9.9
hisham1970 | 813 | 1'339.9 | 1.6
0000000000 | 468 | 1'224.7 | 2.6
684168 | 779 | 863.6 | 1.1
111111111111 | 85 | 583.6 | 6.9
11 | 71 | 550.9 | 7.8
asdf500 | 98 | 365.9 | 3.7
shikso | 37 | 335.2 | 9.1
marryaina123-1001 | 17 | 282.4 | 16.6
999 | 13 | 168.4 | 13.0
karam155 | 8 | 146.4 | 18.3
RAMY250 | 10 | 117.2 | 11.7
00000000 | 58 | 117.0 | 2.0
5555555 | 6 | 101.0 | 16.8
133 | 21 | 48.2 | 2.3
10 | 19 | 32.2 | 1.7
1001 | 24 | 7.2 | 0.3
anonymous | 2 | 2.0 | 1.0
441932376101 | 1 | 0.6 | 0.6
250 | 1 | 0.1 | 0.1
The table of phone numbers being dialed shows only the top used numbers. The full list is available in the CDR Excel file (section 2.4).
To | Calls | Minutes | ACD (minutes)
0038643281239 | 1'178 | 19'643.7 | 16.7
0038643281242 | 2'521 | 11'744.3 | 4.7
0038643281460 | 5'267 | 11'048.3 | 2.1
0038643281244 | 3'583 | 8'592.0 | 2.4
0023224000936 | 276 | 8'249.4 | 29.9
0023224000935 | 1'361 | 7'005.9 | 5.1
0038643281094 | 490 | 6'757.5 | 13.8
002522200377 | 1'613 | 6'564.5 | 4.1
0038643281081 | 356 | 5'629.6 | 15.8
0023224006762 | 649 | 5'587.6 | 8.6
0038643281286 | 1'711 | 5'524.6 | 3.2
0038643281494 | 557 | 5'304.5 | 9.5
0038643281461 | 2'259 | 5'176.2 | 2.3
0038643281287 | 366 | 4'794.5 | 13.1
0038643281463 | 695 | 4'732.7 | 6.8
0038643281289 | 330 | 4'618.0 | 14.0
0038643281098 | 779 | 4'604.2 | 5.9
0023224000938 | 2'966 | 4'385.7 | 1.5
0038643281234 | 358 | 4'065.5 | 11.4
0038643281498 | 370 | 3'840.6 | 10.4
0038643281288 | 271 | 3'811.6 | 14.1
0038643281230 | 291 | 3'742.0 | 12.9
0038643281233 | 321 | 3'741.3 | 11.7
0038643281499 | 319 | 3'711.6 | 11.6
0038643281238 | 462 | 3'619.9 | 7.8
0038643281231 | 316 | 3'566.2 | 11.3
002522200378 | 1'387 | 3'554.2 | 2.6
0023224006772 | 919 | 3'546.2 | 3.9
0038643281232 | 292 | 3'472.5 | 11.9
0038643281497 | 243 | 3'391.4 | 14.0
0038643281465 | 505 | 2'886.7 | 5.7
0038643281496 | 272 | 2'866.9 | 10.5
0038643281466 | 374 | 2'706.8 | 7.2
002522168653 | 592 | 2'477.0 | 4.2
0038643281241 | 166 | 2'323.9 | 14.0
0038643281476 | 155 | 2'292.1 | 14.8
002522168765 | 195 | 1'884.5 | 9.7
002522168898 | 403 | 1'867.7 | 4.6
002522168652 | 878 | 1'840.3 | 2.1
0022479910583 | 134 | 1'714.2 | 12.8
0022479910596 | 493 | 1'678.0 | 3.4
0038643281080 | 218 | 1'654.7 | 7.6
0022479910594 | 326 | 1'484.4 | 4.6
0022479910584 | 90 | 1'214.6 | 13.5
0022479910595 | 413 | 1'198.1 | 2.9
0022479910597 | 396 | 1'171.2 | 3.0
0022479910598 | 376 | 1'125.4 | 3.0
0023224001570 | 92 | 1'024.9 | 11.1
0038643281190 | 240 | 949.9 | 4.0
0023222291848 | 29 | 931.9 | 32.1
0022479910585 | 117 | 835.0 | 7.1
0038643281464 | 110 | 791.9 | 7.2
0022479910589 | 191 | 776.4 | 4.1
File: CDR file created from syslog (size 1.66MB)
The following chart shows the evolution of the distribution of the traffic by country. The data is presented for hourly intervals. The values represent the number of concurrent calls in progress during a given hour. At first the fraudulent traffic was using the connections of Verizon. When Verizon detected the fraud and suspended the calls, the flow was interrupted for a couple of hours and then restarted, this time using the routes of Colt.
The following two records show the first and last calls routed via Verizon:
Time: 2010-10-13 13:13:22
From: 101
To: Israel
Phone: 00972599870738
Duration: 00:00:05
Via: verizonbusiness.com
Time: 2010-10-16 18:09:12
From: dehka
To: Sierra Leone
Phone: 0023224000938
Duration: 00:00:46
Via: verizonbusiness.com
The fraudulent traffic was interrupted when Verizon detected the fraud and decided to block the calls. Within a couple of hours the fraudulent traffic began again, this time via Colt. The following two records show the first and last calls routed via Colt. The fraud was detected by Colt on Sunday and the calls were blocked.
Time: 2010-10-16 20:55:18
From: 250
To: Israel
Phone: 00972599916699
Duration: 00:00:07
Via: colt.net
Time: 2010-10-17 23:07:44
From: 000000000000
To: Somalia Republic
Phone: 002522168598
Duration: 00:00:19
Via: colt.net
File: Distribution chart by hours (size 2.18MB)
When Verizon's fraud department detected the pattern, the records of the suspected calls to Slovenia were sent to us.
The CDR we generated from the syslog files was compared with Verizon's CDR containing the calls to Slovenia mobiles. The calls in both CDRs matched accurately most of the time. The records in the two files were often identical except for a time shift of 32 to 34 seconds, due to an incorrect clock on one of the sides.
File: Vendor and syslog CDR comparison (size 12.8MB)
The following records represent the first and last calls appearing in the fraud report of Verizon for calls to Slovenia mobiles:
Time: 2010-10-15 01:48:46
To: 38643281227
Duration: 191 seconds
Time: 2010-10-16 18:08:58
To: 38643281463
Duration: 16 seconds
The entire traffic of 7'554'889 seconds, or 125'914.8 minutes, representing a charge of CHF 38'035.47 (without VAT), was sent to only 32 phone numbers. Except for businesses handling simultaneous hotline calls, multiple simultaneous answered calls to the same phone number suggest fraud. The following table shows the number of parallel calls to each individual mobile phone number. The first row of the table contains the 32 mobile phone numbers in question. The rows that follow represent one-hour intervals. The value under each phone number is the average number of concurrent calls to that phone during the corresponding 1-hour interval.
The table shows, for example, that during the entire hour from 2010-10-16 04:00 to 04:59 there were on average as many as 34 simultaneous calls to the single phone number +38643281239, generating a total duration of 2'057.65 minutes during this single hour and corresponding to a cost of CHF 621.56 (for 1 hour and 1 phone number). The number of simultaneous calls to a single phone number reached as high as 91 parallel calls, and the total number of simultaneous calls to Slovenia mobiles reached as high as 180 parallel calls (the capacity of 6 full E1 lines).
In the case of real mobile phone subscribers, we see neither a technical possibility nor an economic benefit in sending 126'000 minutes to 32 mobile phones in about one day. It is possible that a vendor of Verizon, or a vendor of its vendor, provided a false answer supervision for all calls to Slovenia mobiles. Such an intermediary fake vendor would benefit from the traffic and could therefore be at the origin of the fraudulent calls. The final owner of the number range in the destination country (such as a small MVNO, OLO, or PNS) can also benefit from the incoming traffic and is therefore also a hypothetical suspect for the origin of the fraudulent traffic.
The following chart is the graphical version of the previous table. The horizontal position of each bar represents the hour. The total height of the bar at a given hour is the number of simultaneous calls to Slovenia mobiles. Each color represents one of the 32 individual mobile phone numbers, and the height of a single-colored segment is the number of simultaneous calls to the corresponding mobile phone number. For example, the chart shows that starting from 6 o'clock in the morning of October 16th, during one hour, there were 91 simultaneous calls to the single mobile phone subscriber +38643281239.
File: Simultaneous calls per phone (size 1.08MB)
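The per-hour concurrency figures discussed above can be recomputed from any CDR with a start time, a duration and a destination. The following is an added example, not the report's own code: it credits each 1-hour bucket with the call-seconds overlapping it, divides by 3600, and flags destinations whose average concurrency looks like the hotline pattern the report describes. The CDR records are constructed.

```python
# Added example (not the report's own code): average number of concurrent
# calls per destination number for each 1-hour interval, computed from
# CDR-style records like the ones reconstructed from the Kamailio syslog.
# The sample records are constructed; the metric is the one implied by the
# report's figures: call-seconds overlapping the hour divided by 3600.
from collections import defaultdict
from datetime import datetime, timedelta

def avg_from_minutes(minutes_in_hour):
    """Average concurrency from total call minutes accumulated in one hour."""
    return minutes_in_hour * 60 / 3600

def concurrency_per_hour(cdr):
    """cdr: iterable of (start 'YYYY-MM-DD HH:MM:SS', duration_seconds, to).
    Returns {(hour 'YYYY-MM-DD HH:00', to): average concurrent calls}."""
    seconds = defaultdict(float)
    for start, duration, to in cdr:
        s = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        e = s + timedelta(seconds=duration)
        bucket = s.replace(minute=0, second=0)
        # credit each hour bucket with the part of the call that overlaps it
        while bucket < e:
            nxt = bucket + timedelta(hours=1)
            overlap = (min(e, nxt) - max(s, bucket)).total_seconds()
            seconds[(bucket.strftime("%Y-%m-%d %H:00"), to)] += overlap
            bucket = nxt
    return {k: v / 3600 for k, v in seconds.items()}

def suspicious_destinations(avg, threshold=1.5):
    """Numbers that, in some hour, had more than `threshold` simultaneous
    answered calls on average: the pattern the report treats as fraud unless
    the destination is a business hotline."""
    return sorted({to for (_, to), a in avg.items() if a > threshold})

# Constructed sample: four overlapping 30-minute calls to one mobile number
# and one ordinary call to another number that spills into the next hour.
SAMPLE_CDR = [
    ("2010-10-16 04:00:00", 1800, "0038643281239"),
    ("2010-10-16 04:00:00", 1800, "0038643281239"),
    ("2010-10-16 04:30:00", 1800, "0038643281239"),
    ("2010-10-16 04:30:00", 1800, "0038643281239"),
    ("2010-10-16 04:50:00", 1200, "0023224000936"),
]

if __name__ == "__main__":
    result = concurrency_per_hour(SAMPLE_CDR)
    for key, value in sorted(result.items()):
        print(key, round(value, 2))
    print("suspicious:", suspicious_destinations(result))
```

With the report's own figure of 2'057.65 minutes in one hour, avg_from_minutes gives the 34 average simultaneous calls quoted above.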
The following chart, available as an Excel file, shows the number of IP records per hour estimated to be the source of the fraudulent transactions.
The top subnets retrieved from the syslog during the fraud are shown in the table below. The geographic location of an IP address can be estimated via one of the 4 lookup links accompanying each subnet. If the IP address is still not found, try the 5th service, ipligence.com, by typing in the three octets in question followed by "1" as the 4th octet.
First 3 octets of the IP address | Number of occurrences | ip-address-lookup-v4.com | geoiptool.com | ipgetinfo.com | hostip.info
188.161.135. | 26540 | | | |
188.161.239. | 22329 | | | |
188.161.237. | 20321 | | | |
188.161.134. | 13342 | | | |
188.161.231. | 9788 | | | |
188.161.240. | 8699 | | | |
188.161.136. | 8628 | | | |
188.161.234. | 8262 | | | |
188.161.236. | 7931 | | | |
188.161.235. | 7637 | | | |
188.161.147. | 7582 | | | |
188.161.229. | 6545 | | | |
188.161.230. | 5739 | | | |
41.206.155. | 5300 | | | |
95.35.232. | 4946 | | | |
109.253.235. | 3846 | | | |
188.161.238. | 3820 | | | |
41.206.148. | 3448 | | | |
188.161.228. | 2794 | | | |
188.161.144. | 2242 | | | |
188.161.133. | 2148 | | | |
41.206.158. | 1894 | | | |
188.161.140. | 1888 | | | |
41.206.153. | 1846 | | | |
109.253.170. | 1632 | | | |
188.161.220. | 1562 | | | |
188.161.141. | 1440 | | | |
127.0.0. | 994 | | | |
202.60.88. | 808 | | | |
109.253.86. | 756 | | | |
41.206.151. | 584 | | | |
41.206.149. | 486 | | | |
188.161.233. | 450 | | | |
188.161.232. | 360 | | | |
41.206.156. | 326 | | | |
188.161.137. | 318 | | | |
91.121.40. | 308 | | | |
188.161.142. | 248 | | | |
91.121.39. | 244 | | | |
188.161.227. | 232 | | | |
188.161.139. | 230 | | | |
74.115.6. | 206 | | | |
188.161.146. | 198 | | | |
188.161.143. | 172 | | | |
188.161.138. | 112 | | | |
91.121.49. | 110 | | | |
91.212.226. | 104 | | | |
91.121.63. | 100 | | | |
188.165.0. | 74 | | | |
188.161.241. | 66 | | | |
41.206.150. | 48 | | | |
76.191.104. | 48 | | | |
This table is also available as an Excel file.
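The subnet table above and the 1-minute IP sampling described in the introduction follow the same procedure: extract every IP address from each syslog line, count it per minute, then sum the counts by the first three octets. The following is an added example, not the report's own code; the syslog lines are constructed (only the timestamp prefix is the standard syslog form, the message text is illustrative), and the example also skips loopback and private addresses, which belong to the server itself and must not be blacklisted even though 127.0.0. appears in the table.

```python
# Added example (not the report's own code): count the IP addresses seen in
# the SIP router's syslog per 1-minute interval, then aggregate them by the
# first three octets to obtain a ranked subnet table like the one above.
# The syslog lines are constructed; only the timestamp prefix is the standard
# syslog format, the message text is illustrative.
import re
from collections import Counter, defaultdict

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

SAMPLE_SYSLOG = """\
Oct 16 04:00:12 sip kamailio[2101]: INVITE sip:0038643281239@sip.example from 188.161.135.20:5060
Oct 16 04:00:14 sip kamailio[2101]: INVITE sip:0038643281242@sip.example from 188.161.135.77:5060
Oct 16 04:00:41 sip kamailio[2101]: BYE received from 188.161.135.20:5060
Oct 16 04:01:03 sip kamailio[2101]: INVITE sip:0023224000936@sip.example from 41.206.155.9:5062
Oct 16 04:01:05 sip kamailio[2101]: REGISTER from 127.0.0.1:5060
"""

def ips_per_minute(text):
    """{'Mon DD HH:MM': Counter({ip: occurrences})} over the syslog text."""
    sampled = defaultdict(Counter)
    for line in text.splitlines():
        if len(line) < 15:
            continue
        minute = line[:12]          # 'Oct 16 04:00' from 'Oct 16 04:00:12'
        for ip in IPV4.findall(line):
            sampled[minute][ip] += 1
    return sampled

def is_local(ip):
    """Loopback and private ranges belong to the server or its own network,
    not to a remote client, so they must never end up on a blacklist."""
    second = int(ip.split(".")[1])
    return (ip.startswith("127.") or ip.startswith("10.")
            or ip.startswith("192.168.")
            or (ip.startswith("172.") and 16 <= second <= 31))

def subnet_table(text, exclude_local=True):
    """Ranked [(first three octets with trailing dot, occurrences)], most
    frequent first, summed over all 1-minute intervals."""
    totals = Counter()
    for counts in ips_per_minute(text).values():
        for ip, n in counts.items():
            if exclude_local and is_local(ip):
                continue
            totals[ip.rsplit(".", 1)[0] + "."] += n
    return totals.most_common()

if __name__ == "__main__":
    for prefix, n in subnet_table(SAMPLE_SYSLOG):
        print(prefix, n)
```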
As we can see in the traffic received, the fraudsters generated little traffic just before the weekend. This was probably for testing the line and preparing the real fraud.
No traffic was sent in parallel toward both vendors: they used the first access until they needed the second one. It took only a few hours for the fraudster to find and pass via the second vendor after the first one was interrupted.
We can also see that the first number dialed via each vendor was in Israel. This may have been for testing purposes, and the fraudster could be close to those numbers.
Fraud reports:
http://switzernet.com/3/public/101102-fraud-stats/ (this page)
http://switzernet.com/3/public/101029-fraud-slovenia/
http://switzernet.com/3/public/101028-fraud-slovenia/
http://switzernet.com/public/060801-web/news_detail.php?id=167
http://switzernet.com/public/060801-web/news_detail.php?id=166
http://switzernet.com/3/folders/101018-fraud-slovenia/ (login: fraud)
http://mirror2.switzernet.com/3/folders/101018-fraud-slovenia/ (login: fraud)
http://www.fedpol.admin.ch/content/fedpol/fr/misc/conform.html
ACD quality routing:
http://switzernet.com/public/091020-acd-routing/
http://www.unappel.ch/2/public/091020-acd-routing/
http://unappel.ch/public/091020-acd-routing/
http://intarnet.com/2/public/091020-acd-routing/
http://parinternet.ch/2/public/091020-acd-routing/
http://switzernet.com/public/091029-ACDstat/
http://unappel.ch/public/091029-ACDstat/
http://switzernet.com/public/091217-doc-acd-routing/
http://en.wikipedia.org/wiki/Least-cost_routing
Emergency numbers:
http://unappel.ch/folders/101004-emergency-calls-planning/ (login: ofcom)
Kamailio/OpenSER SIP server/router:
Perl regular expressions:
http://switzernet.com/3/public/101024-regex/
http://perldoc.perl.org/perlre.html
References on syslog file format:
http://www.facetcorp.com/tnotes/facetwin/tn_syslog.html
http://lists.rtpproxy.org/pipermail/users/2009-May.txt
References on SIP transactions versus dialogs:
http://www.iptel.org/sip_transaction
http://www.ietf.org/rfc/rfc2543.txt
http://www.ietf.org/rfc/rfc3261.txt
CDR stands for Call Data Records
ACD stands for Average Call Duration
UTC stands for Universal Time Coordinated
CET stands for Central European Time
CEST stands for Central European Summer Time
MVNO stands for Mobile Virtual Network Operator
OLO stands for Other Licensed Operator
PNS stands for Personal Numbering Service
This section groups all files used in this research. The list contains files with raw syslog records as well as files showing different statistics. The reference that contains the call records and is light enough to open easily is the output CDR file [101013+6-14'cdr.xls].
File: All transactions of answered calls (size 3.69 MB)
File: Call Data Records in Text format (size 1.29MB)
File: Calls sharing the same call-id (size 7.21MB)
Call Data Records created from the syslog file:
File: CDR file created from syslog (size 1.66MB)
File: Distribution chart by hours (size 2.18MB)
File: Vendor and syslog CDR comparison (size 12.8MB)
File: Simultaneous calls per phone (size 1.08MB)
* * *
Copyright © 2010 by Switzernet