In a conversation with GO Malta about Fighting CLI Spoofing

Voice over Internet Protocol (VoIP) networks are extremely popular for their ability to save costs, support innovations like 5G, and roll out features such as video calling. With the workforce becoming increasingly distributed, businesses and customers want affordable international calling plans that support mobility. Some estimate that the VoIP market will reach US $30 billion by 2025.

However, IP networks have vulnerabilities that expose them to risk.

Arvind Rao, Director of Business Solutions Consulting at Subex Limited, and Charmaine Galea Triganze, Fraud Prevention Officer at GO (Malta), recently presented at the CFCA Educational event, where they discussed the problem of CLI Spoofing at GO. According to Arvind, “VoIP-based attacks constitute roughly 45% of all fraud security events today, as per the recent CFCA report. In fact, out of the top 10 fraud methods recorded by CFCA, 6 of them are related to VoIP-based attacks.”

(In case you missed the event, the conversation below offers the main highlights.)

To provide a context of what was happening at GO, Charmaine recalls, “We were getting reports from broadband customers, internal employees, retail customers, and business customers that something wasn’t right. Someone would receive a call that originated from Italy, an EU country, but it would be their relative based out of Canada or Australia. As these reports increased, we started investigating the CDRs in our existing fraud management solution, and the data was conflicting, showing the number was from Italy or any other EU country. That was when we called Subex to do a proof of concept. What we found was quite alarming.”

Since the EU works on an origin-based rating, rogue carriers were exploiting a loophole to pay lower terminating charges. As the investigation deepened, more concerns surfaced. Caller ID spoofing was wreaking havoc: Scam calls had increased during the pandemic. Scamsters began spoofing numbers of well-known businesses in Malta. Customers, trusting of EU numbers, were prone to pick up these calls. Apart from being a nuisance to retail customers, it created immense ecosystem challenges.

GO collaborates with law enforcement to aid criminal investigations by providing information about a suspect’s call records or location. However, in many cases, the data passed on from CDRs turned out to be incorrect. Charmaine states, “The police would complain, stating they asked for a specific person’s records but based on the data we shared, it was implausible that the suspect made these calls from the number provided.” It was compromising the operator’s reliability.

One of the most telling stories Charmaine narrates was how spoofed numbers were disrupting Malta’s emergency services. “People would call emergency services, request assistance, and hang up. On tracing the call, emergency services would be dispatched to the location only to find confused people wondering why the police were at their door! You can understand that the emergency department was not happy. They repeatedly asked us to stop the spoofed calls or at least sieve out the genuine ones from spoofed numbers so they would know which to ignore and which to respond to. But the existing system was not able to give us this information.”

Modern problems need modern solutions

Arvind explains why: “Traditional fraud management systems, which are reactive, transaction-based and rely entirely on call detail records, are not best suited for addressing these VoIP-based frauds in real-time.”

To visualize this, let’s consider the standard OSI stack starting from Layer 1 to Layer 7 and walk through what happens during a CLI spoofing attack.

CLI spoofing attacks typically begin with a port scan at Layer 3, wherein a program looks to identify what services are running on the network. Once discovered, probing or brute force attacks ensue, after which the attack moves to the application layer or layer 7. “This is where we start seeing breaches,” says Arvind. “However, many lower-level attacks and failed attacks are not monitored, as no records or transactions are generated. Thus, traditional fraud management won’t kick in. Moreover, such systems do not track these failed attempts.”

“Here is where signaling security systems make a difference,” adds Arvind. “A robust signaling-based detection and prevention system monitors signaling information across the layers and looks for malicious behavior. From a technical aspect, they observe network packet captures, usually using port mirroring in a non-intrusive manner, without causing any network lag. Using shallow and/or deep packet inspections to identify markers or threat signatures like SIPVicious software as the user-agent. Apply other detection measures such as heuristics-based detection and look for a relationship between A and B numbers, including looking for calls made or from unallocated numbers.”

Unallocated numbers are an important marker of fraud, as traffic involving them points to a random dialer or program behaving maliciously.
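The two signaling checks described above (a scanner signature in the User-Agent and a number outside the allocated plan), as an added Python example that is not Subex's or GO's code. The number plan, hosts and SIP messages are constructed, and the example assumes the plan covers only the home country code.

```python
import re

# "friendly-scanner" is the default User-Agent sent by SIPVicious.
SCANNER_UA = re.compile(r"sipvicious|friendly-scanner", re.I)
HOME_CC = "356"  # country code whose number plan we hold (assumption)
# Constructed number plan: allocated E.164 ranges (inclusive), not a real plan.
ALLOCATED = [(35620000000, 35620009999), (35670000000, 35670004999)]
COMPACT = {"f": "from", "t": "to"}  # RFC 3261 compact header forms
NUM = re.compile(r"(?:sips?|tel):\+?(\d+)")

# Constructed SIP requests (documentation addresses, invented numbers).
MSG_SCAN = """INVITE sip:+35629999999@gw.example.net SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:5060
From: <sip:+35620001234@198.51.100.7>;tag=1
To: <sip:+35629999999@gw.example.net>
User-Agent: friendly-scanner
"""
MSG_OK = """INVITE sip:+35670001111@gw.example.net SIP/2.0
f: <sip:+390612345678@carrier.example>;tag=9
t: <sip:+35670001111@gw.example.net>
User-Agent: ExamplePBX 1.0
"""

def parse_headers(msg):
    """Return lower-cased header name -> value for one SIP message."""
    headers = {}
    for line in msg.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return headers

def is_allocated(number):
    return any(lo <= number <= hi for lo, hi in ALLOCATED)

def inspect(msg):
    """Return the list of findings for one SIP request."""
    h = parse_headers(msg)
    findings = []
    if SCANNER_UA.search(h.get("user-agent", "")):
        findings.append("scanner-user-agent")
    for side in ("from", "to"):  # A number and B number
        m = NUM.search(h.get(side, ""))
        # Only home-country numbers can be checked against our own plan.
        if m and m.group(1).startswith(HOME_CC) and not is_allocated(int(m.group(1))):
            findings.append(f"{side}-unallocated")
    return findings
```

Because the checks run on the signaling message itself, a request is flagged even when the call never completes and no CDR is written.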

Add an AI/ML-based approach to the mix to identify hidden correlations and patterns, and a robust solution can be deployed. In fact, Subex enabled such a trifecta approach at GO Malta to address the CLI spoofing fraud.

A host of benefits

Charmaine is glad that, since implementing Subex’s signaling security solution, GO can stop calls directed to unallocated numbers. “We started charging the highest terminating rates for calls to unallocated numbers from partner carriers, and soon, this practice reduced drastically, saving us revenue.”

The solution also performs several other tasks, such as analyzing error codes and using advanced AI/ML to analyze dialing patterns and identify spikes in traffic using anomaly detection. “We didn’t know much about monitoring signaling traffic, but Subex provided us with the right training to understand SIP signaling,” she declares.

Subex’s extensive (the world’s largest) honeypot network is an added advantage. It provides threat intelligence from external databases and has a repository of over 55,000 different malicious signatures and more than 8,000 malicious IP addresses to give operators an edge in addressing technical frauds.

Insights from the solution are also helping GO Malta do other things apart from improving assistance to law enforcement agencies and protecting its customers from spoofed calls. Charmaine notes, “Our business clients were using international platforms, so we found a way to offer them local solutions, which gave us more revenue while helping them save costs.” Customer satisfaction, a foundational lever at GO, has also risen because customers are duly informed when a number is spoofed.

Follow the money

Can a signaling-based defense mechanism give operators a leg up on dealing with new-age frauds?

“Absolutely!” asserts Arvind. “It ticks off the three main goals for fraud management, i.e., to widen fraud coverage, reduce fraud run-time, and improve the fraud hit ratio.”

Malta is already leveraging the much-needed boost. Recently, the commissioner of police set up a task force between three major operators in Malta (including GO), banks, and postal services. Charmaine opines, “There is no single way to fight fraud. CLI spoofing affects all of us because people are lured into disclosing financial information, affecting banks too. Only through ecosystem cooperation can we make sure that fraudsters don’t make a financial profit.”

Warmly referring to GO’s anti-fraud solutions as ‘her toys,’ Charmaine quips, “As I say, ‘Follow the money.’ The more toys we have, the better we can track the fraudsters, and the stronger our defense!”
