
GSMA Arab World,

Kuwait, 14.4.2014.

SMS fraud and SPAM guidelines


by Infobip

www.infobip.com

2014 / Infobip public

Introduction

SMS service today, 22 years later

High popularity and volumes

Very high ROI, but descending revenues

Diverse: P2P, A2P, P2A, M2M

Rich ecosystem and mesh connectivity

Popular fraud channel

High customer impact and churn threat

Challenging control and monetization


The first SMS message ever:
by Vodafone UK
on 3 December 1992
from Neil Papworth of Sema Group using a personal computer
to Richard Jarvis of Vodafone using an Orbitel 901 handset
text was Merry Christmas.

The first commercial SMS message:
Initially only free network notification
First commercial SMS in 1993 by Radiolinja (Telia) Finland
Only NOKIA supported SMS
Slow adoption due to fraud (0.4 SMS/sub/month in 1994)
On-net only by 1999 due to SMS spoof
In 2000, averages 25 SMS/sub/month

Fraud types by GSMA

Described in:

AA.50 SMS fraud criteria

AA.70/AA.71 SMS fraud prevention

BA.43 SMS handbook

Increased by lowering communication price and increasing demand

Fraud is affecting all aspects of network performance

GSMA defined fraud: SMS Fake, SMS Spoof, SMS phishing, SMS Spam, GT Scanning, Own GT fake, Denial of Service (DoS) Fraud, Unexpected DLR

360 network impact

Customer: experience, perception, churn
Brand: perception, value, integrity
Operational: cost, load, efficiency
Service: stability, credibility, delivery
Network: cost, load, stability

SMS Fraud management

Collection: SS7 probes, Existing STP add-ons, Dedicated STPs, NRTRDE
Analysis: SCCP and MAP, Behavioral, Volumetrics, TAP validation
Alerting: Real-time, Near-real time, Internal, 3rd party
Actions: Contact roaming partner, Block source, Report, Rate collection

Basics of SMS fraud environment

[Diagram labels: Operator A, Operator B, Operator C, SMSC, Signalling Provider (two), SS7, SMS-MO, SMS-MT]

Operator A is the sending Operator
Operator B will receive the message
Operator C is normally not involved in the message flow
The Signalling Provider represents the international signalling Network

SMS Fake

Classification criteria in AA.50:

Own Address Criteria

Incorrect Operator Link Set Criteria

Unexpected End Message Criteria

Abnormal Load Criteria

No Address Found Criteria

MAP Only Fake Criteria

Illegal Message Contents Criteria*

MAP error unidentified subscriber Criteria

All MAP or SCCP level manipulation on SMS MT indicating fake identity is used on either B or C side

[Diagram labels: A, FSM_SM, FSM_ACK, >2%]

SMS Spoof

Classification criteria in AA.50:

MSISDN Criteria

Location Criteria

Unusual Traffic Pattern Criteria: LocUp (outbound)/SMSMO > [0,5] normal; <= [0,5]

TAP with SMSC billing tickets comparison

Operator complaints criteria

SS7 criteria:
Incorrect Carrier Link Set Criteria
Comparison MAP SCCP criteria

Manipulated SMS MO from foreign VLR to home SMSC

[Diagram labels: A, B]
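
A sketch of how three of the spoof criteria above (Location, Comparison MAP SCCP, and the LocUp/SMS-MO traffic ratio) can be checked on SMS-MO records. This is an added example, not code from the presentation or from AA.50. The record layout, all GTs and MSISDNs, and the function names are assumptions, as is reading "[0,5]" as 0.5 and the ratio as outbound-roamer Location Updates per SMS-MO from the same foreign VLR.

```python
from collections import Counter

# Constructed sample data; every GT and MSISDN below is made up.
# HLR view after Location Update: subscriber MSISDN -> serving VLR GT.
LOCATION = {"96550000001": "44770000010", "96550000002": "96550009000"}
# Outbound-roamer Location Updates seen per foreign VLR GT in the period.
LOCUP = Counter({"44770000010": 40, "49170000020": 1})
# SMS-MO at the home SMSC:
# (sender MSISDN, SCCP calling GT, SCCP called GT, SMSC address in the MAP layer)
SMS_MO = [
    ("96550000001", "44770000010", "96550000900", "96550000900"),  # consistent roamer
    ("96550000002", "49170000020", "96550000900", "96550000900"),  # sender is at home
    ("96550000003", "49170000020", "96550000900", "96550000901"),  # no location, layers differ
]

def check_sms_mo(msg, location):
    """Return the spoof criteria tripped by one SMS-MO record."""
    sender, sccp_calling, sccp_called, map_smsc = msg
    hits = []
    if location.get(sender) != sccp_calling:
        hits.append("location")   # sender is not registered at the VLR that sent it
    if sccp_called != map_smsc:
        hits.append("map_sccp")   # SCCP and MAP layers disagree on the SMSC address
    return hits

def locup_ratio(sms_mo, locup):
    """LocUp(outbound) / SMS-MO count per originating VLR GT."""
    mo = Counter(m[1] for m in sms_mo)
    return {gt: locup.get(gt, 0) / n for gt, n in mo.items()}

def suspicious_vlrs(sms_mo, locup, threshold=0.5):
    """VLR GTs whose ratio is <= threshold (the slide treats > 0.5 as normal)."""
    ratios = locup_ratio(sms_mo, locup)
    return sorted(gt for gt, r in ratios.items() if r <= threshold)

if __name__ == "__main__":
    for m in SMS_MO:
        print(m[0], check_sms_mo(m, LOCATION))
    print("low LocUp/SMS-MO ratio:", suspicious_vlrs(SMS_MO, LOCUP))
```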


GT Scanning

Multiple SMS MO sent from one location trying to access any open GTs to be able to send free SMS
Multiple SRI_SM sent on random or consecutive parts of the range to detect ANY response
Used for data collection and database creation
Used to detect network weakness, unsecured nodes
Eases future attacks and creates high network load
Forbidden by GSMA

SRI_SM for MSISDN
SRI_SM for MSISDN+1
SRI_SM for MSISDN+2
SRI_SM for MSISDN+3
SRI_SM for MSISDN+4
SRI_SM for MSISDN+5
SRI_SM for MSISDN+6
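
Detection logic for the SRI_SM pattern shown above, run over constructed signalling records. This is an added example, not part of the presentation. The record layout, the GT and MSISDN values, and the thresholds are assumptions, and the "HLR answered" flag stands in for the scan's goal of finding any response.

```python
from collections import defaultdict

# Constructed sample: (epoch_s, SCCP calling GT, queried MSISDN, HLR answered?).
# GTs and MSISDNs are made-up values, not taken from any real network.
SCANNER, AGGREGATOR = "99900000001", "99900000002"
SAMPLE = [(1000 + i, SCANNER, str(96550000100 + i), i in (2, 5)) for i in range(7)]
SAMPLE += [(1000 + 9 * i, AGGREGATOR, str(96550000100 + 137 * i), True) for i in range(6)]

def longest_run(msisdns):
    """Longest run of numerically consecutive MSISDNs (n, n+1, n+2, ...)."""
    nums = {int(m) for m in msisdns}
    best = 0
    for n in nums:
        if n - 1 not in nums:              # n starts a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best

def detect_gt_scanning(records, window=60, min_targets=5, min_run=5, fail_alert=0.5):
    """Flag calling GTs that probe many distinct MSISDNs inside `window` seconds,
    either as a consecutive range or as a mostly unanswered (random) spread."""
    by_gt = defaultdict(list)
    for ts, gt, msisdn, answered in records:
        by_gt[gt].append((ts, msisdn, answered))
    flagged = {}
    for gt, events in by_gt.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                 # slide the window forward
            win = events[start:end + 1]
            targets = {m for _, m, _ in win}
            if len(targets) < min_targets:
                continue
            run = longest_run(targets)
            fail = sum(1 for _, _, ok in win if not ok) / len(win)
            if run >= min_run or fail >= fail_alert:
                pattern = "consecutive" if run >= min_run else "random"
                flagged[gt] = {"targets": len(targets), "run": run,
                               "fail_ratio": round(fail, 2), "pattern": pattern}
                break                      # first alert per GT is enough
    return flagged

if __name__ == "__main__":
    print(detect_gt_scanning(SAMPLE))
```

The aggregator GT in the sample queries as many numbers as the scanner but gets answers and shows no consecutive run, so it is not flagged.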

SMS flooding

Extraordinary traffic volume during limited time period
Can be aimed at HLR, MSC, BSC or even BS, down to the single MSISDN
Can be done unintentionally by 3rd party attempting bulk SMS or SPAM delivery
Usual in case of manual filtering, to abuse delay in blocking
Impacts network performance and stability

[Diagram: repeated FSM_SM for MSISDN]

SMS SPAM and content fraud

SMS SPAM indicates unsolicited delivery regardless of content
A subtype of SPAM aims to abuse receivers' behavior to generate profit
Call for prize, SMS XXXX to confirm, Visit URL: XXXX to see
SPAM can range from harmless marketing, over interconnection-generating artificial communication, to serious money theft

GSMA initiative to facilitate centralized SPAM management

using a universal short code (7726 (S-P-A-M) or 33700)

local and to a global collection, aggregation and reporting service

Submitted to GSMA SPAM Reporting service

How to manage fraud

Cooperation within ecosystem: operators, signaling providers, content providers...
Technical readiness to detect, analyze and alert on fraud incident
Operational readiness with trained Revenue assurance departments
Timely communication and tracking:

[Flowchart labels: Incident; Report to source; Respond. in 24 hrs (YES/NO); Resolved in next 24 hours (YES/NO); Report; Sanctions; Resolution]

Prevention 1. educate

Rather than reactively, act to prevent fraud from happening in the first place:
1. Educate subscribers: Don't reply, Don't trust, Report
2. Keep your staff trained and aware of threat to cut down response time
3. Cooperate with your signaling and DCH providers and demand their support
4. Create minimal response time procedures and keep track of implementation
5. Have your teams track your partner reputation
6. Join GSMA Security Group and Messaging Anti-Abuse Working Group (MAAWG)

Prevention 2. make it harder

Fraudsters will usually know how well your network is protected before attack, so:
1. Real-time live detection systems and NRTRDE, rather than black box
2. Use real-time alarming and dedicated response personnel (own or managed)
3. Ask your provider on possible exchange of data with foreign probes
4. Monitor both SS7 layers, SCCP and MAP, and track consistency
5. Keep awareness of all SS7 channels: SMS, USSD and HLR
6. Keep track of CDR, SMS filter, 7726 and TAP files correlations

Sanctions
1. Reporting Company Information
Name:
Company:
Address:
Contact Phone:
E-mail:
2. Suspected Fraudulent Operator Information (Please provide all Information known)
CTO Name or other contact:
Company:
Address:
Contact Phone:
E-mail:
3. Criteria Identified
Yes/No
Proof/Comments/Traces/Information
1.1 SMS Fake SS7
1.1.1
1.1.2
1.2 SMS Fake Other
1.2.1
2.1 SMS Spoof SS7
2.1.1
2.1.2
2.1.3
2.2 SMS Spoof Billing
2.2.1
2.3 SMS Spoof Other
2.3.1
2.4 Signalling Providers
2.4.1
2.4.2
3.0 Operator Behaviour

Maximize data collection
Via GSMA: sanctions@gsm.org
Unilateral sanctions
Use Group leverage
Keep it confident
Be persistent

Conclusion

Messaging is a valuable communication channel
MNOs need to protect its integrity and credibility
Requires cooperation of whole ecosystem
High technical and operational readiness
Proper fraud management will return all-around benefits for networks, content providers and subscribers

Thank you!
