This week, Europol issued its Cyber-Telecom Crime Report 2019. The 57-page report, by cybersecurity firm Trend Micro Research and Europol’s European Cybercrime Centre (EC3), states that it was “written to serve as a guide of sorts to help stakeholders in the industry navigate the telecom threat landscape.”
The report is divided into seven principal sections:
- The Perpetrators: This section states that telecom fraud “is increasingly originating in countries normally considered ‘third world’ or failed states” and is “increasingly being used to prop up failing economies.” It cites several factors as drivers of telecom fraud, including “the reduced cost and increased availability of telecom equipment capable of hacking intercarrier trust, the availability of information on the topic, and the flattening (homogenization) of telecom deployments in 4G,” as well as “the overlap of specific economies — the cost of telecom deployments drops due to economic commonalities driven by the need for automation. Examples of these include rising telecom costs, competition from nontraditional telecom providers, and market saturation.” The report also states that the annual cost of telecommunications subscription fraud “is estimated by some to reach up to more than US$12 billion, while others foresee the actual losses to be far greater, estimating it to be between 3 percent and 10 percent of the operators’ gross revenues.” It reviews the principal means of “cashing out” SIM card accounts for the criminals’ benefit, including SIM card billing fraud, customer self-management website accounts, enterprise telecom management, and insider trading.
- Evolution of Telecom Fraud: This section explains the evolution of network operations, from circuit switching to packet switching to “data-switched” networks.
- Threat Model Components for Telecom Crime: This section sets out the threat model components for SIM fraud, device types, network types, telecom application types, and customer application types.
- Threat Modeling Telecom Infrastructure: This section covers SIM card accounts, SMS and premium SMS, trunking (i.e., the establishment of bulk call management routing), roaming, and radio.
- Physical Telecom Infrastructure Attacks Facilitating Telecom Fraud: This section describes significant categories of attacks, such as SIM box fraud, international revenue share fraud, prepaid charging abuse, intermarket/interconnect bypass fraud, tromboning (i.e., modifying a running call to make it faster and better), and reverse bypass fraud.
- Network-Based Telecom Fraud: This section discusses other attacks, such as Private Branch Exchange (PBX) (i.e., a computer responsible for routing revenue-generating traffic) hacking, subscription fraud, wangiri fraud (i.e., use of an automated fraud infrastructure or autodialer that calls many people, and, for each victim who calls that number back, “becomes the originator of the call (and therefore the one who has responsibility to pay for it)”), and voice phishing (“vishing”).
- Noteworthy Real-World Cases of Telecom Fraud: This section presents two cases that have been anonymized and made generic, but that provide details about the approaches the criminals used.
In conclusion, the report notes that
[t]he emphasis at hacker conferences are on the low-risk ease of attacks, the financial revenue from attacks, interesting information learned as a side effect of attacks as all motivators for this uptick in cybertelecom attacks. Additional motivators drawing attention to this class of attack are the very lucrative employment opportunities for individuals with CyTel security/hacking/fraud skills.
The report recommends that telecommunications companies “provide the needed types of support, training, and investment to engage entities like the Europol EC3 CyTel working group.” It notes that intelligence and techniques can be shared in that group “for the greater good,” and that “[n]on-European entities and national law enforcement groups have joined as well, and benefit from the reduced effort and complexity in performing law enforcement actions.” It also touts the importance of cyber-telecom intelligence fusion through three approaches: (1) “the concept of a global telecom network with unified threat intelligence between telecommunications service providers, between law enforcement, and between providers themselves”; and (2) “[o]ther Europol criminology- and intelligence-sharing groups such as Airline Fraud (Global Airline Action Days) and Euro Money Mule Action (EMMA) operations.”
Note: Both information-security and fraud compliance teams should read the report closely – whether to establish or update their understanding of cyber-telecom fraud trends and techniques. The sophistication of many of these techniques makes it all the more important that companies maintain robust cyber-defenses and include key information from the Europol report in internal briefings and training for executives and employees.