
Collaborative, Open Source, Agnostic Call Analytics and Fraud Analysis


Nir Simionovich, CEO
Greenfield Technologies Ltd
Don’t be a fraud Ostrich
Nir Simionovich, Chief Architect
The Humbug Project
/usr/share/doc/fraud/PRIMER
The issue at hand:
“Global loss of $80 billion per year, making telecom
fraud a bigger business than international drug
trafficking” – CFCA Report 2009
• Phoenix-based Communications Fraud Control Association (CFCA)
estimates the annual telecom fraud losses worldwide to be in the
range of $72-80 billion U.S. dollars in contrast to the organization’s
previous (1999) estimate of $12 billion
• More CFCA 2009 survey numbers:
• 4.5% revenue leakage on average
• 91% said global fraud losses increased or stayed the same
• 78% said fraud trended up or stayed the same in their Company
/usr/share/doc/fraud/PRIMER

CFCA Fraud Losses By Category - 2009


/usr/share/doc/case/religious-npo
• During the course of Yom-Kipur 2009, one of
Israel’s well established religious NPOs had
suffered a fraud attack on their PBX system
• Yom-Kipur is the Jewish day of penance, during
which, Jewish people don’t work, don’t browse
the Internet and specifically don’t talk on the
phone (apart from emergencies)
• It is fairly logical to assume that during Yom-
Kipur, an NPO’s PBX system, specifically a
religious one will not initiate calls
/usr/share/doc/case/religious-npo
• A malicious user was able to register to the PBX
remotely
• Later investigation showed repetitive password
patterns and open UDP ports on the firewall
• During the 26 hours of the Yom-Kipur holiday,
the PBX system was defrauded
• The total fraud racked up to:

$ 24,000 !!!
/usr/share/doc/case/religious-npo
• During the course of Yom-Kipur 2009, multiple
PBX systems were compromised in the same
manner
• Most of these systems were installed by the
same Asterisk integrator – distributing their own
brew of PBX system (Asterisk+FreePBX+Gentoo)
• Capital loss to organization during Yom-Kipur
2009:

Over $200,000 !!!


/usr/share/doc/case/IP-Centrex
• During April 2010, an IP-Centrex provider in the
north of Israel suffered an attack
• Platform was based on Elastix and VMware
• A poorly configured voicemail system enabled
users to dial back from the voicemail
• During a period of almost 3 weeks, over 25
different VMs were compromised – each PBX
suffered ~$2000 worth of fraud

Over $55,000 !!!


/usr/share/doc/case/Services-Call-Center
• During September 2010, a call center
suffered severe losses due to a hacked FreePBX
installation
• The installed platform included a way to modify
configuration files by hand and then apply them
• Due to an integrator-provided backdoor, the
attacker was able to create a new context and SIP
user, then pass calls with NoCDR(), leaving no
CDR records saved

Over $22,000 !!!


/usr/share/doc/case/summary
• While the carriers involved were capable of
identifying the fraud, the information had been
relayed to the customer only 24-48 hours later
• All customers were required to pay the fees of
the fraud
• When analyzing the fraud attack, several key
elements were identified:
/usr/share/doc/case/summary
1. Attacks occurred in a defined time frame
during the day
2. The attacks had originated calls to similar
destinations: Swiss Mobile and Belgium
Mobile
3. The attacks were done in short bursts of
traffic, then a large amount of traffic following
4. One attack originated from China, the other
one from the Palestinian Authority and one
from Turkey (based on IP addresses)
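
The patterns listed above, as an added detection example (not part of the original slides and not Humbug's code): it flags calls placed in a window when the PBX should be silent, and hours where a small burst to watched destinations precedes a larger one. The CDR rows, the quiet window, the prefixes and the thresholds are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Assumed, not from the page: E.164 prefixes for Swiss/Belgian mobile, thresholds.
WATCHED_PREFIXES = ("417", "324")
PROBE_MAX = 3  # up to this many calls in one hour is treated as a probe burst
RAMP_MIN = 4   # this many or more in the following hour is the ramp-up
# Constructed quiet window (26 hours) in which the PBX should place no calls.
QUIET = (datetime(2009, 9, 27, 17), datetime(2009, 9, 28, 19))

# Constructed CDR rows (start,src,dst,billsec); not real traffic.
SAMPLE_CDR = """\
2009-09-27 10:15:00,201,97235550100,120
2009-09-27 22:05:10,299,41795550001,4
2009-09-27 22:05:40,299,32475550002,5
2009-09-27 23:01:00,299,41795550003,610
2009-09-27 23:03:00,299,41795550004,598
2009-09-27 23:07:00,299,32475550005,602
2009-09-27 23:12:00,299,32475550006,615
"""

def parse_cdr(text):
    """Yield (start, src, dst, billsec) tuples from CSV text."""
    for start, src, dst, billsec in csv.reader(io.StringIO(text)):
        yield datetime.strptime(start, "%Y-%m-%d %H:%M:%S"), src, dst, int(billsec)

def quiet_window_calls(rows, window=QUIET):
    """Calls placed while the PBX is expected to be silent."""
    return [r for r in rows if window[0] <= r[0] < window[1]]

def probe_then_ramp(rows):
    """Hours where a small burst to watched prefixes precedes a larger one."""
    per_hour = Counter(
        start.replace(minute=0, second=0)
        for start, _src, dst, _sec in rows
        if dst.startswith(WATCHED_PREFIXES)
    )
    nxt = timedelta(hours=1)
    return [
        (hour, n, per_hour[hour + nxt])
        for hour, n in sorted(per_hour.items())
        if n <= PROBE_MAX and per_hour[hour + nxt] >= RAMP_MIN
    ]

if __name__ == "__main__":
    rows = list(parse_cdr(SAMPLE_CDR))
    print(quiet_window_calls(rows), probe_then_ramp(rows))
```
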
/home/humbug/Pictures/i-have-a-dream
/home/humbug/fraud/in-the-future
1. PBX owners will be alerted of fraud attacks as
they are happening
2. PBX owners will no longer be at the mercy of
their carriers
3. PBX owners will share information
around the world, shortening the time
required to identify fraud
4. PBX owners will not be required to pay an arm
and a leg to monitor their PBX losses
5. Open Source analytical engines will replace
platforms like cVidya and ECtel.
/home/humbug/fraud/in-the-future

PBX Owners will use:

http://www.humbuglabs.org
/usr/share/doc/humbug/ABOUT
• Founded 2009
• Collaborative, Open Source, Agnostic expense
assurance and call analytics for your PBX
• Topographical fraud analysis and voice traffic
measurement
• As our data networks grow, our ability to detect
anomalies and fraud patterns increases
• Completely secured and encrypted data storage !
• First community RC1 planned for 14/11/2010 !
/usr/share/doc/humbug/SAAS
• Initially, Humbug is delivered as a SAAS for
Asterisk based systems
• Connectivity to the SAAS is available through an
encrypted API
• The connecting client is fully open sourced
• Currently correlating over 500,000 records per day
• Currently servicing PBX owners, Tier-3
operators and an MVNE
/usr/share/doc/humbug/SAAS-ARCHITECTURE
[Diagram: United Kingdom, Israel, United States; Encrypted API; Analytical Web GUI; Cloud API Cluster; Database Cluster]
/usr/share/doc/humbug/FRAUD-FACTS
• Fraudsters are becoming more and more
resourceful
• Fraudsters are caught when they become greedy
• Greed (or plain capital shortage) can turn an
integrator into a fraudster – it’s very tempting
• In order for a fraud attack to be successful across
the globe – it requires great resources from the
fraudster
• Always expect fraud to originate from the least
expected source
/usr/share/doc/humbug/SAAS-Facts
• Humbug is not a fail-2-ban or security system – it is
a monitoring system. Your IT security is up to you!
• It is fairly complicated to identify small scale fraud,
however, when utilizing multiple sources the
patterns emerge.
• Fraud is usually based on long distance fraud or toll
fraud – repetitive patterns can be observed across
the network
• We trust no one – fraudsters hook up their systems
to our SAAS – trying to increase noise/signal ratio
/usr/share/doc/humbug/ROADMAP
• Initial services include Analytical Engine services
• Initial community release includes the Analytical
Engine
• SAAS based Fraud Analysis offering is planned for
Q2 2011
• CPE based licensing for Fraud Analysis is planned
for Q4 2011
• SAAS users will be offered telephony fraud
insurance services – planned for Q3 2012
/usr/share/doc/humbug/QUESTIONS?

http://www.humbuglabs.org
/usr/share/doc/humbug/CONTACT
Nir Simionovich
nirs @ humbuglabs.org
nirs @ greenfieldtech.net

http://www.humbuglabs.org
http://www.greenfieldtech.net
http://www.simionovich.com
http://www.asterisk.org.il
