Intelligent Solutions

Which one number do 95% of VoIP attackers dial?

Simon Woodhead

Simon Woodhead

15th December 2015

It is some time since we published our VoIP Fraud Analysis in 2013 so an update is overdue (and coming). In there we introduced the notion of “test numbers” – innocent looking ordinary landline numbers that the bad guys dial to test they have a valid compromise of your or your customers’ equipment.

Calls to these test numbers precede an actual attack and at the time were completely unknown to the commercial feeds and generally overlooked in the subsequent attack. But we knew that if they were blocked, the victim compromise wasn’t proven. The good news then was that we knew these from our extensive research and they were blocked across the network, regardless of how customers do or don’t configure the dozens of other fraud controls. As far as we can tell, we’re still alone in identifying these and there are surprisingly few of them.

The way our original honeypot works is pretty simple and whilst the data it provides is really valuable we felt the need to update it. We’ve proto-typed its replacement and for want of a better description have ‘gone large’! We’ll be talking about what this means and how you can use the data produced early next year but today we wanted to revisit the idea of these test numbers.

The test numbers are hidden in plain sight by prefixes of varying length and complexity. The bad guys cycle through batches of 1000 different prefix combinations to find one that works with the victim, even if that turns out to be no prefix at all. Stripping these off is an imperfect science but in the prototype we’ve made it far more dynamic in order to arrive at a real-time list of active numbers rather than trying to determine them after the event.

We’re pretty pleased with the results! 95% of the attacks seen on the network today have dialled just one number. The other 5% have dialled two more. That’s amazing isn’t it? Of course there’s thousands and thousands of combinations of differing lengths but they boil down to just three numbers.

In previous years we’ve tried to remind customers to configure fraud settings if they hadn’t already, given the propensity for attacks during the quiet Christmas hours. You can see our 2013 post “4 quick ways to help stay safe from VoIP fraud this Christmas” to implement just some of our unique features in time for the festive season.

This year, we wanted to remind you of our tangible efforts in this space and what they mean for your business. Anybody can claim fraud protections but the proof is in it saving you and your customers money. This Christmas, when you’re rightly away from work, you have a choice between marketing hype or tangible protections based on many years of research. Enjoy an extra roast potato safe in the knowledge that any calls on your account to these test numbers will be blocked in real-time by us. We won’t simply tell you after the event how much you’ve spent!

Related posts