SMS FRAUD

• Tweet

• Tweet

SMS Fraud is growing rapidly and is becoming a significant issue for all GSM Operators. Nowadays GSM operators are facing numbers of issues related to SMS problem such as Spamming, Spoofing, Fake SMS and illegal use of SMSC Address. Fraud SMS cause :

• Revenue leakage due to faked SMS traffic and SMS spoofing.
• Unpredictable loads on the network due to SMS flooding.
• Increasing Complaint from Mobile subscriber due to SMS Spamming.

Please register to download this file. Its Free
  Basics of SMS Fraud (552.4 KiB, 426 hits)

GSM Association official document IR.70 defines each SMS fraud case and their technical aspects. Another GSMA document lists a number of criteria that can identify where an Operator is suspected of fraudulent activity with regards to SMS Fraud Faking & Spoofing.

SMS FRAUD DETECTION AND IDENTIFICATION:

SMS are SS7 signaling messages, which can be monitored with Signaling Surveillance Systems. For SMS Fraud detection two points in the wireless network have to be monitored:

• International SCCP/MAP gateway (IGP).
• The MAP interface to the SMS Center (SMS-C).

So it can be done at the STP (signaling transfer point) by using signaling surveillance system because STP is interfacing SMS-C with external (other than HPLMN) network nodes.

SMS Fraud can be identified primarly by high level survey then low level SS7 message examination which inludes :

Volume Analysis of SMS

• Incoming SMS versus Outgoing
• Frequency Analysis – looking at variations over time

SS7 Message Examination

• Unused MSISDN or IMSI
• Inconsistencies between protocol layers
• Unusual structure or data
• Incomplete transactions

SMS FRAUD CASES:

GSMA document IR.70 defines following 5 cases of SMS fraud :

• Spamming Case
• Flooding case
• Faking Case
• Spoofing Case
• GT Scanning

SMS SPAMMING:

Spamming is an action where the subscriber receives an unsolicited SMS. As an unsolicited SMS, the subscriber did not request to receive this message. The act of spamming does not define the content but only the fact that the SMS was received without solicitation. The content of the spam SMS is incidental to the act. The spam SMS may take on various forms of content to include: commercial information, bogus contest and other message generally intended to invite a response from the receiver. It is important to note that the SMS could be sent from a valid originator and may be correctly billed to the sender.

Technical Aspect : In the Spamming case, there are no specific technical aspects. The spamming Originator could be a single person, a commercial company or a mobile operator.

SMS FLOODING :

When a large number of messages are sent to one or more destinations the act is called SMS flooding. These messages may be either valid or invalid. The value or parameter used to define flooding is the extraordinary number of messages sent. The flooding parameter is compared to the average or normally expected load, and the expected peak value of a selected message flow. When the parameter is unusually high, without other explanation, then this is considered ‘flooding’.

Technical Aspect : The sending of the messages in a case of ‘flooding’ is within the normal methods of sending messages. Consequently, there is no specific technical aspect for this case.

SMS FAKING :

A fake SMS is originated from the international C7 Network and is terminated to a mobile network. This is a specific case when SCCP or MAP addresses are manipulated. The SCCP or MAP originator (for example: SMSC Global Title, or A_MSISDN) is wrong or is taken from a valid originator.

Technical Aspect : The delivery of a Mobile Terminated SM is in two parts –

1. The SMS-C uses the destination MSISDN to address a MAP message <Send Routing Information for Short Message>, to the Home Location Register (HLR) for that customer to find out whether the MSISDN is valid, can receive SMS, and if so, to determine the current switch (MSC) that the destination user is registered on. The HLR responds to the SMS-C with the information.
2. The SMS-C sends the actual text of the SM to the currently registered MSC and a MAP message <Forward Short Message>. The MSC responds to confirm the message was delivered, and generates a CDR containing all relevant information including the SMS-C address.

In the faking case, the first part is done exactly as described above. However, the second part is changed so that the source address in the MAP message <Forward Short Message> is changed, often to someone else’s SMS-C address. The manipulation of the SMS-C address causes any inter-PLMN SM accounting to be in error, and means that any policing against the apparent Spam generator harms innocent parties and is ineffective against the real Spam generator.

The faking of the source address in the SCCP called party Global Title and the Service Centre Address in the MAP message <Forward Short Message> whilst having the correct equivalent address in the MAP message <Send Routing Information for Short Message> is impossible without considerable efforts by the technical staff running the SMS-C. In other words, it does not happen either by accident, faulty configuration data or as the result of raw text messages received from the Internet. It happens because in most cases it requires a software patch on the SMS-C. Therefore; any instances of this happening are as the result of direct action by SMS-C staff, and probably in conjunction with assistance from the staff of the Associated PLMN.

SMS SPOOFING :

The spoofing case is related to an illegal use of the HPLMN SMS-C by a third party. In this case, a SMS MO with a manipulated A-MSISDN (real or wrong) is coming into the HPLMN network from a foreign VLR (real or wrong SCCP Address).

Technical Aspect :

• To a HPLMN point of view, one subscriber is roaming and sending a SMS. In fact, this is not a real subscriber; the message is not sent by a real mobile but is generated from a specific system with a C7 application.
• The A-MSISDN being used may in fact be real or not depending on the screening in place in the HPLMN SMS-C (Screening on CC+NDC or No A-MSISDN screening in place).

GT SCANNING :

The GT scanning is the fact to send SMS MO to all Global Title address from one mobile operator in order to find unsecured SMS-C (SMS-C that are not controlling the A number).

Technical Aspect :

• Multiple SMS Forward SM Submits are received, generally, from the same mobile MSISDN with the Called SCCP Address and Service Centre Address incremented on each attempt. It would  appear that individuals using a mobile with a computer connection are instigating these scans.
• The easiest of these scans to spot are sequential in nature scanning 10,000 GT at a time. It has also been seen randomized scans, though on sorting the data it is clear that blocks are being scanned.
• This type of messaging is picked up in normal statistics in monitoring expected and unexpected combinations of direction, GT and message type.
• There can be no valid reason for such scanning of networks other than locating unsecured SMSC. With simpler computer integration with mobiles and SMS emulation software readily available this type of activity is likely only to increase. It would be desirable for such activities to be reported to the Home PLMN of the originating MSISDN in order to have service removed.