Understanding and Detecting International Revenue Share Fraud

Merve Sahin (SAP Security Research), Aurélien Francillon (EURECOM)

Premium rate phone numbers are often abused by malicious parties (e.g., via various phone scams, mobile malware) as a way to obtain monetary benefit. This benefit comes from the ‘revenue share’ mechanism that enables the owner of the premium rate number to receive some part of the call revenue for each minute of the call traffic generated towards this number. This work focuses on International Revenue Share Fraud (IRSF), which abuses regular international phone numbers as the so-called International Premium Rate Numbers (IPRN). IRSF often involves multiple parties (e.g., a fraudulent telecom operator in collaboration with a premium rate service provider) who collect and share the call revenue, and is usually combined with other fraud schemes to generate call traffic without payment. Although this fraud scheme has been around for several years, it remains to be one of the most common fraud schemes, reportedly leading to billions of dollars of losses every year. In this paper we explore the IRSF ecosystem from multiple angles, via: (i) A telephony honeypot that observes IRSF attempts towards an unused phone number range (i.e., a phone number gray space), (ii) A dataset of more than 3 Million test IPRNs and more than 206K test call logs we collected from several online IPRN service providers during 4 years, and finally, (iii) A real- world call data set from a small European operator, involving 689K call records, that we analyze to find IRSF cases. By leveraging our observations from (ii), we propose several Machine Learning features that can be used in IRSF detection. We validate our approach on the dataset in (iii), achieving 98% accuracy with a 0.28% false positive rate in detecting the fraudulent calls.