PRISM IRSF TEST NUMBER DATABASE - The most effective IRSF detection tool available.

The PRISM International Revenue Share Test Number Database was initially made available in August 2013 to a number of CSPs on payment of a modest annual subscription.

From analysis of call records associated with IRSF incidents, it became apparent that most attacks were preceded by test calls, made to confirm that a country and number range could be reached from the device the fraudster was using and from the country he was calling from. These test numbers were generally taken from a schedule of test numbers available from an IPRN Reseller's website or rate card. Once calling availability is confirmed, the fraudster applies to the IPRN Reseller for one or more numbers to use for his IRSF activity. There would typically be a delay of between 30 minutes and 24 hours between the test numbers being called and the IRSF ‘call pumping’ activity starting.

Recognising the value of these test numbers as an early warning of an IRSF attack, Yates Fraud Consulting Limited initiated a project to analyse IRSF call records to test the value of using test numbers as an indicator of a new or pending IRSF attack. YFCL then worked with FRSLABS (www.frslabs.com) and developed PRISM as a database of all known IPR Test Numbers that were available from IPRN Resellers. This database was initially made available to CSPs in mid-August 2013, and at that time contained 17,000 test numbers which had been obtained from 60 IPRN Resellers. Those CSPs using PRISM very quickly realised its value and PRISM has now become a critical component of their anti-fraud strategy.

Since August 2013, PRISM has continued to be improved by YFCL and FRSLABS and as at June 2018, it now contains over 1.15 million IPR test numbers from 221 countries, sourced from monitoring over 160 IPRN Providers, along with other sources of information. These numbers are constantly being changed by some IPRN Providers, so YFCL and FRSLABS are updating the PRISM numbers every 2 weeks to ensure these remain current, typically adding between 75,000 and 100,000 new numbers to the database every month.

The quantity of IPR numbers being provided for use each month by the IPRN Providers continues to increase, and between June 2017 and May 2018 the numbers have increased from 122,491 to 299,686, an increase of 145%.

PRISM is now being used by around 60 Communication Service Providers including some of the largest mobile operators in the world, other Mobile and Fixed network operators, MVNOs, VoIP Operators and OTT Service Providers. All users of PRISM now regard the early warning the database provides of a new or pending IRSF attack as a critical component of their Fraud Management strategy, with most crediting PRISM for detecting between 75 and 80% of their IRSF attacks. We are frequently asked by non-PRISM users to assess what value PRISM could have provided in detecting IRSF attacks they have suffered. A recent example (May 2018) where a carrier wished they had implemented PRISM earlier is as follows:

The victim in this case is a provider of Fixed, Mobile and Broadband services. Following some network maintenance in May 2018, their network firewall was not secured adequately after the work was completed. This vulnerability was discovered by a hacker/fraudster and exploited.

Through this unauthorised access, the Fraudster/s discovered the office PBX along with the ability to dial out using their Directory Assist number. The Fraudster started making IRSF calls at 7.00am on a Saturday morning, and continued making multiple calls through the weekend until the fraud was discovered the following Tuesday morning. The compromised network access was then secured. During this 4-day period, over 14,250 calls were made to 37 Countries, with most (almost 14,000) terminating on the Belarus country code.  

Had PRISM been used by this CSP, and they had a procedure in place to receive and react to fraud alerts over a weekend, then there is no doubt that this IRSF attack would have been detected before the fraudster/s had the opportunity to make use of this PBX vulnerability for more than one hour.

Of the 14,250 calls made, most to known IRSF destinations, there were 562 unique numbers called in 37 destination country codes. Almost 14,000 of these calls were to 336 Belarus numbers. All 562 called numbers were checked against the PRISM database, and 371 of these (66%) were an exact match. An additional 103 called numbers (19%) were matches to the last digit, with many of these being a continuation of a range which had been matched in the ‘100% match’ category.

It should be noted that some of the countries called are not considered a high risk for IRSF, and it is unlikely that these destinations would be receiving any targeted monitoring through a CSP’s FMS. However, had PRISM been utilised by this Operator, every call to the 371 numbers that were a 100% match with a PRISM number would have generated a fraud alert.

With multiple calls to many of these numbers, a total of 759 fraud alerts would have been generated from a PRISM number match, during the 4 days of this fraud. Over 20 of these would have been generated during the first hour of the fraud. Had these alarms been generated, and investigated, a further 6375 calls would have been identified as a partial match with PRISM (to the last digit).

Further analysis of PRISM discovered that 304 of the numbers that generated an exact match between the IRSF and the PRISM numbers, along with another 41 of the partial numbers (61% of the total), had been advertised by two known IPRN Providers, so it is likely these two have provided the numbers used in the attack. This is valuable information to support any LEA investigation.

The losses associated with this attack could have been prevented through a very small investment in this valuable fraud prevention tool. Most PRISM customers acknowledge that they have recovered more than the annual access cost to PRISM through the first IRSF case detected. 

For further information on PRISM go to the White Pages TAB and open the PRISM Introduction and PRISM FAQ files. 

PRISM 'WILDCARD' DATABASE

In addition to PRISM, a second database has been developed to capture the number ranges these 1.15 million numbers represent, by replacing the last 2 digits of each PRISM number with wildcards. This 'Wildcard' database contains over 7 million numbers and has become a valuable detection tool for Wangiri Fraud, recognizing that most IRSF or Wangiri Fraud attacks will utilize a range of numbers made available to fraudsters.
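The three kinds of match described on this page (exact, "to the last digit", and the last-2-digit wildcard range) can be sketched as a B-number hotlist check over call records. This is an added example, not code from PRISM or the PRISM Client; it assumes digits-only hotlist entries, `00` as the international dialling prefix, and that a "last digit" match means every digit except the final one agrees. All numbers and records are constructed.

```python
import re

# Constructed hotlist of test numbers ("999" is not an assigned country code).
# A real deployment would load the subscribed B-number hotlist instead.
HOTLIST = {"9995550101", "9995550102", "9995557710"}

# Constructed call records: (timestamp, A-number label, dialled B-number).
CDRS = [
    ("2024-01-06T07:00:12", "pbx-ext-201", "+999 555 0101"),  # on the hotlist
    ("2024-01-06T07:03:40", "pbx-ext-201", "009995550107"),   # last digit differs
    ("2024-01-06T07:09:05", "pbx-ext-201", "9995557755"),     # last 2 digits differ
    ("2024-01-06T07:15:30", "pbx-ext-305", "9994440000"),     # unrelated range
]

def normalise(number):
    """Reduce a dialled number to bare digits, dropping an assumed 00 prefix."""
    digits = re.sub(r"\D", "", number)
    return digits[2:] if digits.startswith("00") else digits

def build_index(hotlist):
    """Pre-compute exact, minus-last-digit and minus-last-2-digits sets."""
    nums = {normalise(n) for n in hotlist}
    return nums, {n[:-1] for n in nums}, {n[:-2] for n in nums}

def classify(b_number, index):
    """Return 'exact', 'last_digit', 'wildcard' or None for one dialled number."""
    exact, minus1, minus2 = index
    b = normalise(b_number)
    if b in exact:
        return "exact"
    if b[:-1] in minus1:
        return "last_digit"
    if b[:-2] in minus2:
        return "wildcard"
    return None

def scan(cdrs, hotlist):
    """Return one alert per matching call, in time order, with its strongest match."""
    index = build_index(hotlist)
    alerts = []
    for ts, a_no, b_no in sorted(cdrs):
        kind = classify(b_no, index)
        if kind:
            alerts.append((ts, a_no, normalise(b_no), kind))
    return alerts

if __name__ == "__main__":
    for alert in scan(CDRS, HOTLIST):
        print(*alert)
```

Normalising before lookup matters because the same B-number can appear in call records with `+`, `00` or spacing, and an un-normalised comparison would miss the exact match.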

PRISM NEW NUMBERS DATABASE

Some users prefer to download only the new numbers located each fortnight, so a separate download function is provided to download only the new numbers - numbers that are not already in the database.

PRISM CLIENT

Any CSPs that wish to subscribe to PRISM, but do not have the benefit of an in-house Fraud Management System or other Fraud Monitoring Tool, should follow this link 'Information on PRISM Client' for information on this tool, which has been developed by FRSLABS specifically for analysing call records against the PRISM database. The PRISM Client has in-built code to identify Test Calls and IRSF traffic based on the A-NO used for Test Calls and the Devices used by the A-NO when making the test call. This is in addition to the smart rules filter, which will generate an alarm once a Test number is called, with additional alarms when further calls to high risk destinations are completed. We are also able to recommend other low cost FMS Providers if a system is required.

While other providers of IPRN databases are starting to enter the market, PRISM is without doubt the most complete and proven IPRN Database available, and does not require the purchase of any other vendor-specific solutions to support it. PRISM can be used in association with any in-house or vendor-supplied FMS, provided it has the ability to manage a 'B' number hotlist.

YFCL is the owner and inventor of PRISM; however, it is now also being made available by other selected vendors.

For further information on PRISM, click here for the PRISM FAQ document or complete the Contact form for further information