Forensic Research & Criminology International JournalReview ArticleOpen AccessA study on internet bypass fraud: national securitythreatAbstractVolume 7 Issue 1 - 2019Internet bypass fraud is one of the most complicated fraud types in the recent times.Telecom regulators and mobile operators face a staggering revenue loss since bypassfraud is proving to be the most prolific and costly frauds. The gateway equipmentssuch as fixed, Voice over Internet Protocol(VoIP), Global System for Mobilecommunication(GSM), Code Division Multiple Access (CDMA), VOIP to GSM, fixedline gateway are used to terminate international inbound calls to local subscribers bydeviating traffic away from legal interconnect gateways. Operators sending outboundinternational traffic connect to interconnect operators with lower rates, leading totermination of network operator’s loss of revenue. Bypass fraud is considered illegalsince those who undertake it are not licensed to provide telecommunication services.Bypass fraud is also considered as a national security threat since terrorist groups usethis device to make calls which appears to be a local call. This paper focuses on thestudy of bypass fraud as a National security threat. Further this study also suggests themethods for mitigating such security threat.Kala NIntroductionWhat is Bypass fraud?A call via a legitimate path/route will be bypassed so that thereis a revenue loss.1 Generally for making national or internationalcalls, rates are fixed by regulators in a country or by an individualor group of operators. Bypass fraud is prevalent in countries wherethere is a difference in rates between the retail calling, national callingand international calling. Moreover in some countries, internationalgateways are monopolized by government operators. The fraudstersmake use of difference in rates and ensure that there are enough profitsfor them and serve as the key motivating factor to invest in procuringthe equipments and GSM connections for conducting a large scaleBypass fraud. In countries where the international to nationalterminating charge margins are low, nil or negative, the bypass fraudeither does not exists or is conducted a very low scale. It is one of thelatest and most severe threats to a telecom operator’s revenue. It is anunauthorized exploitation or manipulation of an operator’s network.This can happen in two ways:i. SIM Box Interconnect Fraudii. GSM Gateway FraudSuch methods make fraudsters gain incentives to evade such hightariff interconnects and deliver costly international calls illicitly.Fraudsters use Voice over Protocol – Global System for MobileCommunications (VOIP-GSM) gateways also called as “SIM Boxes”,which are used to receive incoming calls (via wired connections) anddeliver them to a cellular voice network. It appears as if it is througha local call appearing from a customer’s phone. This practice notonly dramatically degrades the network experience for legitimatecustomers violating the telecommunication laws in many countriesbut also extremely profitable for simboxers/fraudsters resulting inrevenue loss significantly.2Cellular networksCommonlyusedstandardSubmit Manuscript rensic Res Criminol Int J. 2019;7(1):31‒35.Assistant Professor &Director, Centre for Cyber Forensics andInformation Security, University of Madras, IndiaCorrespondence: Kala N, Assistant Professor &Director,Centre for Cyber Forensics and Information Security, Universityof Madras, Chennai- 600 005, India, EmailReceived: October 25, 2018 Published: February 06, 2019communication is a set of Global System for Mobile Communication(GSM). Majority of countries such as United States, Europe, Africaand Asia use GSM for mobile communication and is popularly calledas 2G cellular networks and subsequently evolved into UniversalMobile Telecommunications Service (UMTS-3G) and Long TermEvolution(LTE-4G). A smart card called Subscriber Identity Module(SIM) is being used by GSM and it manages the SIM card thatcarries the identity and placed on any device authorized to operateon a carrier’s. Every communication transaction in network iscryptographically authenticated. SIM cloning was prevalent in therecent past which negated guarantee of specific SIM card attribution.Latest advanced technology SIM cards have hardware securityand practical key recovery protections that prevents card cloning.Additionally, GSM standards uses audio codec called GSM FullRate (GSM-FR) which is also frequently implemented in Voice overInternet Protocol (VOIP) software.3Voice over internet protocolVoice over Internet Protocol (Voice over IP, VoIP and IP telephony)is a methodology and group of technologies for the deliveryof voice communications and multimedia sessions over InternetProtocol (IP) networks, such as the Internet. The terms Internettelephony, broadband telephony, and broadband phone servicespecifically refer to the provisioning of communications services(voice, fax, SMS, voice-messaging) over the public Internet, ratherthan via the public switched telephone network (PSTN). There aretwo ways in which clients can complete a VoIP call. Firstly, a callcan be completed exclusively using internet; secondly calls mightalso be routed from/to a VoIP client to a Public Switching TelephoneNetwork (PSTN) through a VoIP gateway. The transport is similar totraditional telephony network. It uses special media codec’s protocolto encode audio and video. Popular VoIP providers are Skype, Vonageand Google which uses both IP-only and IP-PSTN calls. Step by stepprocess for a VoIP is given below:i. VoIP calls are setup using text based protocol called as SessionInitiation Protocol (SIP).31 2019 Kala. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permitsunrestricted use, distribution, and build upon your work non-commercially.

A study on internet bypass fraud: national security threatii. SIP function is to establish which audio codec will be used forthe call.iii. Once a call connection has been established audio flowsbetween the callersiv. It uses Realtime Transport protocol (RTP) for this purposev. This is typically carried over User Datagram Protocol (UDP)vi. There are many codec’s are mandatory, although some areoptional.vii. When GSM-FR is implemented outside of cellular network andsometimes used by VoIP software.SimboxSimbox is a device used as part of a VoIP gateway installation.It contains a number of SIM cards, which are linked to the gatewaybut housed and stored separately from it. A SIM box can have SIMcards of different mobile operators installed, permitting it to operatewith several GSM gateways located in different places. The SIM boxoperator can route international calls through the VoIP connection andconnect the call as local traffic, allowing the box’s operator to bypassinternational rates and often undercut prices charged by local mobileCopyright: 2019 Kala32network operator’s that connects VoIP calls to GSM voice network.It does not use data network. Simbox device requires one or moreSIM cards to wirelessly connect VoIP call to GSM network. A Simboxacts as a VoIP client whose audio input and output are connected to aMobile Phone. These devices have strong market in private enterprisetelephone networks. Such private enterprise use GSM gateways withthe permission of the licensed telecommunications provider and thiscauses to tariff reduction enabling them to pay often at lower costfor terminating a call. However, this is possible and legal only fordomestic calls. It is enabled by Voice over Internet Protocol (VOIP)Global System for Mobile Communication (GSM). The equipmentis called SIM Boxes and the same is illustrated in Figure 1. In thisprocess Simboxing connects the VOIP calls to a local cellular voicenetwork through a collection of SIM cards and cellular radios. Ina normal course the calls will be received by the network serviceprovider and call tariffs will be charged. In Simboxing, calls willbypass the normal course of connection, appearing to originate fromcustomer phone, to a network provider. The calls are delivered at asubsidized domestic rate instead or international rate. Such an activityhas its negative impact availability, reliability and quality of servicefor legitimate consumers. Moreover, it also creates network hotspotsby injecting huge volume of tunneled calls, thereby causing revenueloss to network operators.Figure 1 Simbox.Interconnect bypass fraud using simboxingMost common implementation of interconnect bypass fraud4 isknown as SIM Boxing. Fraudsters use simbox bypass the internationalcalls and make it appear as if it is a domestic call causing revenue lossto telecom operators. There is a high demand for GSM-VoIP gatewaysspanning a wide range of features; numbers of concurrent calls aresupported. Some of them have only limited functionality, whileothers hold several simcards and also supports a variety of audiocodecs in a “SIM server”. Sometimes one or more radio interfacescalls using the “Virtual SIM cards” from the server. This preventslocation based fraud detection. Miscreants, utilize this and commitsthe fraud. The cost of simbox equipment goes upto 200,000 USD. Atypical international call which is routed through a regulated licensedinterconnect is illustrated in the Figure 2. Let us assume client A islocated in India and client B is located in UK. In a typical call, whenclient A is calling client B, the call is routed through the telephonenetwork in India (labeled as “Foreign PSTN core”) to an interconnectbetween client A and client B network in UK. This passes throughclient B’s domestic network (labeled as “Domestic PSTN Core”) andcommunication establishes between client A and client B. If clientA and client B are not in neighboring countries, there can be manyinterconnects and intermediary networks. This is very critical theconnections are heavily monitored for billing purpose and quality.It can be seen that VoIP calls initiated from services such as Skypethat terminates on a mobile phone also passes through regulatedinterconnect. A Simbox call is represented in Figure 3. A Simboxedinternational call avoids regulated interconnect by routing the call to aSimbox which completes the call using the local cellular network. Ina simbox case, client A call is routed through domestic network, butinstead of passing through the regulated interconnect, the call is routedover internet protocol (VoIP) to simbox in the destination country. Indoing so, the simbox places a separate call on the cellular networkin the destination country, then routes the audio from IP call into thecellular call, which is routed to client B through the domestic network.The same is illustrated in Figure 3. The main disadvantage here isneither of end users is aware that the call is being routed through asimbox. This causes a contractual breach of trust between two InternetService Providers (ISPs) who have agreed to route traffic betweentheir networks. The intermediaries own profit from reduced prices.Two types of attack can take place. Firstly, hijacking of internationalcall; secondly, hijacking and re-injecting of an international call.First type has been described above. In the second type, Simboxesre-inject telecom voice traffic into the mobile network masked asmobile customers and operator has to pay for the re-injected calls.5 Ingeneral there are three types of routes that are used in communicationnetworks. They are:i. White Route: both source and destination have legaltermination.Citation: Kala N. A study on internet bypass fraud: national security threat. Forensic Res Criminol Int J. 2019;7(1):31‒35. DOI: 10.15406/frcij.2019.07.00262

Copyright: 2019 KalaA study on internet bypass fraud: national security threatii. Black Route: both source and destination have illegaltermination.33iii. Grey Route: the termination is legal for one entity or country,but illegal for the other end.Figure 2 Typical international call routed through regulated licensed interconnect.4Figure 3 A Sim box international call.4GSM gateway interconnect devicesInterconnect systems, such as gateways, allows voiceinteroperability between otherwise incompatible radio communicationssystems. Interoperability is achieved by retransmitting voice overinterconnected radio subscriber both mobile as well as portableunits. Linking incompatible radio frequency bands and systems canbe relatively easy and effective. Interconnect deployment requiresa new strategy and operational procedures. The gateway approachto interoperability has significant potential, considering the ease ofgateway deployment and relatively low cost when compared to widearea radio system. A gateway is a type of interconnect system. Theycan also connect trunked talk groups, encrypted networks, publictelephone systems, and cellular or satellite phone connections. Mostgateway devices are mobile and portable, but many are used inpermanent configurations.6Interconnect bypass fraud global scenarioAccording to a survey conducted by Communication Fraud ControlAssociation (CFCA), in the year 2015, the revenue loss amounts to 3.77 Billion USD. According to this survey, top 10 countries wherethe fraudulent calls originated, is listed in Table 1. Further surveypoints out the percentage of top five frauds, in which interconnectBypass fraud in network is around 5%, whereas in roaming status,interconnect bypass fraud amounts between 20 – 25%. This can beseen evidently from the following Figure 4. Authorities in US say thatthe hackers were involved in an international crime ring that scammedtelecommunication companies out of an estimated 50million USDin last few years. FBI most wanted list of cyber criminals havebeen arrested by authorities in their native Pakistan. Serbian Policecracks down on illegal SIM Box Scheme. According to Serbia’sinterior Ministry in cooperation with the special department of cybercrime of Prosecutor’s Office and the Ministry of Interior Macedoniahave identified miscreats using Simboxes to bypass internationalcommunications via VoIP and making low-cost calls in Serbia. Morethan 40,000 SIM cards were found in Macedonia of mobile operatorsfrom Serbia, Croatia, Slovenia, Albania, Bosnia and Herzegovina.There are incidents in Ghana where the fraudsters connived withpartners abroad to route internet calls via VoIP to make it appear asif the call is a local one. Even. The seized Simcards and connectingdevices are illustrated in Figure 5. There has been incidence whereeven women have been arrested for alleged simbox fraud.7Table 1 Country wise fraudulent calls in percentage based on call origin.CountriesFraudulent calls percentageUnited %Somalia3%United Kingdom2%Dominican Republic1%Egypt1%Figure 4 Seized sim cards and simbox.Citation: Kala N. A study on internet bypass fraud: national security threat. Forensic Res Criminol Int J. 2019;7(1):31‒35. DOI: 10.15406/frcij.2019.07.00262

Copyright: 2019 KalaA study on internet bypass fraud: national security threat34Figure 5 Percentage comparison of Simbox fraud in network vs. roaming.5Interconnect bypass fraud Indian scenarioii. Simbox detection using Fraud Management systems (FMS)Recently, in India, a techie has been arrested for operatingtelephone exchange for a Pakistan spy. According to the sources theUttar Pradesh8 Anti-Terrorism squad have busted an illegal telephoneexchange and spying racket causing national security threat. This acthas been committed by a software engineer from south Delhi and tenothers from Lucknow and other parts of UP. The exchanges were notonly making lakhs of rupees by routing international calls bypassingthe legal gateways. These systems were used for Pakistan’s InterService Intelligence (ISI) to call Army officials to elicit informationfrom them. The racket was busted after the defence ministry andArmy alerted the military intelligence in Jammu & Kashmir. ISI hasbeen spying over and innocent victims have been sharing information.Intelligence officials unearthed the racket and found illegal networkwas using Simbox to carry out their spying activities. The callersbased in Pakistan, Bangladesh made calls using VoIP through Simboxand connected to receivers in India. The receivers in India could onlysee Indian numbers on their phone screens. The law enforcementauthorities have recovered 16 SIM BOX units, 140 prepaid cards,10 mobile phone and 28 data cards and five laptops. The SIM Boxrecovered from the suspects is illustrated in Figure 6.iii. Unusual flows and volumesiv. Unusual called number spreadsv. A-typical traffic peaks for on-net trafficvi. Many SIM card identities (IMSIs) to a single equipmentidentity (IMEI)vii. Use of only one cell siteviii. An absence of SMS, data or roaming service useHybrid analysis: Call generation providers and FMS toolsproviders collaborate to pool their alerts in order to more efficientlydetect the characteristics described above.i. Network traffic analysisii. Call Data Record (CDR) Analysisiii. Features extracted from CDR data are utilized to build adecision tree that can be used to distinguish between legitimateand Simbox accounts.Features include: total number of outgoing calls, incoming calls,number of SMS originating and SMS terminating, total number ofhand over and the total number of different location.9AmmitSimbox detection tool focuses on loss rate and simbox codec.Moreover, simbox detection based on measurable differencesbetween true GSM and tunneled VoIP audio. Ammit is the first systemto combat simboxing using call audio.10Mocean simbox detectorThe detection of Simbox tracks the calls based on caller lineidentification.11Figure 6 Simbox recovered from Accused.5Countermeasures for interconnect bypassfraudMost common approaches to detect Bypass fraud are:i. Bypass route detection through call generationStatistical profiling systemIdentification based on monitoring complex call patterns includingoutgoing call count, distinct destinations ratio, cell sites used,incoming to outgoing call ratio and so on. It is also called statisticalprofiling based detection. Other type of detection mocean Simboxdetector which has capabilities to distinguish between the normalinternational call traffic path and simbox bypass international trafficpath.Citation: Kala N. A study on internet bypass fraud: national security threat. Forensic Res Criminol Int J. 2019;7(1):31‒35. DOI: 10.15406/frcij.2019.07.00262

Copyright: 2019 KalaA study on internet bypass fraud: national security threatFraud management system (FMS)FMS system includes the following detection systems:i. Traffic analysisii. International Mobile Subscriber Identity (IMSI) number/Integrated Circuit Card ID (ICCID) series analysisiii. International Mobile Equipment Identity number.12ConclusionTelecommunication networks in developing nations rely uponthe tariffs collected through regulated licensed interconnects in orderto subsidize the cost of their deployment and operation. FraudstersBypass the legal connection and commit fraudulent activity usingsimboxes by tunneling traffic from VoIP connection into a genuinenetwork unauthorized way. In this study an attempt has been made toidentify the different ways interconnect bypass occurs. Further, thisstudy has also identified the different devices used to commit suchfraudulent activity. Moreover, a comparison between the currentscenario from global perspective and Indian perspective has beenmade. Focus has been made to identify how the antisocial elementand miscreants use such methodology and cause a national securitythreat across the globe. Finally, different fraud management systemsthat are currently in vogue have been discussed.13AcknowledgmentsNoneConflicts of interest35References1. Alphabet revenues rise 22% in Q4 marked by record contribution fromGoogle Other, higher expenses. 2019.2. Subex-telecom-fraud-alerts.3. Telecom fraud - introduction, types & solutions.4. Bradley Reaves. Boxed Out: Blocking Cellular Interconnect BypassFraud at the Network Edge. 24th USENIX Security Symposium. 2015.5. Ilona Murynets. Analysis and Detection of Simbox Fraud in MobilityNetworks. 2015.6. MOCEAN. SIM –Box Detector. 2015.7. Woman arrested for alleged SIM Box fraud. 2016.8. Uttar Pradesh ATS busts international call racket spying on Army units,11 arrested. 2017.9. Simbox product. 2015.10. Fighting SIMBOX Fraud: We will root out simbox fraud in GhanaAfriwave. 2015.11. Techie Arrested For Operating a Telephone Exchange for Pakistan’s SpyAgency in Delhi. 2016.12. Mahmood A Khan, Syed Yasir Imtiaz, Mustafa Shakir. AutomaticMonitoring & Detection System (AMDS) for Grey Traffic. Proceedingsof the World Congress on Engineering and Computer Science 2015 VolII WCECS. 2015.13. Mueller’s prosecutor tipped CNN off to armed FBI raid – Roger Stone’slawyer. 2019.The author declares that there are no conflicts of interest.Citation: Kala N. A study on internet bypass fraud: national security threat. Forensic Res Criminol Int J. 2019;7(1):31‒35. DOI: 10.15406/frcij.2019.07.00262

bypass the normal course of connection, appearing to originate from customer phone, to a network provider. The calls are delivered at a subsidized domestic rate instead or international rate. Such an activity has its negative impact availability, reliability and quality of service for legitim