Menu

Threat Intelligence

Threat Intelligence Services

- Advanced Security and Threat Intelligence Services and Research

- Correlation and analysis of over 30 billion dark data events a day

Security & Privacy

Signalling Protection

Securing core infrastructure and services

- SS7 Signalling Protection

- Diameter Signalling Protection


Messaging Security

Resolving complex messaging security problems

SPAM & Phishing

Revenue Assurance

Messaging Revenue Protection

SMS Grey Route and SIMBOX protection

- secures wholesale SMS revenues

- prevents revenue loss to International, National and SIMBOX Networks

The AdaptiveMobile Blog

Ireland’s Call , Careful Now

There has been a surge of reports recently in Ireland about missed calls being received by Irish mobile phone users, who then ring back these numbers generating the missed calls and are then charged large amounts of money. What is happening here is a form of mobile fraud called Wangiri, and the goal here is to social engineer/trick people into ringing back these numbers, causing their account to be deducted several euros at a time.

 

Wangiri

Wangiri is a Japanese word that literally means ‘one ring and cut’. Initially used to describe a form of communication using number of ring-tones, it now means specifically this kind of fraud. As could be guessed from the name, a fraud type based on this seems to have been first used and reported in the early 2000’s (2002) in Japan. How the scam works is as follows:

  1. the fraudsters will initiate thousands of calls, often to random target numbers.
    • The number that is displayed as being the dialling (originating) number is normally a foreign phone number, which is unknown to the owner of the target number
  2. The fraudster will cease (cut) the call immediately after it rings

    • If a recipient is fast enough to answer the call in this initial ring period they will hear silence or sometimes a meaningless pre-recorded message like “You are on hold for the finance department”
  3. For a certain percentage of people, due to curiosity or habit, will see this missed call and dial it back, at this point they will be charged money for making this call (and staying on it) and the fraudsters will receive a % of this money.

    • This percentage of people that rings back is called the callback rate, and fraudsters will try to maximise this as much as possible

The originating number that will appear in the missed call is normally a number in a foreign country, and crucially, this is a Premium Rate Number (PRN) or some other high-cost number. A PRN is a number billed at a different rate to ordinary numbers, normally much higher, and this money comes directly from the victim who makes the call back to it.

Example volume of received Wangiri calls by Irish Mobile Subscriber

In these cases, the fraudsters have obtained (through legal or illegal means) ranges of Premium Rate Numbers in countries around the world, ensuring that they get a percentage cut of the money that accrues to these numbers when people dial them. One technical fact most don’t realise is that the calling number displayed – the Premium rate number - doesn’t actually mean that the phone ringing you is in that country. i.e. even though the number you receive says it is in Liberia (+231), this does not mean that a phone in Liberia is ringing you.  In most cases the Fraudster will have connected to systems that allows them to dial remotely and set these PRN numbers as the dialling party. This allows the fraudster to cycle through different Premium Rate Number ‘ranges’ over time, and can make blocking after the fact quite difficult.

 

Camscéim Aisghlaoch

There have already been a few incidents of Wangiri calls in Ireland in 2017, however, this latest attack over the last few days seems to have been of particularly high volumes. Basing it on our own experiences (AdaptiveMobile Ireland personal) up to 30% of Irish numbers could potentially have been affected. If this is repeated throughout the country it would be an enormous volume of call requests, and initial news reports do indicate that it was indeed at an unprecedented scale.

More typical, is that the calls seem to be using a range of numbers from several different countries. In Ireland, over the last few days, Wangiri calls with numbers from the following countries have been reported:

  • (+43) Austria
  • (+212) Morocco
  • (+216) Tunisia
  • (+231) Liberia
  • (+235) Chad
  • (+247) Ascension Island
  • (+252) Somalia
  • (+269) Comoros

Map of Origin of Callback Numbers used in Recent Wangiri Attacks

And there is highly likely to be others. The recent attack ins the last week are not an isolated attack however, in the past few weeks PRNs from several other countries including:

  • (+678) Vanuatu
  • (+381) Serbia
  • (+676) Tonga
  • (+222) Mauritania
  • (+248) Seychelles
  • (+674) Nauru

had been reported in an earlier ‘wave’. This use of multiple country ranges over time is to be expected. As explained earlier, it’s not that the Wangiri calls are actually coming from these countries, but that ranges from these countries are being used. Fraudsters performing Wangiri attacks will normally have many PRN ranges they can swap and cycle through to execute the attack, and the attacks will continue for as long as the Fraudsters believe they can make money.

On that point, it’s too early to judge the success rate for these attacks. But within the telecom fraud industry, call back rates for Wangiri can potentially be surprisingly high – an ‘effective’ attack can be up to between 10 to 15%. Even assuming a lower call back rate of 1% - based on the potential volume - the impact to Irish mobile phone user of tens of thousands of calls each being charged several euro over the course of a few days can quickly add up over time.

 

Missed Call Scam

As stated earlier, it’s likely, that even if incoming Wangiri calls using these numbers are blocked in the future, that more attacks will continue with new PRN ranges from additional countries. In the long-run the best defences would be for the mobile operators affected to invest in systems that identify the attacks pro-actively as they happen, and block before they can affect Irish mobile phone users

For now, the best advice would be to:

  1. Do not answer calls that you don’t recognise from abroad
  2. If you do ring back, hang up as soon as possible – even if you still hear a ‘ringing tone’. In many cases the fraudsters will play a recording of a ringing tone and you may think the call has not connected, but you will be charged the longer you stay on
  3. Report this call, and the sender of it, to your operator, so they can try to prevent the source range
    • As additional counter-measure if you are getting really hassled with incoming calls would be to block numbers or number ranges on your handset. However, for this you may always be playing ‘catch-up’ as the fraudster use new numbers and ranges.

Ireland certainly isn’t alone in being targeted by this scam, Wangiri is a common phenomenon and there are many examples of equivalent attacks in other countries now and in the past. Sometimes the fraudsters make unique modifications that are performed to improve the call back rate but in general the pattern is quite similar since those first attacks in Japan 15 years ago. In the short-term Irish mobile phone users will have to stay vigilant, and if in doubt when receiving a call, don’t answer.

Latest news from AdaptiveMobile