<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I had built a system not so long ago that tracked day over day
traffic from my network by destination NPA/NXX and was able to
pinpoint this sort of thing by simply looking for seismic
deviations from the norm (volume or cost). Sure we would get
occasional false positives when a new customer with a really
specific marketing business might turn up, but it really wasn't
hard to build and resulted in a good measure of safety from a
backstop perspective. <br>
</p>
<p>We just used the systems output to focus manual investigations,
not to power an automated system. Too much risk in automating
domestic traffic cutoffs. <br>
</p>
<p>FWIW we were an end-user network, not a wholesale network so we
didnt get the random sampling that wholesalers might which would
likely have changed some of the knobs on my selected criteria. <br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 6/17/2019 7:20 PM, Matthew Yaklin
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BN6PR16MB3075AE9CF575BDF9144550F8DAEA0@BN6PR16MB3075.namprd16.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
I am not sure if this is feasible for someone to do easily so I do
not bother you too much... but does anyone have a spreadsheet of
the nanp npa-nxx(s) you keep a very close eye on for fraud? I am
not sure how well we keep an eye on such things here. I would like
to explore it more. Naturally we keep an very close watch on
international and brute force attacks.<br>
<br>
Matthew Yaklin<br>
Network Engineer<br>
FirstLight<br>
359 Corporate Drive │ Portsmouth, NH 03801<br>
Mobile 603-845-5031<br>
<a class="moz-txt-link-abbreviated" href="mailto:myaklin@firstlight.net">myaklin@firstlight.net</a> | <a class="moz-txt-link-abbreviated" href="http://www.firstlight.net">www.firstlight.net</a><br>
This email may contain FirstLight confidential and/or privileged
information. If you are not the intended recipient, you are
directed<br>
not to read, disclose or otherwise use this transmission and to
immediately delete same. Delivery of this message is not intended<br>
to waive any applicable privileges.<br>
<br>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
VoiceOps <a class="moz-txt-link-rfc2396E" href="mailto:voiceops-bounces@voiceops.org"><voiceops-bounces@voiceops.org></a> on behalf of
Robert Dawson <a class="moz-txt-link-rfc2396E" href="mailto:rdawson@alliedtelecom.net"><rdawson@alliedtelecom.net></a><br>
<b>Sent:</b> Monday, June 17, 2019 7:18:43 PM<br>
<b>To:</b> Paul Timmins; Paul Timmins; <a class="moz-txt-link-abbreviated" href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] 605-562 - Arbitrage scam?</font>
<div> </div>
</div>
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
@font-face
{font-family:HelveticaNeue-Bold}
@font-face
{font-family:HelveticaNeue}
@font-face
{font-family:HelveticaNeue-Italic}
@font-face
{font-family:Tahoma}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:link, span.x_MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.x_MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p.x_msonormal0, li.x_msonormal0, div.x_msonormal0
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
p.x_msonormal00, li.x_msonormal00, div.x_msonormal00
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
p.x_msochpdefault, li.x_msochpdefault, div.x_msochpdefault
{margin-right:0in;
margin-left:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif}
span.x_emailstyle19
{font-family:"Calibri",sans-serif;
color:windowtext}
span.x_EmailStyle22
{font-family:"Calibri",sans-serif;
color:windowtext}
.x_MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
{}
-->
</style>
<div link="blue" vlink="purple" lang="EN-US">
<div class="x_WordSection1">
<p class="x_MsoNormal">Interesting that you haven’t really
seen that much domestic . . . I’d say that domestic fraud
accounts for at least 40% of the attempts we have seen over
the last year or so, with another 40% to NANP “island”
destinations (DR in particular) and the remaining to
international. Definitely different than a few years back
when almost everything was to African destinations.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">The fraudsters are very smart and
evolve over time, always have to be vigilant!</p>
<p class="x_MsoNormal"> </p>
<div style="border:none; border-top:solid #B5C4DF 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"><b><span style="font-size:12.0pt;
color:black">From: </span>
</b><span style="font-size:12.0pt; color:black">Paul
Timmins <a class="moz-txt-link-rfc2396E" href="mailto:ptimmins@clearrate.com"><ptimmins@clearrate.com></a><br>
<b>Date: </b>Monday, June 17, 2019 at 6:48 PM<br>
<b>To: </b>Robert Dawson
<a class="moz-txt-link-rfc2396E" href="mailto:rdawson@alliedtelecom.net"><rdawson@alliedtelecom.net></a>, Paul Timmins
<a class="moz-txt-link-rfc2396E" href="mailto:paul@timmins.net"><paul@timmins.net></a>, <a class="moz-txt-link-rfc2396E" href="mailto:voiceops@voiceops.org">"voiceops@voiceops.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:voiceops@voiceops.org"><voiceops@voiceops.org></a><br>
<b>Subject: </b>RE: [VoiceOps] 605-562 - Arbitrage
scam?</span></p>
</div>
<div>
<p class="x_MsoNormal"> </p>
</div>
<div>
<div>
</div>
</div>
<div>
<div>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black">I can just augment my existing one we
developed in house easily enough. But the new behavior
that's concerning is hacked endpoints calling the
numbers. I'm used to "traffic pumping" being free
services people actually want leveraging arbitrage,
but attracting fraudulent traffic from hacked handsets
isn't something I've ever seen on domestic traffic
before.</span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black">Bold, since it implies there's revenue
share, and federal law can reach a tribe in a way that
the usual banana republic telco fraud in the 3rd world
can't.</span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black">-Paul</span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black"> </span></p>
</div>
<div>
<div class="x_MsoNormal" style="text-align:center"
align="center"><span style="font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black">
<hr width="100%" size="0" align="center">
</span></div>
<div id="x_divRpF615861">
<p class="x_MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black">From:</span></b><span
style="font-size:10.0pt;
font-family:"Tahoma",sans-serif;
color:black"> VoiceOps
[<a class="moz-txt-link-abbreviated" href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>] on behalf of Robert
Dawson [<a class="moz-txt-link-abbreviated" href="mailto:rdawson@alliedtelecom.net">rdawson@alliedtelecom.net</a>]<br>
<b>Sent:</b> Monday, June 17, 2019 6:25 PM<br>
<b>To:</b> Paul Timmins; <a class="moz-txt-link-abbreviated" href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] 605-562 - Arbitrage
scam?</span><span style="font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black"></span></p>
</div>
<div>
<div>
<p class="x_MsoNormal"><span style="color:black">Jumping
in on this one late – Pine Ridge is most
well-known for the Ogala Lakota reservation that
is located there. Numbers are in fact owned by
Native American Telecom which is tribally owned
and has had traffic pumping charges levelled
against them as someone else mentioned. Payday
lenders have used tribal law for years to get
around usury laws, there was one company that was
charging something like 900% effective interest.
Repayment on a $10k loan was something like $75k.
Wondering if they can somehow skirt Federal
telecom law too?</span></p>
<p class="x_MsoNormal"><span style="color:black"> </span></p>
<p class="x_MsoNormal"><span style="color:black">Paul,
you are 100% correct – any fraud detection system
that is only looking at International destinations
would not pick it up . . . you definitely need
something that can, at a minimum, be configured to
look at call velocity and volume to US
destinations. I can make a recommendation if you
are interested.</span></p>
<p class="x_MsoNormal"><span style="color:black"> </span></p>
<p class="x_MsoNormal"><span style="color:black">Rob</span></p>
<p class="x_MsoNormal"><span style="color:black"> </span></p>
<div style="border:none; border-top:solid #B5C4DF
1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"><b><span
style="font-size:12.0pt; color:black">From: </span>
</b><span style="font-size:12.0pt; color:black">VoiceOps
<a class="moz-txt-link-rfc2396E" href="mailto:voiceops-bounces@voiceops.org"><voiceops-bounces@voiceops.org></a> on behalf
of Paul Timmins <a class="moz-txt-link-rfc2396E" href="mailto:paul@timmins.net"><paul@timmins.net></a><br>
<b>Date: </b>Wednesday, May 29, 2019 at 4:54 PM<br>
<b>To: </b>Matthew Yaklin
<a class="moz-txt-link-rfc2396E" href="mailto:myaklin@firstlight.net"><myaklin@firstlight.net></a>,
<a class="moz-txt-link-rfc2396E" href="mailto:voiceops@voiceops.org">"voiceops@voiceops.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:voiceops@voiceops.org"><voiceops@voiceops.org></a><br>
<b>Subject: </b>Re: [VoiceOps] 605-562 -
Arbitrage scam?</span><span style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="color:black;
background:white">Yeah, what makes it notable in
this case is it seems like it's dead air calls
and hacked phones like traditional international
fraud, not free conference call services.</span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal"><span style="color:black">On
5/29/19 4:16 PM, Matthew Yaklin wrote:</span></p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<div id="x_divtagdefaultwrapper">
<p><span style="font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black">Nevermind.. you meant interstate
calling fraud detection systems I assume.
Sorry. Please ignore me. I just reread again.</span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black"> </span></p>
<div id="x_Signature">
<div id="x_divtagdefaultwrapper">
<div>
<p class="x_MsoNormal"><b><span
style="font-size:10.0pt;
font-family:HelveticaNeue-Bold;
color:#000048">Matthew Yaklin</span></b><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:HelveticaNeue;
color:#000048">Network Engineer</span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><b><span
style="font-size:10.0pt;
font-family:HelveticaNeue-Bold;
color:#AEFF00">FirstLight</span></b><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:"Arial",sans-serif;
color:#0078D7">359 Corporate Drive │
Portsmouth, NH 03801</span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:HelveticaNeue;
color:#000048">Mobile 603-845-5031</span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:HelveticaNeue;
color:#000048"><a
href="mailto:myaklin@firstlight.net"
moz-do-not-send="true">myaklin@firstlight.net</a>
|
<a href="http://www.firstlight.net"
moz-do-not-send="true">www.firstlight.net</a></span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><i><span
style="font-size:8.0pt;
font-family:HelveticaNeue-Italic;
color:black">This email may contain
FirstLight confidential and/or
privileged information. If you are not
the intended recipient, you are
directed</span></i><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><i><span
style="font-size:8.0pt;
font-family:HelveticaNeue-Italic;
color:black">not to read, disclose or
otherwise use this transmission and to
immediately delete same. Delivery of
this message is not intended</span></i><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><i><span
style="font-size:8.0pt;
font-family:HelveticaNeue-Italic;
color:black">to waive any applicable
privileges.</span></i><span
style="color:black"></span></p>
</div>
<p class="x_MsoNormal"><span
style="font-size:12.0pt; color:black"> </span><span
style="color:black"></span></p>
</div>
</div>
</div>
<div class="x_MsoNormal" style="text-align:center"
align="center"><span style="color:black">
<hr width="100%" size="0" align="center">
</span></div>
<div id="x_divRplyFwdMsg">
<p class="x_MsoNormal"><b><span
style="color:black">From:</span></b><span
style="color:black"> VoiceOps
<a href="mailto:voiceops-bounces@voiceops.org"
moz-do-not-send="true"><voiceops-bounces@voiceops.org></a>
on behalf of Matthew Yaklin
<a href="mailto:myaklin@firstlight.net"
moz-do-not-send="true"><myaklin@firstlight.net></a><br>
<b>Sent:</b> Wednesday, May 29, 2019 4:14:02
PM<br>
<b>To:</b> Paul Timmins; <a
href="mailto:voiceops@voiceops.org"
moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Subject:</b> Re: [VoiceOps] 605-562 -
Arbitrage scam? </span></p>
<div>
<p class="x_MsoNormal"><span style="color:black"> </span></p>
</div>
</div>
<div>
<div id="x_x_divtagdefaultwrapper">
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black">Paul,</span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black"> </span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black">Why do you
mention international toll fraud when that
is an area code and exchange for</span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black">Pine Ridge
South Dakota?</span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black"> </span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black">And just
imagining how small that company must be
wouldn't a logical guess be more like they
just messed up in some fashion?</span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black"> </span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black">But in your
defense that telecom company is fishy and
Sprint tried to sue them. I am not sure what
ended up happening. Typical crap with free
conf stuff and having traffic sent to a high
cost area...</span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black"> </span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black"> </span></p>
<p><span style="font-size:12.0pt;
font-family:"Times New
Roman",serif; color:black"> </span></p>
<div id="x_x_Signature">
<div id="x_x_divtagdefaultwrapper">
<div>
<p class="x_MsoNormal"><b><span
style="font-size:10.0pt;
font-family:HelveticaNeue-Bold;
color:#000048">Matthew Yaklin</span></b><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:HelveticaNeue;
color:#000048">Network Engineer</span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><b><span
style="font-size:10.0pt;
font-family:HelveticaNeue-Bold;
color:#AEFF00">FirstLight</span></b><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:"Arial",sans-serif;
color:#0078D7">359 Corporate Drive │
Portsmouth, NH 03801</span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:HelveticaNeue;
color:#000048">Mobile 603-845-5031</span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><span
style="font-size:8.0pt;
font-family:HelveticaNeue;
color:#000048"><a
href="mailto:myaklin@firstlight.net"
moz-do-not-send="true">myaklin@firstlight.net</a>
|
<a href="http://www.firstlight.net"
moz-do-not-send="true">www.firstlight.net</a></span><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><i><span
style="font-size:8.0pt;
font-family:HelveticaNeue-Italic;
color:black">This email may contain
FirstLight confidential and/or
privileged information. If you are
not the intended recipient, you are
directed</span></i><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><i><span
style="font-size:8.0pt;
font-family:HelveticaNeue-Italic;
color:black">not to read, disclose
or otherwise use this transmission
and to immediately delete same.
Delivery of this message is not
intended</span></i><span
style="color:black"></span></p>
</div>
<div>
<p class="x_MsoNormal"><i><span
style="font-size:8.0pt;
font-family:HelveticaNeue-Italic;
color:black">to waive any applicable
privileges.</span></i><span
style="color:black"></span></p>
</div>
<p class="x_MsoNormal"><span
style="font-size:12.0pt; color:black"> </span><span
style="color:black"></span></p>
</div>
</div>
</div>
<div class="x_MsoNormal" style="text-align:center"
align="center"><span style="color:black">
<hr width="100%" size="0" align="center">
</span></div>
<div id="x_x_divRplyFwdMsg">
<p class="x_MsoNormal"><b><span
style="color:black">From:</span></b><span
style="color:black"> VoiceOps
<a
href="mailto:voiceops-bounces@voiceops.org"
moz-do-not-send="true"><voiceops-bounces@voiceops.org></a>
on behalf of Paul Timmins
<a href="mailto:paul@timmins.net"
moz-do-not-send="true"><paul@timmins.net></a><br>
<b>Sent:</b> Wednesday, May 29, 2019 3:50:35
PM<br>
<b>To:</b> <a
href="mailto:voiceops@voiceops.org"
moz-do-not-send="true">voiceops@voiceops.org</a><br>
<b>Subject:</b> [VoiceOps] 605-562 -
Arbitrage scam? </span></p>
<div>
<p class="x_MsoNormal"><span
style="color:black"> </span></p>
</div>
</div>
<div>
<div>
<p class="x_MsoNormal"><span
style="color:black">Is anyone else seeing
lots of long duration calls to the 605-562
<br>
exchange that when you dial the respective
number, it supervises to dead <br>
air?<br>
<br>
Seems like a new kind of toll fraud that
international fraud detection <br>
systems won't catch.<br>
<br>
-Paul<br>
<br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org"
moz-do-not-send="true">VoiceOps@voiceops.org</a><br>
<a
href="https://puck.nether.net/mailman/listinfo/voiceops"
moz-do-not-send="true">https://puck.nether.net/mailman/listinfo/voiceops</a></span></p>
</div>
</div>
</div>
</blockquote>
<p><span style="font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black"> </span></p>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
VoiceOps mailing list
<a class="moz-txt-link-abbreviated" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a>
</pre>
</blockquote>
</body>
</html>