Anti-fraud: Difference between revisions
(Rewrite: cleaner structure, added diagram, consolidated content) |
(Fix prerequisites: Country/Continent Destination uses phone prefixes (International rules), not GeoIP. Add prerequisites table by alert type.) |
||
| Line 5: | Line 5: | ||
= Anti-Fraud Detection = | = Anti-Fraud Detection = | ||
VoIPmonitor provides | VoIPmonitor provides anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks using phone number prefix detection and GeoIP. | ||
<kroki lang="mermaid"> | <kroki lang="mermaid"> | ||
| Line 11: | Line 11: | ||
flowchart LR | flowchart LR | ||
subgraph Detection | subgraph Detection | ||
A[CDR/Register Data] --> B{ | A[CDR/Register Data] --> B{Analysis} | ||
B --> | B --> C1[Phone Prefix Detection] | ||
B --> C2[GeoIP Lookup] | |||
end | end | ||
subgraph Alert Types | subgraph Alert Types | ||
C1 --> D[Country Destination] | |||
C2 --> E[CDR Country Change] | |||
C2 --> F[Register Country Change] | |||
B --> G[Sequential Pattern] | |||
B --> H[Failed Register] | |||
end | end | ||
subgraph Response | subgraph Response | ||
| Line 30: | Line 31: | ||
All anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''. | All anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''. | ||
{{Note|1= | {{Note|1=Different alert types have different prerequisites - see each alert type for specific requirements.}} | ||
== Alert Types == | == Alert Types == | ||
| Line 36: | Line 37: | ||
=== Country/Continent Destination === | === Country/Continent Destination === | ||
Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls. | Real-time detection of calls to specific countries or continents based on '''phone number prefixes'''. Primary use case: detecting toll fraud where compromised accounts make expensive international calls. | ||
{{Warning|1=This alert uses '''phone number prefix detection''', NOT GeoIP. It analyzes the destination number to determine the target country.}} | |||
'''Prerequisite:''' Configure '''GUI → Settings → Country Prefixes''' with the '''International rules''' tab properly set up. This defines how phone number prefixes map to countries/continents. | |||
'''Configuration:''' | '''Configuration:''' | ||
| Line 113: | Line 118: | ||
|} | |} | ||
== GeoIP | == Prerequisites by Alert Type == | ||
{| class="wikitable" | |||
|- | |||
! Alert Type !! Requirement !! Configuration Location | |||
|- | |||
| '''Country/Continent Destination''' || Phone number prefixes with International rules || GUI → Settings → Country Prefixes (International rules tab) | |||
|- | |||
| '''Change CDR Country''' || GeoIP (auto-installed) || GUI → Settings → System Configuration → GeoIP | |||
|- | |||
| '''Change REGISTER Country''' || GeoIP (auto-installed) || GUI → Settings → System Configuration → GeoIP | |||
|- | |||
| '''Fraud: Sequential''' || None || — | |||
|- | |||
| '''SIP Failed Register''' || None || — | |||
|} | |||
{{Note|1=GeoIP data is installed automatically with the GUI. The '''Change CDR Country''' and '''Change REGISTER Country''' alerts work out of the box. However, '''Country/Continent Destination''' requires manual configuration of the International rules.}} | |||
=== GeoIP Configuration (for IP-based alerts) === | |||
GeoIP is used by '''Change CDR Country''' and '''Change REGISTER Country''' alerts for IP-to-country resolution. | |||
'''Configuration:''' GUI → Settings → System Configuration → GeoIP | '''Configuration:''' GUI → Settings → System Configuration → GeoIP | ||
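Review bot: Links that target the old GeoIP section anchor will stop resolving, because the level-2 heading beginning `== GeoIP` is replaced by `== Prerequisites by Alert Type ==` and the GeoIP material moves under the new level-3 heading `=== GeoIP Configuration (for IP-based alerts) ===`. Keep an anchor with the old section name or update the incoming links. The Country Prefixes requirement is also now stated three times (the per-alert prerequisite, the table row and the closing note), so consider keeping the table as the single reference and linking to it from the alert section.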
| Line 141: | Line 165: | ||
* [[Groups]] - IP and telephone number groups for filtering | * [[Groups]] - IP and telephone number groups for filtering | ||
* [[Register]] - SIP registration monitoring | * [[Register]] - SIP registration monitoring | ||
== AI Summary for RAG == | == AI Summary for RAG == | ||
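Review bot: The summary under the `== AI Summary for RAG ==` heading is not touched by this revision and still describes the page as "using GeoIP-based alerts" and states "Requires GeoIP configuration", which contradicts the corrected prerequisite for Country/Continent Destination. Update the summary and keywords to mention phone number prefix detection and GUI → Settings → Country Prefixes (International rules), and limit the GeoIP requirement to Change CDR Country and Change REGISTER Country.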
Latest revision as of 15:44, 23 January 2026
Anti-Fraud Detection
VoIPmonitor provides anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks using phone number prefix detection and GeoIP.
Configuration
All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.
ℹ️ Note: Different alert types have different prerequisites - see each alert type for specific requirements.
Alert Types
Country/Continent Destination
Real-time detection of calls to specific countries or continents based on phone number prefixes. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.
⚠️ Warning: This alert uses phone number prefix detection, NOT GeoIP. It analyzes the destination number to determine the target country.
Prerequisite: Configure GUI → Settings → Country Prefixes with the International rules tab properly set up. This defines how phone number prefixes map to countries/continents.
Configuration:
- Select target countries/continents to monitor
- Set threshold for number of calls
- Configure notification recipients
Change CDR Country
Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.
Configuration:
- Whitelist trusted countries (Exclude countries field)
- Apply filters by phone numbers or IP addresses
Change REGISTER Country
Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.
Example: User normally registers from Germany but suddenly registers from Russia → alert triggers.
Fraud: Sequential
Detects high-volume sequential calling patterns to destination numbers within a time window.
| Parameter | Description | Example Values |
|---|---|---|
| interval | Time window (seconds) for counting calls | 600 (10 min), 3600 (1 hour) |
| limit | Max calls allowed before alert triggers | 50, 100, 500 |
| number field | Target destination number (leave empty for ANY) | Empty or specific number |
⚠️ Warning: Critical: Leave the number field empty to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.
Configuration Steps:
1. Navigate to GUI → Alerts → Anti Fraud
2. Create new alert with type Fraud: sequential
3. Set interval (e.g., 600 for 10 minutes)
4. Set limit (e.g., 100 calls)
5. Leave number field empty to apply to ANY number
6. Configure recipient email
7. Save
Example Configurations:
| Scenario | interval | limit | number field |
|---|---|---|---|
| >100 calls to any number in 10 min | 600 | 100 | Empty |
| >500 calls to any number in 1 hour | 3600 | 500 | Empty |
| >50 calls in 5 min (high-volume attack) | 300 | 50 | Empty |
| Monitor specific premium number | 1800 | 200 | Specify number |
💡 Tip: Fraud: sequential vs concurrent calls: Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.
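The counting rule described in this section, as an added example that is not VoIPmonitor code: it replays call records against an interval/limit pair so thresholds can be checked on historical traffic before the alert is saved. The function name, the `(timestamp, destination)` record shape and the sliding-window interpretation of "within the interval" are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque


def sequential_alerts(cdrs, interval, limit, number=None):
    """Return {destination: peak call count} for every destination that
    received more than `limit` calls inside any `interval`-second window.

    cdrs   -- iterable of (unix_timestamp, destination_number) tuples
    number -- None mirrors an empty number field (watch ANY destination);
              a string restricts counting to that one destination
    """
    windows = defaultdict(deque)  # destination -> timestamps still in window
    peaks = {}
    for ts, dest in sorted(cdrs):
        if number is not None and dest != number:
            continue
        win = windows[dest]
        win.append(ts)
        # Drop calls that fell out of the window ending at this call.
        while win[0] <= ts - interval:
            win.popleft()
        if len(win) > limit:
            peaks[dest] = max(peaks.get(dest, 0), len(win))
    return peaks


# Constructed sample data: one destination called every 5 seconds, mixed
# with ordinary traffic spread across many other destinations.
SAMPLE = [(1000 + 5 * i, "88299000111") for i in range(120)]
SAMPLE += [(1000 + 30 * i, f"4930555{i:04d}") for i in range(40)]
SAMPLE += [(1000 + 60 * i, "442070000000") for i in range(10)]

if __name__ == "__main__":
    # interval=600, limit=100, empty number field (first row of the table)
    print(sequential_alerts(SAMPLE, interval=600, limit=100))
    # Same thresholds pinned to another number: the burst is not reported
    print(sequential_alerts(SAMPLE, 600, 100, number="442070000000"))
    # Tighter 5-minute rule from the table still catches the same burst
    print(sequential_alerts(SAMPLE, interval=300, limit=50))
```

The second call shows why the number field matters: with a specific number set, a burst toward any other destination is never counted.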
SIP Failed Register
Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.
| Parameter | Description |
|---|---|
| threshold | Maximum failed attempts before alert |
| interval | Time window (seconds) for counting attempts |
Prerequisites by Alert Type
| Alert Type | Requirement | Configuration Location |
|---|---|---|
| Country/Continent Destination | Phone number prefixes with International rules | GUI → Settings → Country Prefixes (International rules tab) |
| Change CDR Country | GeoIP (auto-installed) | GUI → Settings → System Configuration → GeoIP |
| Change REGISTER Country | GeoIP (auto-installed) | GUI → Settings → System Configuration → GeoIP |
| Fraud: Sequential | None | — |
| SIP Failed Register | None | — |
ℹ️ Note: GeoIP data is installed automatically with the GUI. The Change CDR Country and Change REGISTER Country alerts work out of the box. However, Country/Continent Destination requires manual configuration of the International rules.
GeoIP Configuration (for IP-based alerts)
GeoIP is used by Change CDR Country and Change REGISTER Country alerts for IP-to-country resolution.
Configuration: GUI → Settings → System Configuration → GeoIP
Processing priority (fallback mechanism):
1. MaxMind API (commercial, highest accuracy)
2. IPInfoDB API
3. Local GeoIP database (GeoIPCity.dat or MySQL tables)
4. Free portals (backup)
For detailed GeoIP configuration, see Order_of_GeoIP_processing.
Best Practices
- Toll fraud prevention: Configure Country/Continent Destination alerts for premium rate countries
- Account protection: Enable Change REGISTER Country for all critical accounts
- Brute-force protection: Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
- Volume monitoring: Use Fraud: sequential with empty number field to catch attacks on any destination
- Granular control: Combine with IP Groups for provider-specific monitoring
See Also
- Alerts - General alert configuration and email setup
- Order_of_GeoIP_processing - GeoIP configuration details
- Groups - IP and telephone number groups for filtering
- Register - SIP registration monitoring
AI Summary for RAG
Summary: VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.
Keywords: anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring
Key Questions:
- How do I configure anti-fraud alerts in VoIPmonitor?
- How do I detect toll fraud in VoIPmonitor?
- What is the Fraud: sequential alert and how do I configure it?
- How do I detect high volume calls to any destination number?
- Should I leave the number field empty in Fraud: sequential?
- What is the difference between Fraud: sequential and concurrent calls alerts?
- How do I detect account hijacking in VoIPmonitor?
- How do I configure alerts for international calls?
- What is the Change REGISTER Country alert?
- How do I detect brute-force attacks on SIP registration?
- How does VoIPmonitor use GeoIP for fraud detection?