Anti-fraud: Difference between revisions

From VoIPmonitor.org
(Update Fraud: sequential documentation - clarify destination number detection and leave number field empty for any destination)
(Rewrite: cleaner structure, added diagram, consolidated content)
 
Line 5: Line 5:
= Anti-Fraud Detection =
= Anti-Fraud Detection =


VoIPmonitor provides built-in anti-fraud detection capabilities through GeoIP-based alerts and monitoring features.
VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.


== Overview ==
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
flowchart LR
    subgraph Detection
        A[CDR/Register Data] --> B{GeoIP Lookup}
        B --> C[Country/IP Analysis]
    end
    subgraph Alert Types
        C --> D[Country Destination]
        C --> E[CDR Country Change]
        C --> F[Register Country Change]
        C --> G[Sequential Pattern]
        C --> H[Failed Register]
    end
    subgraph Response
        D & E & F & G & H --> I[Email Alert]
    end
</kroki>


Anti-fraud features help detect:
== Configuration ==
* Unauthorized international calls (toll fraud)
* Account hijacking attempts
* Credential stuffing attacks
* Unusual calling patterns


== Configuration ==
All anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''.
 
{{Note|1=Anti-fraud features require GeoIP configuration. See [[#GeoIP Integration|GeoIP Integration]] below.}}


Anti-fraud alerts are configured in '''GUI → Alerts → Anti Fraud'''.
== Alert Types ==


=== Country/Continent Destination Alert (Realtime) ===
=== Country/Continent Destination ===


Detects calls to specific countries or continents in real-time. Useful for detecting toll fraud where compromised accounts are used to make expensive international calls.
Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.


'''Configuration:'''
'''Configuration:'''
* Select target countries/continents to monitor
* Set threshold for number of calls
* Set threshold for number of calls
* Select target countries/continents
* Configure notification recipients
* Configure notification recipients


=== Change CDR Country Alert ===
=== Change CDR Country ===


Detects when the IP country of caller or callee changes between calls. This can indicate:
Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.
* Account compromise (calls from unusual locations)
* SIP credential theft


'''Configuration:'''
'''Configuration:'''
* Whitelist trusted countries (Exclude countries)
* Whitelist trusted countries (Exclude countries field)
* Apply filters by phone numbers or IP addresses
* Apply filters by phone numbers or IP addresses


=== Change REGISTER Country Alert ===
=== Change REGISTER Country ===
 
Detects when a device registers from a different country than expected. This is a strong indicator of:
* Account hijacking
* Stolen SIP credentials
* Unauthorized device registration


'''Use case:''' If a user normally registers from Germany but suddenly registers from a different country, this alert triggers.
Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.


=== Fraud: Sequential Alert ===
'''Example:''' User normally registers from Germany but suddenly registers from Russia → alert triggers.


Detects sequential calling patterns, which is useful for identifying unusual traffic patterns such as:
=== Fraud: Sequential ===


* A single destination number receiving a high volume of calls from any source
Detects high-volume sequential calling patterns to destination numbers within a time window.
* Repeated calls to a specific destination number over a short time period
* Call volume spikes to a specific destination
* Single IP making a high volume of calls to the same destination number
 
This alert type focuses on detecting patterns based on call count within a time window, grouped by destination number or source IP.
 
'''Parameters:'''


{| class="wikitable"
{| class="wikitable"
|-
|-
! Parameter !! Description !! Examples
! Parameter !! Description !! Example Values
|-
|-
| '''interval''' || Time window in seconds for counting calls || 600 (10 minutes), 3600 (1 hour)
| '''interval''' || Time window (seconds) for counting calls || 600 (10 min), 3600 (1 hour)
|-
|-
| '''limit''' || Maximum number of calls allowed - alert when exceeded || 100, 500
| '''limit''' || Max calls allowed before alert triggers || 50, 100, 500
|-
| '''number field''' || Target destination number (leave empty for ANY) || Empty or specific number
|}
|}
{{Warning|1='''Critical:''' Leave the number field '''empty''' to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.}}


'''Configuration Steps:'''
'''Configuration Steps:'''
# Navigate to '''GUI → Alerts → Anti Fraud'''
# Create new alert with type '''Fraud: sequential'''
# Set '''interval''' (e.g., 600 for 10 minutes)
# Set '''limit''' (e.g., 100 calls)
# '''Leave number field empty''' to apply to ANY number
# Configure recipient email
# Save


To alert when a large volume of calls is made to any single destination number within a short period:
'''Example Configurations:'''
 
1. Navigate to '''GUI → Alerts → Anti Fraud'''
2. Create a new alert with type '''Fraud: sequential'''
3. Set '''interval''' to your desired time window (e.g., 600 for 10 minutes)
4. Set '''limit''' to your maximum call count threshold (e.g., 100 calls)
5. **Leave the number field empty** in the alert filter - this applies the rule to ANY number
6. Configure recipient email addresses
7. Save the alert
 
'''How It Works:'''
 
The alert triggers when the number of calls '''to any single destination number''' exceeds the '''limit''' threshold within the specified '''interval''' time window. Each destination number is evaluated independently - if any single number exceeds the threshold within its own time window, the alert fires.
 
{{Note|1=Leaving the number field empty is the key to detecting calls to ANY destination. If you specify a number, the alert only applies to that specific number. With an empty number field, the system monitors all destination numbers and alerts when any one of them exceeds the configured limit.}}
 
'''Example Use Cases:'''


{| class="wikitable"
{| class="wikitable"
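Review bot: the rewritten Fraud: Sequential section drops the source-IP dimension that the old bullets ("Single IP making a high volume of calls to the same destination number") and the sentence "grouped by destination number or source IP" described, while the new summary line only says "to destination numbers within a time window". If the alert can also group by source IP, the new parameter table needs a row for that grouping; if it cannot, the old text was overstating and the removal is correct, but either way the summary line should state which groupings are supported. Smaller style point: the Change REGISTER Country example now names a specific country ("from Russia") where the old wording "from a different country" was neutral; the neutral form reads better in reference documentation.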
Line 93: Line 89:
! Scenario !! interval !! limit !! number field
! Scenario !! interval !! limit !! number field
|-
|-
| Detect >100 calls to any single number in 10 minutes || 600 seconds || 100 || Leave empty
| >100 calls to any number in 10 min || 600 || 100 || Empty
|-
|-
| Warn when any destination gets >500 calls in 1 hour || 3600 seconds || 500 || Leave empty
| >500 calls to any number in 1 hour || 3600 || 500 || Empty
|-
|-
| Identify high-volume attack (>50 calls in 5 minutes) || 300 seconds || 50 || Leave empty
| >50 calls in 5 min (high-volume attack) || 300 || 50 || Empty
|-
|-
| Monitor specific premium rate number (>200 calls in 30 min) || 1800 seconds || 200 || Enter number
| Monitor specific premium number || 1800 || 200 || Specify number
|}
|}


{{Tip|1=This alert type is different from concurrent calls alerts. Concurrent calls alerts detect how many calls are active simultaneously at one moment, while Fraud: sequential alerts detect the total call count over a time window, regardless of whether calls overlap or end before new ones begin.}}
{{Tip|1='''Fraud: sequential vs concurrent calls:''' Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.}}


=== SIP Failed Register Alert ===
=== SIP Failed Register ===


Detects brute-force attacks and credential stuffing by monitoring failed registration attempts from a single IP address.
Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.


'''Parameters:'''
{| class="wikitable"
* '''threshold''' - Maximum number of failed attempts before alert
|-
* '''interval''' - Time window in seconds for counting attempts
! Parameter !! Description
|-
| '''threshold''' || Maximum failed attempts before alert
|-
| '''interval''' || Time window (seconds) for counting attempts
|}


== GeoIP Integration ==
== GeoIP Integration ==


Anti-fraud features rely on GeoIP services for IP-to-country resolution. Configure GeoIP in '''GUI → Settings → System Configuration → GeoIP'''.
Anti-fraud alerts require GeoIP for IP-to-country resolution.


'''Priority of GeoIP processing:'''
'''Configuration:''' GUI → Settings → System Configuration → GeoIP
# MaxMind API
 
'''Processing priority (fallback mechanism):'''
# MaxMind API (commercial, highest accuracy)
# IPInfoDB API
# IPInfoDB API
# Local GeoIP database
# Local GeoIP database (GeoIPCity.dat or MySQL tables)
# Free portals
# Free portals (backup)


See [[CountryGrouping]] for detailed GeoIP configuration.
For detailed GeoIP configuration, see [[Order_of_GeoIP_processing]].


== Best Practices ==
== Best Practices ==


* Configure alerts for high-risk destinations (premium rate numbers, high-cost countries)
* '''Toll fraud prevention:''' Configure Country/Continent Destination alerts for premium rate countries
* Set up Change REGISTER Country alerts for all critical accounts
* '''Account protection:''' Enable Change REGISTER Country for all critical accounts
* Regularly review failed registration patterns
* '''Brute-force protection:''' Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
* Combine with IP Groups for more granular control
* '''Volume monitoring:''' Use Fraud: sequential with empty number field to catch attacks on any destination
* '''Granular control:''' Combine with [[Groups|IP Groups]] for provider-specific monitoring


== Related Topics ==
== See Also ==


* [[Alerts]] - General alert configuration
* [[Alerts]] - General alert configuration and email setup
* [[CountryGrouping]] - GeoIP features and country grouping
* [[Order_of_GeoIP_processing]] - GeoIP configuration details
* [[Groups]] - IP and telephone number groups for filtering
* [[Groups]] - IP and telephone number groups for filtering
* [[Register]] - SIP registration monitoring


== AI Summary for RAG ==
== AI Summary for RAG ==


'''Summary:''' VoIPmonitor anti-fraud detection guide covering GeoIP-based alerts for toll fraud prevention. Features include: Fraud: sequential alerts (detect sequential calling patterns using interval/limit parameters - useful for detecting high volume calls to any single destination number within short time period), Country/Continent Destination alerts (real-time detection of calls to specific countries), Change CDR Country alerts (detect IP country changes between calls indicating account compromise), Change REGISTER Country alerts (detect device registration from unexpected countries indicating credential theft), and SIP Failed Register alerts (detect brute-force attacks by monitoring failed registration attempts). All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud. CRITICAL: To configure Fraud: sequential for detecting high volume calls to ANY single destination number, leave the number field empty in the alert filter. The alert triggers when any single destination number exceeds the limit threshold within the interval time window. Parameters are interval (time window in seconds) and limit (maximum number of calls before alert). This is different from concurrent calls alerts which detect simultaneous calls at one moment, while Fraud: sequential detects total call count over time window regardless of overlap.
'''Summary:''' VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.


'''Keywords:''' anti-fraud, toll fraud, fraud detection, GeoIP, country alert, continent alert, Change CDR Country, Change REGISTER Country, SIP failed register, brute-force, credential stuffing, account hijacking, international calls, premium rate, fraud prevention, Fraud: sequential, sequential alert, interval, limit, time window, call count, high volume calls, destination number, leave number field empty, call volume spikes
'''Keywords:''' anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring


'''Key Questions:'''
'''Key Questions:'''
* How do I configure an alert for a large volume of calls to any single destination number?
* How do I configure Fraud: sequential alert for destination numbers?
* How do I detect unusual traffic patterns to a single destination?
* How do I detect high volume calls to any single number within a short period?
* Do I leave the number field empty or specify a number in Fraud: sequential?
* What is the Fraud: sequential alert type?
* What are the interval and limit parameters in Fraud: sequential?
* How do I configure anti-fraud alerts in VoIPmonitor?
* How do I configure anti-fraud alerts in VoIPmonitor?
* How do I detect toll fraud in VoIPmonitor?
* How do I detect toll fraud in VoIPmonitor?
* What is the Change CDR Country alert?
* What is the Fraud: sequential alert and how do I configure it?
* How do I detect high volume calls to any destination number?
* Should I leave the number field empty in Fraud: sequential?
* What is the difference between Fraud: sequential and concurrent calls alerts?
* How do I detect account hijacking in VoIPmonitor?
* How do I detect account hijacking in VoIPmonitor?
* How do I configure alerts for international calls?
* How do I configure alerts for international calls?
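Review bot: in the Example Configurations table the last row's scenario lost its time window ("Monitor specific premium number" replaces ">200 calls in 30 min"), while the other three rows keep theirs; suggest ">200 calls to one premium number in 30 min" so the row stays self-describing. The Key Questions list also drops "What is the Change CDR Country alert?" while keeping the REGISTER equivalent; since the Change CDR Country section itself survives the rewrite, that question should be kept as well.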
Line 159: Line 160:
* How do I detect brute-force attacks on SIP registration?
* How do I detect brute-force attacks on SIP registration?
* How does VoIPmonitor use GeoIP for fraud detection?
* How does VoIPmonitor use GeoIP for fraud detection?
* What is the difference between Fraud: sequential and concurrent calls alerts?

Latest revision as of 16:47, 8 January 2026


Anti-Fraud Detection

VoIPmonitor provides GeoIP-based anti-fraud alerts to detect toll fraud, account hijacking, and brute-force attacks.

Configuration

All anti-fraud alerts are configured in GUI → Alerts → Anti Fraud.

ℹ️ Note: Anti-fraud features require GeoIP configuration. See GeoIP Integration below.

Alert Types

Country/Continent Destination

Real-time detection of calls to specific countries or continents. Primary use case: detecting toll fraud where compromised accounts make expensive international calls.

Configuration:

  • Select target countries/continents to monitor
  • Set threshold for number of calls
  • Configure notification recipients

Change CDR Country

Detects when the IP country of caller or callee changes between calls - indicates potential account compromise or SIP credential theft.

Configuration:

  • Whitelist trusted countries (Exclude countries field)
  • Apply filters by phone numbers or IP addresses

Change REGISTER Country

Detects device registration from unexpected countries - strong indicator of credential theft or account hijacking.

Example: User normally registers from Germany but suddenly registers from Russia → alert triggers.
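The Change CDR Country and Change REGISTER Country alerts above both reduce to the same check: resolve the source IP of each REGISTER or call leg to a country, compare it with the country last seen for that account, and raise when it differs. The following is an added example illustrating that logic, not VoIPmonitor code: the GeoIP lookup is a constructed in-memory prefix table (documentation address ranges only), the events and account names are constructed sample data, and the way the Exclude countries whitelist is treated (excluded countries neither alert nor move the baseline) is an assumption of the example rather than documented VoIPmonitor behaviour.

```python
"""Country-change detection modelled on VoIPmonitor's Change CDR Country and
Change REGISTER Country alerts. Added example, not VoIPmonitor code: the GeoIP
lookup is a constructed in-memory table and the events are constructed sample
records (real deployments resolve countries via the GeoIP Integration chain)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for a GeoIP database: documentation prefixes only.
GEOIP_TABLE = [
    (ip_network("203.0.113.0/24"), "DE"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "FR"),
]


def lookup_country(ip: str) -> Optional[str]:
    """Return the ISO country code for ip, or None when no prefix matches."""
    addr = ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return None


@dataclass
class Event:
    ts: int        # epoch seconds
    account: str   # SIP user (REGISTER) or caller/callee identity (CDR)
    ip: str        # source IP of the REGISTER or of the call leg
    kind: str      # "REGISTER" or "CDR"


@dataclass
class CountryChange:
    account: str
    kind: str
    previous: str
    current: str
    ip: str
    ts: int


def detect_country_changes(events: List[Event],
                           exclude_countries: Tuple[str, ...] = ()) -> List[CountryChange]:
    """Emit one CountryChange whenever an account's event of a given kind
    resolves to a different country than that account's previous event of the
    same kind. Events whose country is in exclude_countries (the GUI's
    'Exclude countries' whitelist) are skipped entirely; that they also do not
    move the baseline is an assumption of this example, not documented
    VoIPmonitor behaviour."""
    baseline = {}  # (account, kind) -> last seen country
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        cc = lookup_country(ev.ip)
        if cc is None or cc in exclude_countries:
            continue
        key = (ev.account, ev.kind)
        prev = baseline.get(key)
        if prev is not None and prev != cc:
            alerts.append(CountryChange(ev.account, ev.kind, prev, cc, ev.ip, ev.ts))
        baseline[key] = cc
    return alerts


# Constructed sample: alice registers twice from DE, then from US;
# bob's calls come from FR twice, then from DE.
SAMPLE_EVENTS = [
    Event(100, "alice", "203.0.113.10", "REGISTER"),
    Event(160, "alice", "203.0.113.10", "REGISTER"),
    Event(220, "alice", "198.51.100.7", "REGISTER"),
    Event(300, "bob", "192.0.2.5", "CDR"),
    Event(360, "bob", "192.0.2.9", "CDR"),
    Event(400, "bob", "203.0.113.44", "CDR"),
]


def run_sample(exclude_countries: Tuple[str, ...] = ()) -> List[CountryChange]:
    """Run the detector over the constructed events; returns the alerts."""
    return detect_country_changes(SAMPLE_EVENTS, exclude_countries)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind:8} {a.account}: {a.previous} -> {a.current} from {a.ip} at t={a.ts}")
```

Running the sample yields two alerts: alice's REGISTER moving from DE to US and bob's CDR moving from FR to DE; passing `("US",)` as the exclusion list suppresses the first. The baseline is kept per (account, kind) so that a REGISTER from a new country and a call from a new country are reported independently, which mirrors the two separate alert types.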

Fraud: Sequential

Detects high-volume sequential calling patterns to destination numbers within a time window.

{| class="wikitable"
|-
! Parameter !! Description !! Example Values
|-
| interval || Time window (seconds) for counting calls || 600 (10 min), 3600 (1 hour)
|-
| limit || Max calls allowed before alert triggers || 50, 100, 500
|-
| number field || Target destination number (leave empty for ANY) || Empty or specific number
|}

⚠️ Warning: Critical: Leave the number field empty to monitor ALL destination numbers. The alert fires when ANY single destination exceeds the limit within the interval.

Configuration Steps:

  1. Navigate to GUI → Alerts → Anti Fraud
  2. Create new alert with type Fraud: sequential
  3. Set interval (e.g., 600 for 10 minutes)
  4. Set limit (e.g., 100 calls)
  5. Leave number field empty to apply to ANY number
  6. Configure recipient email
  7. Save

Example Configurations:

{| class="wikitable"
|-
! Scenario !! interval !! limit !! number field
|-
| >100 calls to any number in 10 min || 600 || 100 || Empty
|-
| >500 calls to any number in 1 hour || 3600 || 500 || Empty
|-
| >50 calls in 5 min (high-volume attack) || 300 || 50 || Empty
|-
| Monitor specific premium number || 1800 || 200 || Specify number
|}

💡 Tip: Fraud: sequential vs concurrent calls: Sequential alerts count total calls over a time window. Concurrent alerts detect simultaneous active calls at one moment. Use sequential for detecting volume spikes, concurrent for capacity monitoring.

SIP Failed Register

Detects brute-force and credential stuffing attacks by monitoring failed registration attempts.

{| class="wikitable"
|-
! Parameter !! Description
|-
| threshold || Maximum failed attempts before alert
|-
| interval || Time window (seconds) for counting attempts
|}
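Fraud: sequential (interval, limit, per destination number) and SIP Failed Register (interval, threshold, per source IP) are the same sliding-window counter keyed on different fields, and the Tip above contrasts that counter with a concurrent-calls measurement. The added example below demonstrates all three on constructed CDRs and REGISTER failures; it is not VoIPmonitor code, and it generalises the page's per-destination rule to any key. The `number` argument mirrors the GUI's number field (`None` for ANY, a specific number to restrict the alert), and firing at most once per key is a simplification of this example, not documented alert behaviour.

```python
"""Windowed call-count alerting modelled on VoIPmonitor's Fraud: sequential
(interval/limit per destination number) and SIP Failed Register
(interval/threshold per source IP), plus a concurrent-calls count to show why
the two metrics differ. Added example, not VoIPmonitor code; all CDRs and
REGISTER failures below are constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Cdr:
    start: int        # epoch seconds
    duration: int     # seconds
    src_ip: str
    dst_number: str


@dataclass
class FailedRegister:
    ts: int
    src_ip: str


def windowed_limit_alerts(events, key_fn: Callable, ts_fn: Callable, interval: int,
                          limit: int, key_filter: Optional[str] = None) -> List[Tuple[str, int, int]]:
    """Generic sliding-window counter. For each key (destination number or
    source IP) keep the timestamps seen in the last `interval` seconds and
    emit (key, ts, count) the first time the count exceeds `limit`.
    key_filter=None monitors ANY key (the empty number field); a specific
    value restricts monitoring to that key. Firing once per key is a
    simplification assumed by this example."""
    windows = defaultdict(deque)
    fired = set()
    alerts = []
    for ev in sorted(events, key=ts_fn):
        k = key_fn(ev)
        if key_filter is not None and k != key_filter:
            continue
        ts = ts_fn(ev)
        w = windows[k]
        w.append(ts)
        while w and w[0] <= ts - interval:   # drop events that left the window
            w.popleft()
        if len(w) > limit and k not in fired:
            fired.add(k)
            alerts.append((k, ts, len(w)))
    return alerts


def fraud_sequential(cdrs: List[Cdr], interval: int, limit: int,
                     number: Optional[str] = None) -> List[Tuple[str, int, int]]:
    """Fraud: sequential: calls per destination number inside `interval`."""
    return windowed_limit_alerts(cdrs, lambda c: c.dst_number, lambda c: c.start,
                                 interval, limit, key_filter=number)


def sip_failed_register(failures: List[FailedRegister], interval: int,
                        threshold: int) -> List[Tuple[str, int, int]]:
    """SIP Failed Register: failed REGISTERs per source IP inside `interval`."""
    return windowed_limit_alerts(failures, lambda f: f.src_ip, lambda f: f.ts,
                                 interval, threshold)


def max_concurrent_calls(cdrs: List[Cdr]) -> int:
    """Peak number of simultaneously active calls (what a concurrent-calls
    alert measures), independent of how many calls there were in total."""
    edges = []
    for c in cdrs:
        edges.append((c.start, 1))
        edges.append((c.start + c.duration, -1))
    edges.sort(key=lambda e: (e[0], e[1]))  # a call ending at t frees its slot before one starting at t
    cur = peak = 0
    for _, delta in edges:
        cur += delta
        peak = max(peak, cur)
    return peak


# Constructed sample: six 30-second calls to one premium number, one per
# minute (never overlapping), plus two overlapping calls to an ordinary number.
SAMPLE_CDRS = [Cdr(1000 + i * 60, 30, "198.51.100.7", "+4490012345") for i in range(6)]
SAMPLE_CDRS += [Cdr(1000, 120, "203.0.113.10", "+49301234567"),
                Cdr(1030, 120, "203.0.113.11", "+49301234567")]

# Constructed sample: twelve failed REGISTERs from one IP within a minute,
# one isolated failure from another.
SAMPLE_FAILURES = [FailedRegister(2000 + i * 5, "192.0.2.99") for i in range(12)]
SAMPLE_FAILURES.append(FailedRegister(2010, "203.0.113.10"))


if __name__ == "__main__":
    print("sequential (600 s, limit 5, any number):", fraud_sequential(SAMPLE_CDRS, 600, 5))
    print("peak concurrent calls:", max_concurrent_calls(SAMPLE_CDRS))
    print("failed register (60 s, threshold 10):", sip_failed_register(SAMPLE_FAILURES, 60, 10))
```

With interval 600 and limit 5 the premium number trips the sequential alert on its sixth call even though no two of those calls overlap, while the peak concurrency over the whole sample is only 3, so a concurrent-calls alert with the same threshold would stay silent; that is the distinction the Tip draws. Restricting `number` to the ordinary destination yields no alert, and the failed-register counter raises on the eleventh failure from the attacking IP.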

GeoIP Integration

Anti-fraud alerts require GeoIP for IP-to-country resolution.

Configuration: GUI → Settings → System Configuration → GeoIP

Processing priority (fallback mechanism):

  1. MaxMind API (commercial, highest accuracy)
  2. IPInfoDB API
  3. Local GeoIP database (GeoIPCity.dat or MySQL tables)
  4. Free portals (backup)

For detailed GeoIP configuration, see Order_of_GeoIP_processing.

Best Practices

  • Toll fraud prevention: Configure Country/Continent Destination alerts for premium rate countries
  • Account protection: Enable Change REGISTER Country for all critical accounts
  • Brute-force protection: Set SIP Failed Register with low threshold (e.g., 10 attempts in 60 seconds)
  • Volume monitoring: Use Fraud: sequential with empty number field to catch attacks on any destination
  • Granular control: Combine with IP Groups for provider-specific monitoring

See Also

  • Alerts - General alert configuration and email setup
  • Order_of_GeoIP_processing - GeoIP configuration details
  • Groups - IP and telephone number groups for filtering

AI Summary for RAG

Summary: VoIPmonitor anti-fraud detection guide using GeoIP-based alerts. Alert types: (1) Country/Continent Destination - real-time detection of calls to specific countries for toll fraud prevention; (2) Change CDR Country - detects IP country changes between calls indicating account compromise; (3) Change REGISTER Country - detects registration from unexpected countries indicating credential theft; (4) Fraud: sequential - detects high-volume calling patterns using interval (time window in seconds) and limit (max calls) parameters, CRITICAL: leave number field empty to monitor ALL destination numbers; (5) SIP Failed Register - detects brute-force attacks via failed registration monitoring. Configuration path: GUI → Alerts → Anti Fraud. Requires GeoIP configuration (Settings → System Configuration → GeoIP) with MaxMind API as highest priority.

Keywords: anti-fraud, toll fraud, fraud detection, GeoIP, country alert, Change CDR Country, Change REGISTER Country, Fraud sequential, interval, limit, number field empty, SIP failed register, brute-force, credential stuffing, account hijacking, premium rate numbers, sequential pattern detection, call volume monitoring

Key Questions:

  • How do I configure anti-fraud alerts in VoIPmonitor?
  • How do I detect toll fraud in VoIPmonitor?
  • What is the Fraud: sequential alert and how do I configure it?
  • How do I detect high volume calls to any destination number?
  • Should I leave the number field empty in Fraud: sequential?
  • What is the difference between Fraud: sequential and concurrent calls alerts?
  • How do I detect account hijacking in VoIPmonitor?
  • How do I configure alerts for international calls?
  • What is the Change REGISTER Country alert?
  • How do I detect brute-force attacks on SIP registration?
  • How does VoIPmonitor use GeoIP for fraud detection?