VOIP Services Utilized for Fraud Proliferate Across Russian-Language Underground
One barrier to online fraud is that some transactions require a phone call – either made or received – for confirmation. While this measure has long presented a significant hurdle to criminals attempting to make online purchases using compromised bank or online retail accounts, it appears to be becoming less and less effective as a security measure. Indeed, some criminals have recently demonstrated their ability to bypass this type of telephone verification to make fraudulent online transactions by leveraging various Voice over Internet Protocol (VOIP) services.
Flashpoint has recently observed three VOIP services in particular that have been gaining traction among Russian-speaking cybercriminals seeking to make fraudulent online transactions:
A previously private VOIP service named “Narayana” – a Sanskrit term meaning “an individual who offers sanctuary” – was first advertised on two different Russian-language cybercriminal forums in the first quarter of 2017. According to an advertisement, Narayana boasts the following features:
- Supports Session Initiation Protocol (SIP), a protocol that defines elements of telephone calls and multimedia communication sessions made over IP networks, allowing any smartphone, computer, or IP telephone to use the service
- SIM cards based on the GSM (Global System for Mobile communication) standard for almost any country on earth, allowing phone calls and Internet access
- Free iNum number for each user. iNum is a platform for making free international calls between numbers within the network
- Creation of a virtual number for receiving calls and SMS messages in more than ten different countries
- Extended inbound call routing through Direct Inward Dialing (DID)
- Availability of “pitch shifting,” which shifts the tone of the speaker’s voice
- Ability to redirect and respond to incoming SMS messages on Jabber (XMPP)
- Assurance that no customer personal data is saved, including IP addresses or user-agent information
- Ability to block third parties, including roaming partners, from seeing any call information
- Options for making inexpensive phone calls from Russia to the U.S. with reduced audio to confirm transactions and transfers made with compromised payment information
- Support for forced TLS (Transport Layer Security) / SRTP (Secure Real-time Transport Protocol) encryption during SIP calls to prevent traffic interception
Much of Narayana’s appeal among Russian-speaking cybercriminals also stems from its ease of use and affordability. Upon registering an account with Narayana’s website, users are assigned phone numbers as well as login credentials for the service’s SIP server, where caller ID configurations can be altered. The cost of renting a virtual number varies by country but begins at 10 euro per month; purchasing an international SIM card through the service costs 30 euro.
Image 1: The personal information page for a Narayana user; overlaid text is Flashpoint’s translation.
Another VOIP service called SIP24 was first advertised on an elite Russian-language cybercrime forum in June 2016. Although SIP24 and Narayana have similar features and functionality, SIP24 is available by invitation only, reportedly has higher call quality, and has additional features and restrictions intended to bolster security. Specifically, SIP24 has banned caller IDs displaying Russian numbers for both domestic and international calls; the service also encourages the complementary use of freeware “Zoiper” to further enhance security and anonymity.
SIP Killer is another VOIP service that has been discussed on and off for several years on various Russian-language cybercrime forums, as well as on AlphaBay prior to the market’s takedown. SIP Killer is used primarily to enable “call-flooding” — a tactic where criminals send high volumes of call traffic over a VOIP service in an effort to render a particular call service unavailable.
In fact, in December 2016, a well-known member of a Russian-language hacking forum offered a popular tutorial on how to carry out call-flooding attacks via SIP Killer. According to this individual, all a user needs to do is register ten to fifteen accounts on the website “Zadamra,” then click the “Settings” tab and then “SIP settings.” After entering login data, the SIP Killer is launched and the user can carry out call-flooding for a variety of malicious ends, including preventing the call verification of fraudulent orders. The goal is to overload a victim’s telephone with so many calls that legitimate calls — such as those seeking to verify or inform a victim of an online order or transaction — become “buried” and go unnoticed, or never make it through to the intended recipient.
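On the defensive side, the flooding pattern described above is visible in call detail records: a burst of mostly unanswered calls to one number from many callers, with a missed verification call inside it. The following detection sketch is an added example, not part of Flashpoint's report; the record format, thresholds, function names and phone numbers are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_flood_windows(cdrs, window=timedelta(minutes=5), min_calls=15,
                       min_callers=8, max_answered_ratio=0.2):
    """Return {callee: [(start, end), ...]} for bursts that look like call flooding.
    cdrs: iterable of (ISO timestamp, caller, callee, answered_seconds), an assumed format."""
    by_callee = defaultdict(list)
    for ts, caller, callee, answered in cdrs:
        by_callee[callee].append((datetime.fromisoformat(ts), caller, answered))
    floods = {}
    for callee, calls in by_callee.items():
        recent = deque()
        for call in sorted(calls):
            recent.append(call)
            while call[0] - recent[0][0] > window:   # slide the time window
                recent.popleft()
            callers = {c for _, c, _ in recent}
            answered = sum(1 for _, _, a in recent if a > 0)
            # Many calls, many sources, almost none answered: the line is saturated.
            if (len(recent) >= min_calls and len(callers) >= min_callers
                    and answered / len(recent) <= max_answered_ratio):
                spans = floods.setdefault(callee, [])
                if spans and spans[-1][1] >= recent[0][0]:   # merge overlapping bursts
                    spans[-1] = (spans[-1][0], call[0])
                else:
                    spans.append((recent[0][0], call[0]))
    return floods

def buried_verifications(cdrs, verifier_numbers, floods):
    """Unanswered calls from known verification lines that landed inside a flood."""
    return [(ts, caller, callee) for ts, caller, callee, answered in cdrs
            if caller in verifier_numbers and answered == 0
            and any(s <= datetime.fromisoformat(ts) <= e for s, e in floods.get(callee, []))]

def sample_cdrs():
    """Constructed records: 24 unanswered calls from 12 callers, one verification call."""
    t0 = datetime(2017, 3, 1, 12, 0, 0)
    rows = [((t0 + timedelta(seconds=10 * i)).isoformat(), f"+155501{10 + i % 12}",
             "+15550100", 0) for i in range(24)]
    rows.append(("2017-03-01T12:01:35", "+15550199", "+15550100", 0))   # callback, missed
    rows.append(("2017-03-01T12:02:00", "+15550199", "+15550150", 40))  # normal, answered
    return rows

if __name__ == "__main__":
    cdrs = sample_cdrs()
    floods = find_flood_windows(cdrs)
    print(floods)
    print(buried_verifications(cdrs, {"+15550199"}, floods))
```

A missed confirmation call that falls inside a flagged window is a reason to hold the associated order for review rather than treating it as an ordinary no-answer.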
Given cybercriminals’ longstanding interest in online transaction fraud and widespread determination to circumvent anti-fraud protections, VOIP services that enable users to rent virtual phone numbers and purchase SIM cards for countries around the world will likely continue to proliferate throughout the Deep & Dark Web, and it is important to recognize that instances of online transaction fraud have the potential to increase as a result. This information is especially relevant for financial institutions and e-commerce retailers, many of which may be unable to differentiate between legitimate transaction confirmation calls and fraudulent ones made and/or received by criminals using VOIP services.