This month’s winning answers came from Maheedhar Bose Juvva in India, Lionel Griache at ProactiveRA, and Guy Howie from BIAAS.
IRSF fraud usually involves multiple hacked PBXs, all in different geographical locations to avoid detection. The more PBXs involved makes it harder to trace back to the source, especially if it involves international borders. It is not uncommon for at least 4 PBXs (as in this example) to be involved in IRSF fraud, and in reality, many other International operator’s CDRs would need to be considered because IRSF rarely involves a single operator.
To solve LTT-02 you have to first identify the number relating to São Tomé, which has a country code of 239. In IRSF/PBX hacking, the hijacked PBX is usually set to call forward to another number (C-number). So, a quick search of column C of the CDR data reveals the number 2392204071 in cell C77 of the switch file. The number in cell B77 (4485861595789) relates to the customer who complained to the CFO, and the data in cell A77 (4485855998974) appears to be where the fraud originated from.
However, as IRSF fraud usually involves multiple PBXs being hacked, a quick search of the CDR data shows the A-number in cell A77 (4485855998974) also appears in cell C67, which belongs to another PBX customer, that has also been hijacked and had their number set to call forward. The originator of the fraud now appears to come from 4485860241398, which is located in cell A67.
Another search shows 4485860241398 also appears in cell C90, which reveals yet another PBX customer has been hacked and elaborates the extent some fraudsters will go to hide their traces. Repeating the same process of searching numbers back to the originating source, finally stops at cell A50 (4485863051726 – Fervex Systems) which is the answer to LTT-02. The linkage is illustrated here in the following file.
The next LTT will be published on Monday 18th March.
Disclaimer: none of the data in the CDR file is real, and no frauds were ever committed by, or involved the named parties or numbers appearing in the file.