GSMA PRD IR.70 SMS SS7 Fraud
Copyright Notice
Copyright © 2015 GSM Association
Disclaimer
The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept
any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document.
The information contained in this document may be subject to change without prior notice.
Antitrust Notice
The information contained herein is in full compliance with the GSM Association’s antitrust compliance policy.
V4.0 Page 1 of 14
GSM Association Non-confidential
Official Document IR.70 - SMS SS7 Fraud
Table of Contents
1 Introduction
1.1 Executive Summary
1.2 Definition of terms
1.3 References
1.4 SMS call-flow
2 Spamming Case
2.1 Definition
3 Flooding Case
3.1 Definition
3.2 Technical Aspect
4 Faking Case
4.1 Definition
4.2 Technical Aspect
5 Spoofing Case
5.1 Definition
5.2 Technical Aspect
6 GT Scanning
6.1 Definition
6.2 Technical aspect
7 Open SMS-C Case
7.1 Definition
7.2 Technical aspect
Document Management
Document History
Other Information
1 Introduction
1.1 Executive Summary
Many mobile operators are facing SMS problems (spamming, fraud or illegal use of
their SMS-C addresses).
The document:
- Defines each SMS fraud case
- Describes technical aspects for each case
1.3 References
Ref Doc Number Title
[1] IR.71 SMS SS7 Fraud Prevention
[2] BA.43 SMS Handbook
[3] AA.50 SMS Fraud Criteria
[Figure: C7 architecture. Labels: Mobile Network A, Non Mobile Operator / Third Party, C7 Carrier, International C7 Network. Nodes: SMSC, STP, IGP, HLR, BSS.]
SMSC : Short Message Service Center
STP : Signalling Transfer Point
HLR : Home Location Register
IGP : International Gateway Point
VLR : Visited Location Register
BSS : Base Station Subsystem
SS7 : Signalling System N°7
This figure shows the C7 architecture with all the necessary nodes.
The International Gateway Point (IGP) is the gate to the C7 Network for roaming or SMS
interworking services.
The message flow for normal SMS sending is shown below:
[Figure: message flow between Subscriber A, BSS, MSC / VLR, STP and SMS-C: MAP « Forward Short Message / SMS Submit »]
Step two: the SMS-C recovers the VLR address and the IMSI of the recipient subscriber:
[Figure: across the International C7 Network: MAP « Send Routing Info for Short Message »]
[Figure: message flow between SMS-C, STP, IGP, International C7 Network, IGP, STP, MSC / VLR, BSS and Subscriber B: MAP « Forward Short Message / SMS Deliver »]
2 Spamming Case
2.1 Definition
Spamming is an action where the subscriber receives an unsolicited SMS, that is, a message
the subscriber did not request to receive.
The act of spamming does not define the content but only the fact that the SMS was
received without solicitation. The content of the spam SMS is incidental to the act. The spam
SMS may take on various forms of content, including commercial information, bogus
contests and other messages generally intended to invite a response from the receiver.
It is important to note that the SMS could be sent from a valid originator and may be
correctly billed to the sender.
Technical Aspect
In the Spamming case, there are no specific technical aspects. The spamming Originator
could be a single person, a commercial company or a mobile operator.
The normal way of sending through the SMSC can be used, as described below:
[Figure: Mobile Network A with SMSC, STP, MSC / VLR and BSS]
The SMS is submitted by a mobile phone or by a third party connected to the SMS-C
(Content provider for example).
3 Flooding Case
3.1 Definition
The act of flooding is when a large number of messages are sent to one or more
destinations. These messages may be either valid or invalid. The value or parameter used to
define flooding is the extraordinary number of messages sent.
The flooding parameter is compared to the average or normally expected load, and the
expected peak value of a selected message flow. When the parameter is unusually high,
without other explanation, then this is considered ‘flooding’.
3.2 Technical Aspect
The sending of the messages in a case of ‘flooding’ is within the normal methods of sending
messages. Consequently, there is no specific technical aspect for this case.
4 Faking Case
4.1 Definition
A fake SMS originates from the international C7 Network and terminates in a mobile
network. This is a specific case in which SCCP or MAP addresses are manipulated. The SCCP
or MAP originator (for example: SMSC Global Title, or A_MSISDN) is wrong or is taken from
a valid originator.
4.2 Technical Aspect
In the faking case, the first part is done exactly as described above. However, the second
part is changed so that the source address in the MAP message <Forward Short Message>
is changed, often to someone else’s SM-SC address. The manipulation of the SM-SC
address causes any inter-PLMN SM accounting to be in error, and means that any policing
against the apparent Spam generator harms innocent parties and is ineffective against the
real Spam generator.
Faking the source address in the SCCP called party Global Title and the Service
Centre Address in the MAP message <Forward Short Message>, whilst keeping the correct
equivalent address in the MAP message <Send Routing Information for Short Message>, is
impossible without considerable effort by the technical staff running the SM-SC. In other
words, it does not happen by accident, through faulty configuration data, or as the result of raw
text messages received from the Internet. In most cases it requires a
software patch on the SM-SC. Therefore, any instance of this happening is the result
of direct action by SM-SC staff, probably in conjunction with assistance from the staff of
the associated PLMN.
Consequently, it is fair to state that the “Faking Case” can only be caused by deliberate
activities by a Spam-generating PLMN, a Spam-sponsoring PLMN, or a Spam-generating
SM-SC operator acting in conspiracy with a PLMN.
The figure below describes the example of a third party using the real SMSC address from
another mobile network. The SMS is sent to a real subscriber of mobile network B (the
originator must have the correct IMSI) or could be sent to a wrong IMSI (just to generate C7
overload).
The IMSI can be recovered by detecting the “Send Routing Information for Short Message".
In this case, the third party must use their own real SCCP / MAP SMSC address.
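[Figure: third party using the real SMSC address from another mobile network. Labels: Mobile Network A, IGP, International C7 Network, IGP, Mobile Network B, Subscriber B. Nodes: SMSC, HLR, STP, STP, MSC / VLR, BSS.]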
The third party could send the SMS to all VLRs of mobile network B if it cannot recover the
location of the subscriber (SRI for SM blocked by Mobile Network B).
The A_MSISDN could be wrong or manipulated.
The transaction flow for the SMS delivery is shown below:
[Figure: transaction flow between THIRD PARTY, STP, International C7 Network, MSC / VLR and SMS-C A]
TCAP Begin, MAP « Forward Short Message SMS Deliver », Called Party Address = GT of VLR B, Calling Party Address = GT of real SMSC from another Network, IMSI B = real or fake one
TCAP End, MAP « Forward Short Message SMS Deliver », Called Party Address = GT of the real SMSC
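A defender-side correlation check for the faking case described above, as an added example that is not part of the GSMA document: the IMSI is obtained through an SRI-for-SM sent from the third party's own real SMSC address, so an SMS Deliver whose claimed SMSC address never performed the SRI-for-SM for that IMSI is suspect. The record layout, field names, the 60-second window and all GT and IMSI values are constructed assumptions.

```python
from dataclasses import dataclass

WINDOW_S = 60  # assumed maximum delay between SRI-for-SM and the delivery


@dataclass(frozen=True)
class SriForSm:        # MAP Send Routing Info for Short Message, logged at the HLR
    ts: float
    calling_gt: str    # SCCP calling party GT of the requesting SMSC
    imsi: str          # IMSI returned to that SMSC


@dataclass(frozen=True)
class MtForwardSm:     # MAP Forward Short Message / SMS Deliver, logged at the VLR
    ts: float
    calling_gt: str    # SCCP calling party GT
    sc_address: str    # MAP Service Centre Address
    imsi: str


def classify(deliveries, sri_log):
    """Return (delivery, verdict) pairs; verdict is 'ok' or why it is suspect."""
    results = []
    for d in deliveries:
        recent = [s for s in sri_log
                  if s.imsi == d.imsi and 0 <= d.ts - s.ts <= WINDOW_S]
        if not recent:
            verdict = "no preceding SRI-for-SM for this IMSI"
        elif any(s.calling_gt == d.calling_gt == d.sc_address for s in recent):
            verdict = "ok"
        else:
            verdict = "claimed SMSC address did not perform the SRI-for-SM"
        results.append((d, verdict))
    return results


# Constructed sample traffic (all GTs and IMSIs are made up).
SRI_LOG = [
    SriForSm(100.0, "33600000001", "208010000000001"),   # legitimate SMSC
    SriForSm(200.0, "99900000777", "208010000000002"),   # third party's own GT
]
DELIVERIES = [
    MtForwardSm(101.5, "33600000001", "33600000001", "208010000000001"),
    MtForwardSm(201.0, "44700000055", "44700000055", "208010000000002"),  # faked
    MtForwardSm(300.0, "44700000055", "44700000055", "208010000000003"),  # no SRI
]

if __name__ == "__main__":
    for d, verdict in classify(DELIVERIES, SRI_LOG):
        print(d.imsi, d.calling_gt, "->", verdict)
```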
5 Spoofing Case
5.1 Definition
The spoofing case is related to an illegal use of the HPLMN SMS-C by a third party.
In this case, an SMS MO with a manipulated A-MSISDN (real or wrong) comes into the
HPLMN network from a foreign VLR (real or wrong SCCP Address).
5.2 Technical Aspect
From the HPLMN's point of view, a subscriber is roaming and sending an SMS. In fact, this is not
a real subscriber: the message is not sent by a real mobile but is generated by a specific
system with a C7 application.
The A-MSISDN being used may in fact be real or not depending on the screening in place in
the HPLMN SMS-C (Screening on CC+NDC or No A-MSISDN screening in place).
The figure below describes the case with a real A-MSISDN and real VLR SCCP address
from another Mobile Network.
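[Figure: spoofing with a real A-MSISDN and real VLR SCCP address from another mobile network. Labels: Mobile Network A, IGP, International C7 Network, IGP, Mobile Network B. Nodes: SMSC, HLR, STP, STP, MSC / VLR, BSS.]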
The MAP message "Forward Short Message / SMS Submit acknowledge" is sent to the real
VLR.
If the billing is made from the SMS-C data, the real subscriber will be invoiced. If the billing is
made from the TAP file, no one will be invoiced.
The message flow for the SMS delivery is shown below:
[Figure: message flow between THIRD PARTY, STP, International C7 Network, SMS-C and MSC / VLR]
TCAP Begin, MAP « Forward Short Message SMS Submit », Calling Party Address = GT of another VLR
TCAP End, MAP « Forward Short Message SMS Submit », Called Party Address = GT of the real VLR
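The screening levels mentioned in 5.2, compared side by side as an added example that is not part of the GSMA document: CC+NDC screening rejects an A-MSISDN outside the home ranges but still accepts a real or wrong number inside them. The third level, comparing the calling VLR GT with the subscriber's registered VLR, is a control not described in this document; the prefix list, the table standing in for an HLR lookup and all numbers are constructed assumptions.

```python
HOME_PREFIXES = ("33660", "33661")   # assumed CC+NDC ranges of the HPLMN

# Assumed stand-in for an HLR query: A-MSISDN -> GT of the VLR where the
# subscriber is currently registered (constructed data).
REGISTERED_VLR = {
    "33660000001": "49170000010",    # roaming, served by this foreign VLR
    "33661000002": "33660009001",    # at home
}


def screen_mo(a_msisdn, calling_vlr_gt, level):
    """Screen one MO Forward SM (SMS Submit) at the HPLMN SMS-C.

    level is 'none', 'cc_ndc' or 'location'. Returns 'accept' or a reject reason.
    """
    if level == "none":
        return "accept"
    if not a_msisdn.startswith(HOME_PREFIXES):
        return "reject: A-MSISDN outside home CC+NDC"
    if level == "cc_ndc":
        return "accept"
    registered = REGISTERED_VLR.get(a_msisdn)
    if registered is None:
        return "reject: A-MSISDN is not a known subscriber"
    if registered != calling_vlr_gt:
        return "reject: calling VLR GT is not the subscriber's registered VLR"
    return "accept"


# Constructed submits: (A-MSISDN, SCCP calling party GT)
SUBMITS = [
    ("33660000001", "49170000010"),  # genuine roaming subscriber
    ("33660000001", "99900000777"),  # real A-MSISDN, sent from another GT
    ("33660999999", "99900000777"),  # wrong A-MSISDN inside the home range
    ("44770000003", "99900000777"),  # A-MSISDN of another operator
]


def compare_levels(submits=SUBMITS):
    """Return {level: [verdict per submit]} to show what each level lets through."""
    return {level: [screen_mo(a, gt, level) for a, gt in submits]
            for level in ("none", "cc_ndc", "location")}


if __name__ == "__main__":
    for level, verdicts in compare_levels().items():
        print(level, verdicts)
```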
6 GT Scanning
6.1 Definition
GT scanning is the sending of SMS MO to all Global Title addresses of one mobile
operator in order to find unsecured SMS-Cs (SMS-Cs that are not controlling the A number).
6.2 Technical aspect
Multiple SMS Forward SM Submits are received, generally, from the same mobile MSISDN
with the Called SCCP Address and Service Centre Address incremented on each attempt.
It would appear that individuals using a mobile with a computer connection are instigating
these scans.
The easiest of these scans to spot are sequential in nature, scanning 10,000 GT at a time.
Randomised scans have also been seen, though on sorting the data it is clear that blocks are
being scanned.
This type of messaging is picked up in normal statistics in monitoring expected and
unexpected combinations of direction, GT and message type.
There can be no valid reason for such scanning of networks other than locating unsecured
SMSC. With simpler computer integration with mobiles and SMS emulation software readily
available this type of activity is likely only to increase. It would be desirable for such activities
to be reported to the Home PLMN of the originating MSISDN in order to have service
removed.
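The sorting step described above, as an added example that is not part of the GSMA document: group MO Forward SM attempts by originating MSISDN, sort the called GTs, and report dense blocks whether the attempts arrived in sequence or in scrambled order. The record layout, the two thresholds and all MSISDN and GT values are constructed assumptions.

```python
from collections import defaultdict

MIN_GTS = 50   # assumed: distinct called GTs in one block before alerting
MAX_GAP = 5    # assumed: largest hole tolerated inside a block


def find_scans(records):
    """records: (a_msisdn, called_gt) per MO Forward SM attempt, in arrival order.

    Returns one dict per dense block of called GTs probed by the same A-MSISDN.
    """
    seen = defaultdict(dict)              # a_msisdn -> {gt: None}, keeps arrival order
    for a_msisdn, gt in records:
        seen[a_msisdn][int(gt)] = None    # GTs assumed to be plain digit strings
    alerts = []
    for a_msisdn, gts in seen.items():
        arrival = list(gts)
        ordered = sorted(arrival)         # sorting exposes blocks even if randomised
        block = [ordered[0]]
        for gt in ordered[1:] + [None]:   # trailing None flushes the last block
            if gt is not None and gt - block[-1] <= MAX_GAP:
                block.append(gt)
                continue
            if len(block) >= MIN_GTS:
                lo, hi = block[0], block[-1]
                in_order = [g for g in arrival if lo <= g <= hi]
                alerts.append({
                    "a_msisdn": a_msisdn, "first_gt": str(lo), "last_gt": str(hi),
                    "count": len(block),
                    "pattern": "sequential" if in_order == block else "randomised",
                })
            block = [gt]
    return alerts


def sample_records():
    """Constructed traffic; every MSISDN and GT here is made up."""
    base = 33609000000
    sequential = [("447700900001", str(base + i)) for i in range(200)]
    # 300 GTs visited in a scrambled order (7 is coprime to 300, so no repeats)
    scrambled = [("447700900002", str(base + 50000 + (i * 7) % 300))
                 for i in range(300)]
    normal = [("33660000001", "33609001234")] * 20   # one subscriber, one SMS-C
    return sequential + scrambled + normal


if __name__ == "__main__":
    for alert in find_scans(sample_records()):
        print(alert)
```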
7 Open SMS-C Case
7.1 Definition
An open SMS-C is an SMS-C that accepts SMS submissions from mobile subscribers that are
not clients of the open SMS-C operator. The SMS-C delivers the submitted SMS to the
destination subscriber for free.
The subscriber has to change the SMS-C address in his UE to that of the open SMS-C.
The figure below shows the parties involved in the open SMS-C case.
[Figure: parties involved in the open SMS-C case. Parties: HPMN B, Origin Subscriber B, PMN C, Open SMS-C C, PMN D, HLR, Destination Subscriber D. Flows: (1) SMS-SUBMIT, (2) SRI-for-SM, SMS-IW Charge.]
When roaming, the HPMN B will not be able to charge subscriber B for the SMS as it does
not provide the service. But VPMN A will charge HPMN B for the roaming cost. HPMN B
bears the cost without being able to receive revenues. PMN C may incur charges to deliver
the SMS to the destination subscriber D if:
- Scenario 2: the open SMS-C is located in the VPMN A country. The PMN C
and VPMN A can be connected using a direct connection, a national SS7
network or the international one.
[Figure: open SMS-C, Scenario 2. Parties: VPMN A, MSC A, HPMN B, Home SMS-C, Origin Subscriber B, PMN C, Open SMS-C C, PMN D, HLR, Destination Subscriber D. Labels: Nat or Int SS7 network, Int SS7 network, Same country. Flows: (1) SMS-SUBMIT, (2) SRI-for-SM.]
Document Management
Document History
Version | Date | Brief Description of Change | Approval Authority | Editor / Company
1.0.0 | December 15th, 2003 | Produced by Matthieu FOUQUET Bouygues Telecom (France) and T-Mobile Group | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
1.1.0 | March 29th, 2004 | First remarks added. | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
2.0.0 | July, 19th 2004 | Rename as IR.71 document | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
2.1.0 | July, 20th 2004 | Title modification | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
2.2.0 | July, 20th 2004 | Final version for approval | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
3.0.0 | August, 4th 2004 | Version approved | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
3.1 | February, 16th 2005 | GT Scanning case added | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
3.1 | 11 July 2005 | This document has been declassified from RESTRICTED to UNRESTRICTED. This was approved by GSMA/CTO. | IREG/EMC | Matthieu Fouquet / Bouygues Telecom
4.0 | May 2013 | includes CR1001 that creates a new section 7 to describe the open SMSC issue. | IREG/PSMC | Laurent Dequidt, Bouygues Telecom
Other Information
Type | Description
Document Owner | IREG
Editor / Company | Laurent Dequidt, Bouygues Telecom
It is our intention to provide a quality product for your use. If you find any errors or omissions,
please contact us with your comments. You may notify us at prd@gsm.org