The global telecommunications sector continues to face unprecedented pressure from organized cybercrime. According to the CFCA Global Fraud Loss Survey, global losses from telecom fraud in 2025 are estimated at approximately $41.82 billion, showing a sharp increase compared to $38.95 billion in 2023. The primary driver of this trend remains the exploitation of fundamental vulnerabilities in legacy signaling protocols used for global roaming and call routing.
For modern telecom operators, building a robust security perimeter is a critical requirement for protecting revenue and maintaining corporate client trust. Transitioning to new communication standards and open architectures does not automatically solve the problem, as the need for backward compatibility forces operators to maintain legacy protocols for years, creating vectors for sophisticated attacks at the intersection of technological generations.
Anatomy of signaling threats: why SS7 and Diameter remain open doors for attackers
The SS7 (Signaling System No. 7) network was designed in an era when only a few trusted state monopolies had access to it. Its architecture lacked mechanisms for authenticating the sender of signaling packets. Today, any attacker who illegally obtains a Point Code through compromised providers can send service messages to any point in the world.
The Diameter protocol, which replaced SS7 in 4G (LTE) networks, was intended to solve security issues through the use of IPsec or TLS at the transport layer. However, in practice, Diameter inherited the same trust model at the application layer. If an attacker gains access to the border signaling controller of even one operator in a roaming consortium, they gain the ability to attack subscribers globally.
The European Union Agency for Cybersecurity (ENISA), in its ENISA Threat Landscape report, analyzed 4,875 incidents between July 1, 2024, and June 30, 2025, confirming that the exploitation of legacy signaling protocols remains a permanent security risk for mobile networks. The most common attack vectors include:
- SMS traffic interception: By sending a spoofed Update Location message, an attacker forces the network to believe the subscriber is on their virtual switch. All incoming SMS, including one-time passwords (2FA), are redirected to the attacker's equipment.
- Geolocation tracking: Requests allow for the identification of a Cell ID without the subscriber's knowledge, revealing the device's precise location.
- Denial of Service (DoS): Sending malformed signaling packets can lead to disconnecting a subscriber from the network or overloading signaling nodes (STP/DRA).
Analysis of IRSF and Wangiri schemes: how technical vulnerability converts into financial losses
Signaling vulnerabilities act as a catalyst for complex fraud schemes that cause direct financial losses to operators. The most destructive among these are IRSF and Wangiri schemes.
International Revenue Share Fraud (IRSF)
According to the CFCA report (2023 data), losses from IRSF amounted to approximately $6.23 billion. The essence of the scheme lies in generating unauthorized high-tariff traffic to Premium Rate Numbers in countries with high interconnect rates.
To implement IRSF, fraudsters often exploit vulnerabilities in corporate SIP trunks or purchase SIM cards using stolen personal data. The latter method is linked to subscription fraud, which generates about $5.31 billion in annual losses. Once access to resources is obtained, attackers launch mass auto-dialing to premium numbers they have rented themselves. By the time the operator detects anomalous activity, the bill for international interconnect can reach hundreds of thousands of dollars.
Wangiri (callback fraud)
This scheme is designed to provoke a callback. A call generator mass-dials a database of operator numbers, dropping the call after the first ring (often accompanied by A-number spoofing). The subscriber calls back a high-tariff international number. Fraudsters use interactive voice response (IVR) systems to keep the subscriber on the line for as long as possible.
Hybrid architecture: protecting the signaling interface during the transition from legacy to cloud-native
The evolution of telecom networks is aimed at implementing TM Forum Open Digital Architecture (ODA) concepts, which replace monolithic BSS/OSS with a componentized, API-first architecture. Simultaneously, 3GPP consortium releases define 5G Standalone functionality and the further development of networks based on a service-oriented architecture, where signaling is performed via the HTTP/2 protocol.
However, the transition to 5G Standalone does not automatically eliminate signaling threats. Operators maintain a hybrid environment where the 5G core interacts with 4G (Diameter) and 2G/3G (SS7) to ensure roaming. This creates new attack vectors: an attacker can send a malicious request from an SS7 network, which is then translated by an Interworking Function (IWF) into a Diameter or HTTP/2 message within the 5G core. Protecting such a hybrid interface requires end-to-end monitoring of signaling events across different technological generations.
Technological barriers: the role of signaling firewalls and SIP identity mechanisms
To protect networks, operators implement a complex of specialized technical tools:
- Signaling Firewalls (SS7/Diameter): These firewalls analyze incoming signaling traffic. They filter packets that should never arrive from roaming (Category 1 and 2 per GSMA specifications) and perform stateful inspection (Category 3). For example, the speed of subscriber movement is checked: if an Update Location request arrives from another continent 5 minutes after previous activity, it is blocked.
- SIP Identity mechanisms (RFC 8224): To protect voice traffic at the SIP level, the IETF RFC 8224 standard is used, which describes identity authentication. The STIR technology allows the initiator to sign the Caller ID with a cryptographic certificate. This reduces the risk of number spoofing at the transit level. However, this mechanism is not a panacea for IRSF, as it does not prevent the generation of traffic to premium numbers from compromised accounts.
Building an integrated anti-fraud perimeter: from monitoring to secure billing
Effective fraud prevention requires the integration of signaling security tools with real-time commercial billing systems. Operators must be able to automatically block anomalous directions at the voice core level before financial losses occur.
For telecom operators and enterprise clients, the Intecracy Group alliance offers the modernization of telecom architecture using the carrier-grade VoIP platform DooxSwitch. It combines switching, routing optimization (LCR), and real-time billing functions. Through integrated CDR analysis, the platform allows for the instant detection of traffic spikes characteristic of IRSF and the blocking of compromised SIP trunks.
For the development of self-service portals, incident management systems, integration layers with state registries, and MNP, the low-code platform UnityBase is used, which is a joint development of Intecracy Group companies (where InBase is a key, but not the only, developer). By utilizing UnityBase platform mechanisms—a unified domain model (Domain metadata), role-based (RBAC) and row-level (RLS) access control, as well as built-in audit trail mechanisms—enterprise solutions are created that meet high information security requirements, including ISO/IEC 27001 standards and NIS2 directive requirements.
Matrix of signaling threats and technical countermeasures
| Threat | Attack Vector | Defense Method |
|---|---|---|
| Traffic interception via SS7/Diameter | Spoofing Update Location messages | Signaling Firewall with source legitimacy analysis (Category 3 STP/DRA rules) |
| IRSF (International Revenue Share Fraud) | Unauthorized traffic generation to premium numbers via vulnerable SIP trunks | Real-time CDR monitoring, blocking anomalous traffic spikes, destination limits |
| Wangiri (callback fraud) | Mass short-call generator (A-number spoofing) | Automatic detection of mass-dialing patterns, integration with blacklisted number range databases |
FAQ
How does a Signaling Firewall distinguish a legitimate roaming SS7 request from an attacker's request?
A Signaling Firewall uses stateful inspection and GSMA filtering rules. It checks the context: if a subscriber location update request arrives from a node in one country, but previous signaling messages indicate the subscriber is in another and could not have physically traveled that distance (velocity check), the request is blocked as an anomaly.
Does the transition to 5G Standalone and HTTP/2 solve signaling security problems completely?
No. Although 5G Standalone introduces a modern service-oriented architecture with encryption on interfaces (SEPP), operators must maintain roaming with 3G/4G networks. Vulnerabilities persist at the interfaces where Interworking Functions (IWF) translate signaling from legacy SS7/Diameter protocols into the 5G core.
What are the technical limitations of implementing STIR/SHAKEN for Caller ID spoofing protection in transit networks?
STIR/SHAKEN protocols require end-to-end SIP signaling support along the entire route. If traffic passes through legacy segments (e.g., TDM or SS7 switching), cryptographic signatures are lost. Furthermore, the standard only authenticates the sender's identity but does not stop traffic generation from real, yet compromised, accounts, as occurs in IRSF.