Telco · April 2025 · 7 min read

SS7 Protocol Fraud Detection for Telecom SOC Teams

How DKTrace's telco-monitor detects SIM swap fraud, location tracking, and call interception by analysing MAP messages for anomalous operation sequences — with no lawful intercept required.


DKTrace Research Team

Security Engineering · Threat Research

What Is SS7?

SS7 (Signalling System 7) is the protocol stack that enables phone calls and SMS between carriers worldwide. Despite being 40+ years old, it remains the backbone of global telephony — designed before cybersecurity existed as a discipline.

DKTrace's telco-monitor (port 8117) parses live SS7 MAP messages via SIGTRAN M3UA/SCTP. No lawful intercept required — only the SS7 signalling plane is monitored.

Attack Pattern 1: SIM Swap (UpdateLocation)

An attacker with SS7 access sends an UpdateLocation message to the target's HLR, claiming the subscriber's IMSI is now registered on their rogue MSC. Incoming calls and SMS (including 2FA codes) are redirected.

DKTrace Detection:

UpdateLocation requests from unexpected SCCP point codes (not in carrier whitelist)
Subscriber location changing from the home country to a foreign MSC in under 5 minutes
Correlation: if a banking 2FA event fired for this subscriber in the same 60-second window → CRITICAL alert

Attack Pattern 2: Location Tracking (SendRoutingInfo)

Attackers query the HLR/VLR for a subscriber's location without the subscriber's knowledge. Used for physical surveillance, targeting of journalists, and corporate espionage.

DKTrace Detection:

Excessive SRI or PSI queries for the same IMSI from non-whitelisted originating point codes
Rate: > 5 SRI queries/hour for a single IMSI from a single OPC → anomalous
Non-home-network PSI queries → immediate alert

Attack Pattern 3: Call Interception (RegisterSS)

Unconditional call forwarding is set via SS7 without the subscriber initiating it. All calls are silently forwarded to an attacker-controlled number.

DKTrace Detection:

RegisterSS operations where the forwarding-to number is not in the subscriber's expected contact patterns (UEBA)
SS7 supplementary service operations from unexpected SCCP addresses
Forwarding-to number matches known fraud number database (TI feed)
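The three detection rule sets above can be expressed as a small correlation engine over decoded MAP events. The following Python is an added illustration written for this page; it is not DKTrace's telco-monitor code, and the event schema (`MapEvent`), the trusted point-code set, the thresholds, the 2FA feed and every IMSI, number and point code in the sample telemetry are constructed assumptions. It implements the whitelist, velocity and 2FA-correlation checks for UpdateLocation, the per-IMSI/per-OPC SRI rate window and non-home PSI check, and the RegisterSS forwarding-number checks in one pass over sample events.

```python
"""Toy SS7 MAP anomaly detector covering the three attack patterns described above.
Added example with a constructed event schema; not DKTrace's implementation."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed operator policy (constructed); real deployments load these from config and TI feeds.
TRUSTED_OPCS = {1001, 1002}        # carrier whitelist of originating point codes
HOME_COUNTRY = "DE"
SRI_RATE_LIMIT = 5                 # page rule: > 5 SRI/hour per (IMSI, OPC) is anomalous
SRI_WINDOW = 3600                  # seconds
LOCATION_VELOCITY_WINDOW = 300     # page rule: home -> foreign MSC in under 5 minutes
TWOFA_CORRELATION_WINDOW = 60      # page rule: banking 2FA within 60 s of UpdateLocation


@dataclass
class MapEvent:
    ts: int               # epoch seconds
    opc: int              # originating SCCP point code
    op: str               # MAP operation name
    imsi: str
    country: str = ""     # country of the MSC/VLR claimed in UpdateLocation
    forward_to: str = ""  # forwarding target number carried in RegisterSS


def alert(severity, rule, ev):
    return {"severity": severity, "rule": rule, "imsi": ev.imsi, "opc": ev.opc, "ts": ev.ts}


def detect_sim_swap(events, twofa_times):
    """Pattern 1: UpdateLocation from an untrusted OPC, fast home->foreign move, 2FA correlation."""
    alerts, last_seen = [], {}  # last_seen[imsi] = (ts, country)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "UpdateLocation":
            continue
        if ev.opc not in TRUSTED_OPCS:
            alerts.append(alert("HIGH", "updatelocation_untrusted_opc", ev))
        prev = last_seen.get(ev.imsi)
        if (prev and prev[1] == HOME_COUNTRY and ev.country != HOME_COUNTRY
                and ev.ts - prev[0] < LOCATION_VELOCITY_WINDOW):
            alerts.append(alert("HIGH", "location_velocity", ev))
        if any(abs(ev.ts - t) <= TWOFA_CORRELATION_WINDOW for t in twofa_times.get(ev.imsi, [])):
            alerts.append(alert("CRITICAL", "sim_swap_2fa_correlation", ev))
        last_seen[ev.imsi] = (ev.ts, ev.country)
    return alerts


def detect_location_tracking(events):
    """Pattern 2: sliding-hour SRI count per (IMSI, OPC); any PSI from a non-home OPC."""
    alerts, windows = [], defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "ProvideSubscriberInfo" and ev.opc not in TRUSTED_OPCS:
            alerts.append(alert("HIGH", "psi_from_non_home_network", ev))
        elif ev.op == "SendRoutingInfo" and ev.opc not in TRUSTED_OPCS:
            q = windows[(ev.imsi, ev.opc)]
            q.append(ev.ts)
            while q and ev.ts - q[0] >= SRI_WINDOW:   # drop queries older than one hour
                q.popleft()
            if len(q) == SRI_RATE_LIMIT + 1:          # fire once when the threshold is crossed
                alerts.append(alert("MEDIUM", "sri_rate_exceeded", ev))
    return alerts


def detect_call_interception(events, expected_contacts, fraud_numbers):
    """Pattern 3: RegisterSS forwarding to an unexpected or known-fraud number."""
    alerts = []
    for ev in events:
        if ev.op != "RegisterSS":
            continue
        if ev.opc not in TRUSTED_OPCS:
            alerts.append(alert("HIGH", "registerss_untrusted_opc", ev))
        if ev.forward_to in fraud_numbers:
            alerts.append(alert("CRITICAL", "forward_to_known_fraud_number", ev))
        elif ev.forward_to not in expected_contacts.get(ev.imsi, set()):
            alerts.append(alert("MEDIUM", "forward_to_outside_contact_pattern", ev))
    return alerts


# Constructed sample telemetry; every IMSI, number and point code here is made up.
SAMPLE_EVENTS = [
    MapEvent(1000, 1001, "UpdateLocation", "262011234567890", country="DE"),
    MapEvent(1120, 4242, "UpdateLocation", "262011234567890", country="XX"),  # rogue MSC, 2 min later
    *[MapEvent(2000 + i * 60, 4242, "SendRoutingInfo", "262011234567890") for i in range(7)],
    MapEvent(3000, 4242, "ProvideSubscriberInfo", "262019999999999"),
    MapEvent(4000, 4242, "RegisterSS", "262011234567890", forward_to="+100000000001"),
    MapEvent(5000, 1001, "RegisterSS", "262019999999999", forward_to="+491700000002"),
]
SAMPLE_2FA = {"262011234567890": [1130]}        # banking OTP 10 s after the rogue UpdateLocation
EXPECTED_CONTACTS = {"262019999999999": {"+491700000002"}}
FRAUD_NUMBERS = {"+100000000001"}               # stand-in for a TI feed


def run_all(events=SAMPLE_EVENTS, twofa=SAMPLE_2FA, contacts=EXPECTED_CONTACTS, fraud=FRAUD_NUMBERS):
    return (detect_sim_swap(events, twofa) + detect_location_tracking(events)
            + detect_call_interception(events, contacts, fraud))


if __name__ == "__main__":
    for a in run_all():
        print(a["severity"], a["rule"], a["imsi"], "opc", a["opc"])
```

Running it on the sample data yields seven alerts: three for the rogue UpdateLocation (untrusted OPC, home-to-foreign within 5 minutes, and the CRITICAL 2FA correlation), one when the sixth SRI from the same OPC lands inside the hour, one for the non-home PSI, and two for the RegisterSS from the rogue OPC pointing at a listed fraud number. The trusted RegisterSS to a known contact produces nothing. The SRI counter fires only at the moment the threshold is crossed, which keeps a single sustained scan from generating one alert per query.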

Deployment for Telco SOC Teams

DKTrace telco-monitor connects to your STP (Signal Transfer Point) or HLR probe via:

SIGTRAN M3UA over SCTP (recommended)
SS7-over-IP gateway
SS7 probe TAP (passive, read-only)

No changes to your signalling network required. Passive monitoring only.

See It Live

Watch DKTrace detect this threat in your environment

Our engineers will run a live detection simulation against a sample of your log telemetry — no agents, no commitment.

Request a Live Demo