White Paper Excerpt

Zero-Rating Fraud – A More Complete Picture

Zero-rated access is especially valuable for essential services such as healthcare, education, and government platforms—commonly referred to as Type 1 services by the UK regulator Ofcom. Whether used as a promotional strategy or to ensure access to critical services, zero-rating is expanding in scope and implementation. While end users are not charged for this data usage, it may still appear on bills to demonstrate the value of the telecom service provided.

Examples of Zero-Rated Access Include:

  • Promotional social media access – e.g., zero-rated WhatsApp™ and Facebook in Brazil.
  • Educational and public services – e.g., free access to public benefit organizations (PBOs) in South Africa.
  • Commercial promotions – e.g., free Uber data provided by Safaricom.

There is also a class of technical traffic essential to internet access—such as Domain Name System (DNS) queries—which is typically zero-rated. DNS functions as a control/signalling protocol and operates over well-known ports assigned by the Internet Assigned Numbers Authority (IANA), such as port 53. Many mobile operators zero-rate this traffic. However, DNS can be exploited to transfer data via extended records, effectively turning it into a covert channel for data exchange.

Zero-Rating Fraud: A Growing Concern

In our research, we explore how users are exploiting zero-rated services to access data beyond what is intended—essentially obtaining ‘free’ internet access. We have observed that up to 2% of TCP and UDP traffic (the core internet transports) in certain sessions may be associated with such fraudulent activity.

A single DNS attack accessed 7MB of data per minute

For example, a single DNS-based attack using randomly generated domain names was able to exfiltrate up to 7MB of data per minute—completely unbilled and unmonitored. Over just five minutes, this amounts to 35MB—the average size of a mobile app. Given that DNS traffic flows both ways, this method could be used for data exfiltration or unauthorized downloads, creating both revenue loss and a significant security risk.

Taking a new look at the problem

In our updated paper, we delve into the anatomy of such attacks and outline what network operators and MVNOs should consider before launching a zero-rated offer. Critical internet protocols like DNS, though not intended for content delivery, are often indirectly zero-rated and must be monitored closely for both security and revenue protection.
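One way an operator could monitor zero-rated DNS for the pattern described above (high volume carried by many randomly generated names under one domain) is sketched below. This is an added example, not code from the paper or from Enea; the record layout, function names, thresholds and sample records are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def parent_domain(qname):
    # Assumption: last two labels = registered domain; production would use the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def flag_dns_bypass(records, max_bytes=100_000, max_names=50, min_entropy=3.0):
    """records: (epoch_s, subscriber, qname, query_bytes, response_bytes) tuples.
    Thresholds are illustrative assumptions, applied per subscriber, minute, domain."""
    buckets = defaultdict(lambda: {"bytes": 0, "names": set()})
    for ts, sub, qname, qbytes, rbytes in records:
        bucket = buckets[(sub, ts // 60, parent_domain(qname))]
        bucket["bytes"] += qbytes + rbytes        # DNS carries data in both directions
        bucket["names"].add(qname.lower())
    alerts = []
    for (sub, minute, domain), bucket in sorted(buckets.items()):
        labels = [name.split(".")[0] for name in bucket["names"]]
        mean_entropy = sum(label_entropy(lab) for lab in labels) / len(labels)
        # Volume alone is not enough: require many distinct, random-looking names too.
        if (bucket["bytes"] > max_bytes and len(labels) > max_names
                and mean_entropy >= min_entropy):
            alerts.append({"subscriber": sub, "minute": minute, "domain": domain,
                           "bytes": bucket["bytes"], "unique_names": len(labels),
                           "mean_entropy": round(mean_entropy, 2)})
    return alerts

def build_sample():
    """Constructed records for one minute; not real traffic."""
    base = 1_700_000_040  # minute-aligned epoch timestamp
    recs = []
    for i in range(200):  # sub-A: 200 random-looking names under one domain
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        recs.append((base + i % 60, "sub-A", f"{label}.t.example.net", 90, 1100))
    for i in range(30):   # sub-B: ordinary lookups of a few stable names
        host = ("www", "api", "mail")[i % 3]
        recs.append((base + i, "sub-B", f"{host}.example.org", 60, 150))
    for i in range(1000): # sub-C: heavy but repetitive, one low-entropy name
        recs.append((base + i % 60, "sub-C", "www.example.com", 60, 150))
    return recs

if __name__ == "__main__":
    print(*flag_dns_bypass(build_sample()), sep="\n")
```

On the constructed sample only sub-A is flagged: sub-C exceeds the byte threshold but queries a single stable name, so volume by itself does not raise an alert.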

Fraudulent users are becoming increasingly sophisticated, often sharing tactics in online communities. For instance, one group discussing Server Name Indication (SNI) fraud has over 20,000 followers.

Looking Ahead

In our next excerpt, we will discuss actionable steps that operators can take to safeguard their networks and revenue streams—ensuring that zero-rated offerings are secure, properly enforced, and used as intended.


Enea Data Charging Bypass Fraud Protect Revenue White Paper Sept 2025