The aim is to minimize the impact of possible Toll Fraud by detecting suspicious traffic at an early stage.
There are notorious destinations such as Albania, Afghanistan, Cuba, Congo, Sierra Leone, Somalia, Palestine, Bosnia and Herzegovina, Premium UK numbers, etc. The idea of protection is based on the following:
Legitimate traffic to these destinations is pretty low;
It's possible to get the list of such suspicious destinations.
Additional info
At the moment we have Fraud Protection mechanisms based on Geo / Risk Profiles. Geo / Risk Profiles protect against identity theft, where hackers steal a login/password and send traffic from a different country. Business customers with IP PBXes, however, are getting hacked in such a way that the fraud traffic originates from or passes through the IP PBX. In that case Geo / Risk Profiles do not provide protection, which motivates customers to look for other types of protection.
Previous attacks show us that hackers normally try to exploit expensive destinations (which provide higher payout rates - more $$) and send as many calls as they can. This results in bursts of traffic to destinations you normally have only a few calls to - Afghanistan, Cuba, Congo, Sierra Leone. If you have zero to 50 minutes to Cuba per hour, a burst to 300 minutes is worth attention and investigation.
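The burst check described above, as an added example that is not part of the original document: it sums minutes per hour for watch-listed destinations and flags any hour above a multiple of the normal hourly maximum, ranking the accounts that sent the traffic. The watch-list values, the factor of 3, the account names and the CDR tuple layout are assumptions; only the Cuba figures (zero to 50 and 300 minutes) come from the text.

```python
from collections import defaultdict
from datetime import datetime

# Assumed watch list: destination -> normal maximum minutes per hour.
# Only the Cuba figure (zero to 50 minutes per hour) comes from the text.
BASELINE_MAX = {"Cuba": 50, "Somalia": 10, "Sierra Leone": 10}
BURST_FACTOR = 3  # assumed: alert when an hour exceeds 3x the normal maximum

# Constructed CDRs: (start time, account, destination, duration in seconds).
SAMPLE_CDRS = (
    [("2024-05-01T01:10:00", "acct-3", "Cuba", 40 * 60)]          # normal hour
    + [("2024-05-01T02:%02d:00" % (m * 5), "pbx-17", "Cuba", 28 * 60)
       for m in range(10)]                                        # 280 min burst
    + [("2024-05-01T02:30:00", "acct-3", "Cuba", 20 * 60)]        # legitimate call
    + [("2024-05-01T02:15:00", "acct-9", "Germany", 500 * 60)]    # not watched
)


def detect_bursts(cdrs, baseline=BASELINE_MAX, factor=BURST_FACTOR):
    """Return one alert per (hour, watched destination) whose minutes exceed
    factor x the normal hourly maximum. A call counts toward its start hour."""
    per_account = defaultdict(lambda: defaultdict(float))
    for start, account, dest, seconds in cdrs:
        if dest not in baseline:
            continue  # destinations with high legitimate volume are ignored
        hour = datetime.fromisoformat(start).strftime("%Y-%m-%d %H:00")
        per_account[(hour, dest)][account] += seconds / 60
    alerts = []
    for (hour, dest), accounts in sorted(per_account.items()):
        total = sum(accounts.values())
        threshold = baseline[dest] * factor
        if total > threshold:
            # Rank accounts so the investigation starts at the biggest sender.
            ranked = sorted(accounts.items(), key=lambda kv: -kv[1])
            alerts.append({"hour": hour, "destination": dest,
                           "minutes": round(total), "threshold": threshold,
                           "top_accounts": ranked})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_CDRS):
        print(alert)
```

Because the ranking is per account, a compromised IP PBX shows up as the top sender even though its traffic comes from the expected country.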
Definitions, acronyms and abbreviations
Toll Fraud – the hijacking of a phone system to dial out to payout numbers in distant countries. The hacker signs up for some premium numbers, sends calls to these numbers through compromised accounts and receives money – up to 10% of the costs.