What if annoying spam calls weren’t just about telemarketers asking you to buy their products? What if it wasn’t just them pestering you with questions to see if the product is right for you? What if the telemarketers’ initiative was about identity fraud, selling you faulty products and abusing businesses?
Telemarketing has taken a turn for the worse and has morphed into robotic phone spam (robospam), a new initiative that attackers and telemarketers have begun abusing for financial gain, fraud and a swath of other criminal activities.
What is RoboSpam?
RoboSpam is short for robotic spam, and is a new initiative attackers have begun. RoboSpam is an automated phone call or telemarketing scheme an attacker will send to your phone in hopes of getting someone to answer. When the number is dialed, the robot will wait for an answer or for the dial tone to stop; once this occurs, the message will begin playing. The played message usually offers a “free credit report”, a “free cruise”, or something tempting in the eyes of the consumer. From there, the message will say to press one to talk to a live person, or two to be removed from the list. If the consumer chooses either of the two, they are automatically added to an actor’s list for heavy abuse. Say the consumer presses two to stop receiving calls: this lets the attacker know the line is active, with a human on the other end they can actively sell to. Once that is pressed, in most cases you will be added to the list and abused via the telephone beyond belief.
Say you take these criminals up on their nice offering. A live person will answer the line and ask some general questions to make it appear to be a legitimate business. From there, the live person will want some details, which may pertain to payment card numbers, social security numbers, PIN numbers, banking information or something else of value. Once the call ends, fraud can ensue from there forward. Attackers can create faulty credit cards, commit identity fraud, make fraudulent purchases, or just abuse the information as any high-class criminal would.
One thing to note is that when some of these robotic spam lines gather your data, it may not be used to wreak havoc on your life. Some of these calls are real, but they are selling faulty products that don’t work. A member at the FTC told Freedom Hacker that they found a company selling diet pills and shipping them to people’s homes; the product was real, but did not work. Instead, the firm selling these products was selling fraudulent pills. The company was later sued, but not all scams are obvious. They could appear totally legitimate at their front.
Who is behind RoboSpam?
Who is behind the billion-dollar fraudulent operations may remain unknown. Patricia Hsue, Staff Attorney in the Division of Marketing Practices, Bureau of Consumer Protection at the FTC, told us “it really varies… it could be one company trying to sell their faulty product, another marketing firm selling a product on behalf of another company, or even a team in their basement if they have the proper robospam equipment.” RoboSpam is not just a bunch of cybercriminals doing dirty work for a few hours, cleaning up their traces, and jumping ship. These operations are carefully crafted, and can range upwards in the millions of dollars.
Is this an overreaction to robotic phone spam? Absolutely not. Robospam is costing the FTC and consumers billions each year to clean up the mess and stop these criminal organizations.
Is RoboSpam Really an Issue?
Robospam is in fact a very big issue. As stated previously, not only is it costing the government and the people billions, it is an invasion of our lives. Hsue told us “it is a huge problem for consumers – they are a nuisance invading our privacy, interrupting our time, and can cause major financial fraud on a variety of levels.” She went on to tell us “the FTC receives an average of 150,000 complaints each month, and that is just from consumers submitting complaints.” Many do not know the FTC has an area to submit telemarketers’ numbers aligned with robospam fraud. She told us “for every one complaint we receive, there are likely over one hundred calls being made.”
If this is such a big issue, how much is it really costing us? Is it costing us through fraud, phone minutes, personal time, etc.?
“It’s all of the above – minute time or increased costs on your phone bill, your personal data, your time, and your money. These calls are more than just a nuisance – think about the elderly or others who have a hard time moving around that are waiting for legitimate calls. Answering these calls costs them their time and energy, and increases their risk for injury,” Hsue said. Though there are no hard numbers, a quick glance through the FTC’s law enforcement and lawsuit press release area makes it clear this is no walk in the park and is obviously costing the government a substantial amount of time and money.
How are criminals obtaining our numbers?
The real question is how these actors are getting a hold of phone numbers to call. Hsue told us the FTC is not sure. “It’s possible that some attackers purchase leads, while others could literally be going down a sequential list of phone numbers. There’s not a lot of research in this area that can shed light on this question.”
If this is costing us so much, what are the turnouts for the criminals behind RoboSpam?
Even though the FTC has taken such harsh action against these spammers, they do not seem to be stopping. Hsue told us these robospammers’ turnouts may vary based on how large the operation was and how large their impact on the market was. “The reason they continue even if the turnout is small, is because the cost of making these calls is close to nothing,” Hsue said. “The main piece of advice I can give consumers is to just hang up, and never interact with them.”
The FTC’s action against RoboSpam
As the FTC has spent years and countless hours battling robospam, there had to be a better solution. This year at Def Con 22, the annual hacker conference held in Las Vegas, the FTC made an appearance asking for hackers’ help to battle these criminals.
A government agency entering a hacker conference? This may sound a bit odd, as the hacker culture is based around privacy and security, which certain sectors of the government are not. The FTC did admit they were worried what the outcome would be, but since the FTC works towards consumer protection, Hsue told us the outcome was great. Hsue told us Def Con was very welcoming, and the attendees were very responsive and interested in the FTC’s initiative to battle this long-lasting abuse of the people.
The FTC set up a booth at Def Con 22 and held a contest dubbed Zapping Rachel, which was geared towards hackers creating the best invention to beat robotic phone spam. The contest had three phases, and Hsue told us they maxed out on participants for phases 2 and 3. The objective was to create a mechanism to collect information on these robospammers, and possibly even reverse engineer their operations and find who the calls are coming from. The phases went as follows:
- Phase 1 (Creator) challenged participants to build a robocall honeypot. Turnout: 21 signups and one submission
- Phase 2 (Attacker) challenged participants to find honeypot vulnerabilities. Turnout: 25 signups and one submission
- Phase 3 (Detective) challenged participants to analyze honeypot data. Turnout: 50 signups and 11 submissions
- The FTC has announced the winners for each phase along with their creations to combat robospam on the Zap Rachel page – www.ftc.gov/news-events/press-releases/2014/08/ftc-announces-winners-zapping-rachel-robocall-contest
Hsue told us “phase one and two were especially hard to address in the time frame we had,” which is true considering Def Con is a 4-day event. Not to mention it’s away from people’s usual workplace, so they do not have all their necessary tools to work with.
While the turnout was not massive, Hsue did tell us that many hackers were interested and as annoyed by the robospam as the FTC was, while sharing a number of interesting ideas to stop the spam.
Hsue told us there was no one idea that will solve all robospam, but the ideas submitted were a great initiative towards stopping robospam.
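The kind of honeypot-data analysis Phase 3 asked for can be sketched as follows. This is an added example, not code from the FTC or any contest entry; the log format, field order and thresholds are assumptions, and the call records are constructed using fictional 555-01xx numbers. It flags a dialer sweeping through adjacent honeypot numbers and ignores caller ID when grouping, because caller ID is easily spoofed.

```python
from datetime import datetime, timedelta

# Constructed sample honeypot log: (timestamp, caller ID shown, honeypot number dialed).
# All numbers are fictional (555-01xx range); the layout is an assumption.
CALLS = [
    ("2014-08-08 10:00:05", "2025550111", "7025550140"),
    ("2014-08-08 10:00:19", "3105550122", "7025550141"),
    ("2014-08-08 10:00:31", "4155550133", "7025550142"),
    ("2014-08-08 10:00:47", "6465550144", "7025550143"),
    ("2014-08-08 13:22:10", "2125550155", "7025550160"),
    ("2014-08-08 17:45:00", "2125550155", "7025550149"),
    ("2014-08-09 09:00:00", "5035550166", "7025550161"),
    ("2014-08-09 09:00:20", "5035550177", "7025550162"),
]

def parse(calls):
    """Turn raw rows into (datetime, caller_id, dialed_int), sorted by time."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cid, int(dst))
            for ts, cid, dst in calls]
    return sorted(rows)

def sequential_sweeps(calls, max_gap=timedelta(seconds=60), max_step=1, min_len=3):
    """Find runs of calls that walk upward through adjacent honeypot numbers.

    Caller ID is deliberately ignored when grouping, because it is easily
    spoofed; a run is defined only by timing and the dialed numbers.
    """
    sweeps, run = [], []
    for row in parse(calls):
        if run:
            gap = row[0] - run[-1][0]
            step = row[2] - run[-1][2]
            if not (gap <= max_gap and 1 <= step <= max_step):
                if len(run) >= min_len:
                    sweeps.append(run)
                run = []
        run.append(row)
    if len(run) >= min_len:
        sweeps.append(run)
    return sweeps

def summarize(sweeps):
    """Report each sweep's dialed range, call count and distinct caller IDs shown."""
    return [{"first": str(r[0][2]), "last": str(r[-1][2]), "calls": len(r),
             "caller_ids": len({c[1] for c in r})} for r in sweeps]

if __name__ == "__main__":
    for s in summarize(sequential_sweeps(CALLS)):
        print(s)
```

On the sample data the sweep shows a different caller ID on every call, which is why grouping by caller ID alone would miss it.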
Can I participate now that the contest is over, and if so, how?
The FTC is always looking for help regarding robospam. Hsue told us people can help by creating and testing their ideas, which can evolve into a technological solution. She told us “the FTC is always happy to work with companies and third parties that are also dedicated to combating robospam.” Others can also help the FTC by submitting robocall numbers they receive into the Do Not Call registry the FTC operates. This helps the FTC immensely as they can track patterns and rigorously combat the spam with hard data in their hands.
Many hackers did in fact help the FTC by building smart honeypots and tarpits to trap the robospam, but ideas are still emerging to combat the criminals.
Hsue even related robospam to spam emails: “Remember the spam email outbreak in 2003? It was out of control and no solution seemed realistic. Now we have amazing email spam filters, and we believe something similar can be built to combat robospam.”
RoboSpam TDoS Attacks on Businesses (Telecommunication Denial of Service Attack)
“Businesses are under TDoS attacks,” Hsue explained to Freedom Hacker. These robospam marketers are not only targeting consumers, but are going after businesses as well, though not to sell anything. A Denial of Service attack is when an attacker sends an absurdly large number of requests to an online web server in hopes of overwhelming the server until it goes offline, making the service inaccessible. Telemarketing spam has adopted similar tactics, but over the phone lines. “Businesses are succumbing to telemarketers’ TDoS attacks, initially overloading their phone line with faulty requests or shutting the line down,” Hsue says. “The attacks we’ve seen are really just a means of extortion. ‘Pay us and we’ll stop’ is what the FTC commonly hears from businesses being attacked.”
Tips to Combat RoboSpam
While robospam is still in its starter phase, only becoming an issue in 2009, steps to combat it are limited. Hsue told us that while there are some options available to consumers, most are temporary because they rely on caller IDs – which are easily spoofed. To help combat these calls, consumers can take action with the following steps.
- Report robotic phone spam to the FTC on their ‘File a Complaint to the Do Not Call Registry’ page. All it requires is the phone number and the date of the call; other information is optional. Hsue told us this information is invaluable to the FTC. It helps track trends, try to find the host, and overall beat the robospammers. With the current 150,000 complaints each month, the FTC has been able to bring down billions of dollars of cybercriminals’ fraud operations.
- Input your phone number to the DoNotCall Registry. The FTC owns and operates the Do Not Call (DNC) Registry. The DNC is a list of phone numbers that telemarketers are not legally allowed to call. Telemarketing firms that want to abide by the law have to contact the FTC, pay a fee, and will get a portion of the Do Not Call registry list. They are then required by law to scrub the numbers from their list.
One team got so fed up with RoboSpam, they actually started a full business to combat the scammers. NoMoRobo is a solution that you can implement on your phone service provider to stop robospam from ever reaching your line. The man behind the operation is Aaron Foss, the winner of the first ever robocall challenge the FTC set up in 2012. While NoMoRobo is not the end-all solution, it is definitely a great idea. NoMoRobo is in no way affiliated with the FTC, but Hsue told us that Aaron is a “continuous partner with the FTC and their initiative to defeat fictitious calling.”
As robospam is still evolving, there are limited steps that consumers can take to avoid these calls. This is why the FTC is calling out to hackers or just anyone tired of the relentless fictitious calls they receive. Hsue told us she finds it sad that people cannot trust their phone anymore. “Calling used to be a personal line and a way to get a hold of you, I found it sad when people at Def Con came up to us and told us they can no longer trust their phone lines. Everything is becoming harder to trust, and we need to be able to disperse these malicious actors.” We fully agree with Hsue and the FTC’s initiative to beat the spam.
Robospam will continue to be an issue till some form of a solution is worked out or put in place. Hsue told us consumers are “irate” over the issue, which we also believe is the case. Robospam needs to be harshly addressed or it will only become a larger issue consistently attacking consumers.