There have been several articles about a bust of at least 70 people in India who are behind some of the IRS phone scam calls. We have been working with the IRS/TIGTA, the FTC, and DHS CSD on this issue; it is good to see that at least one of the fraud rings has been busted. Hopefully this will result in at least a temporary reduction in this scam.
Here are articles from the Wall Street Journal and CNN. You can find several more:
Here are a couple of links to the Department of Homeland Security (DHS) Cyber Security Division (CSD) showcase earlier this year. They did a great job of recording the videos of all the presenters. We were fortunate to be a featured presenter on the first day.
As I have said (and I need to post more info here), we have expanded our research program with DHS CSD to focus on addressing issues such as calling number spoofing and caller authentication, and on how this helps to address voice security issues such as Telephony Denial of Service (TDoS), robocalls, scams, bomb threats, etc.
The first link is to the full set of videos. The second is a link to our video. Check them out:
The Federal Trade Commission (FTC) is continuing its fight against those annoying robocalls by sponsoring its Zapping Rachel challenge at the most recent DEF CON 22 conference. The focus of the challenge was phone honeypots ("phonypots"), which are used to answer calls from robocallers and try to understand their behavior. The challenge awarded over $10,000 in prizes to the winners in the categories of creator, attacker, and detective.
You can get more information from the FTC website at:
We all know that these calls are a big issue for consumers on their landlines. The robocallers, whether they are selling a product, harassing their victim, trying a scam, or attempting to get information (vishing), have traditionally targeted landlines because they have lists of numbers and because the targets can be especially vulnerable (elderly consumers).
However, we are all getting some of these calls on our cell phones. This is in violation of the Telephone Consumer Protection Act (TCPA). This document, while old, is a must-read. Robocalls to normal landlines are now also illegal, but I predict that robocalls to cell/smart phones will get more attention and make it more likely that victims will complain. As covered in the video, attorneys have started to notice, and I predict they will work to make their share off this issue, which is only getting worse and more common. Attorneys will only be able to go after "legitimate" robocallers; they will face the same challenges as law enforcement in going after illicit robocallers or those outside the country. But there are a lot of attorneys, and between them, law enforcement, and the FTC/FCC, we may see a growing civil and law enforcement response to the robocalling issue.
This will also be a boon for companies building smart phone applications to block these calls.
While this is going on, the robocallers are also increasing their call volume into businesses and enterprises. Landlines are slowly going away and the target base is getting saturated. It may be too risky to hammer away at consumers' precious cell/smart phones (heaven forbid a call arrives in the middle of composing an Instagram or Snapchat message), so the logical next target will be businesses and enterprises.
For those not familiar with STIR (Secure Telephone Identity Revisited), it is an IETF working group attempting to solve the problem of spoofed calling numbers (caller ID). It has become so easy to generate calls with random anonymous numbers, or with specific, targeted spoofed numbers, that the source number has lost most of its value as an indicator of who is calling. This enables some attacks directly, but more importantly it makes other attacks, such as Telephony Denial of Service (TDoS), voice SPAM (robocalls), scams, voice phishing (vishing), and harassing/threatening calls, much harder to filter or trace, and therefore much more of an issue.
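As an added illustration (not code from the original post, and not the IETF's actual STIR wire format), the following Go program shows the model STIR is built on: the originating provider signs an assertion of the calling number, called number and issue time with its private key, and the terminating side verifies the signature and checks that the caller ID actually presented on the call matches the signed one. The field names, the token layout and the ECDSA/P-256 choice are my simplifications; the IETF documents define the real encoding, certificate handling and attestation levels.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claim is the attestation the originating provider signs: the calling number it
// vouches for, the called number, and the issue time. Field names are my own
// simplification for this example, not the IETF STIR wire format.
type Claim struct {
	Orig string `json:"orig"`
	Dest string `json:"dest"`
	Iat  int64  `json:"iat"`
}

// Sign serialises the claim and signs its SHA-256 digest with the provider's
// ECDSA key. Token layout: "<base64url claim>.<base64url signature>".
func Sign(priv *ecdsa.PrivateKey, c Claim) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

// Verify is the terminating side's check: signature valid under the provider's
// key, signed calling number equal to the caller ID actually presented, token
// issued for this called number, and issue time within the freshness window.
// A spoofed caller ID, a stale replayed token, or an unknown signer all fail here.
func Verify(pub *ecdsa.PublicKey, token, presentedOrig, dest string, now time.Time, maxAge time.Duration) (Claim, error) {
	var c Claim
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if c.Orig != presentedOrig {
		return c, fmt.Errorf("presented caller ID %s does not match signed origin %s", presentedOrig, c.Orig)
	}
	if c.Dest != dest {
		return c, errors.New("token issued for a different called number")
	}
	if age := now.Sub(time.Unix(c.Iat, 0)); age < -maxAge || age > maxAge {
		return c, errors.New("token outside freshness window")
	}
	return c, nil
}

func main() {
	// Originating provider's key; in practice the public half is published via a certificate.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tok, _ := Sign(priv, Claim{Orig: "+12025550143", Dest: "+13125550199", Iat: now.Unix()})
	// Honest call: presented caller ID matches the signed origin.
	_, err := Verify(&priv.PublicKey, tok, "+12025550143", "+13125550199", now, time.Minute)
	fmt.Println("honest call:", err)
	// Spoofed call: the same token shows up on a call presenting a different caller ID.
	_, err = Verify(&priv.PublicKey, tok, "+18005550100", "+13125550199", now, time.Minute)
	fmt.Println("spoofed caller ID:", err)
}
```

Two points worth noticing: verification is only as strong as the terminating side's ability to obtain the right public key for the signer (which is why so much of the STIR work is about certificates), and binding the called number and issue time into the signed claim is what stops a captured token from being replayed against a different victim or long after the original call.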
I just finished attending the 2014 SIP Network Operators Conference (SIPNOC). I couldn't attend some of the conference and missed the update on Secure Telephone Identity Revisited (STIR). However, I checked the IETF website, and there has been quite a bit of activity; there are several new documents that are worth a read. You can find these documents at:
Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:
Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone else's PBX to generate calls to premium numbers set up by the hacker, or where the hacker has an agreement with the owner to generate traffic.
Telephony Denial of Service (TDoS) - using someone's PBX to target a business or individual. The attacker makes money through extortion.
Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).
At the end of the presentation, there is a brief TDoS demo.
Note that another way to make money is call pumping, where the calls go to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.
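Knowing why a PBX gets hacked tells you what to watch for in its call detail records. The following Go program, an example added here rather than anything from McNeil's presentation, runs two simple detections over a constructed CDR sample: an IRSF check (an extension placing a burst of off-hours outbound calls to high-cost destinations) and a TDoS check (one DID receiving many inbound calls within a short window). The record layout, the high-cost prefix list, and the business-hours window are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// CDR is one call detail record; the "unixtime,dir,src,dst" layout is constructed for this example.
type CDR struct {
	At       time.Time
	Outbound bool
	Src, Dst string // extension and called number for "out", caller ID and DID for "in"
}

// ParseCDRs reads one record per line and rejects anything that does not fit the layout.
func ParseCDRs(text string) ([]CDR, error) {
	var out []CDR
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		ts, err := strconv.ParseInt(f[0], 10, 64)
		if len(f) != 4 || err != nil {
			return nil, fmt.Errorf("bad record: %q", line)
		}
		out = append(out, CDR{time.Unix(ts, 0).UTC(), f[1] == "out", f[2], f[3]})
	}
	return out, nil
}

// HighCostPrefixes is an assumed list of destinations this PBX has no business
// calling; a real deployment would derive it from the carrier's rate deck.
var HighCostPrefixes = []string{"+252", "+370", "+881", "+882"}

// overThreshold returns the keys whose count reached the threshold, sorted for stable output.
func overThreshold(counts map[string]int, threshold int) []string {
	var hits []string
	for k, n := range counts {
		if n >= threshold {
			hits = append(hits, k)
		}
	}
	sort.Strings(hits)
	return hits
}

// IRSFSuspects flags extensions with at least minCalls off-hours (08:00-18:00 UTC assumed) calls to high-cost prefixes.
func IRSFSuspects(cdrs []CDR, minCalls int) []string {
	counts := map[string]int{}
	for _, c := range cdrs {
		if h := c.At.Hour(); !c.Outbound || (h >= 8 && h < 18) {
			continue
		}
		for _, p := range HighCostPrefixes {
			if strings.HasPrefix(c.Dst, p) {
				counts[c.Src]++
				break
			}
		}
	}
	return overThreshold(counts, minCalls)
}

// TDoSTargets flags DIDs whose peak inbound call count inside any window of the given length reached minCalls.
func TDoSTargets(cdrs []CDR, window time.Duration, minCalls int) []string {
	byDst := map[string][]time.Time{}
	for _, c := range cdrs {
		if !c.Outbound {
			byDst[c.Dst] = append(byDst[c.Dst], c.At)
		}
	}
	peak := map[string]int{}
	for dst, ts := range byDst {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for start, end := 0, 0; end < len(ts); end++ {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > peak[dst] {
				peak[dst] = n
			}
		}
	}
	return overThreshold(peak, minCalls)
}

// SampleCDRs is constructed data: extension 2041 burst-dials a high-cost prefix at
// 03:00 UTC, and DID +13125550100 takes four inbound calls within fifteen seconds.
const SampleCDRs = `1400000000,out,2012,+37052550101
1400036400,out,2041,+252615550101
1400036430,out,2041,+252615550102
1400036460,out,2041,+252615550103
1400036400,in,+12125550131,+13125550100
1400036405,in,+12125550132,+13125550100
1400036410,in,+12125550133,+13125550100
1400036415,in,+12125550134,+13125550100`

func main() {
	cdrs, _ := ParseCDRs(SampleCDRs)
	fmt.Println("IRSF suspects:", IRSFSuspects(cdrs, 3))           // [2041]
	fmt.Println("TDoS targets:", TDoSTargets(cdrs, time.Minute, 4)) // [+13125550100]
}
```

Thresholds this crude will false-positive on a real contact center, but the shape of the logic is what matters: toll fraud shows up as outbound volume to destinations you never call, typically at night or over a weekend when nobody is watching the PBX, and TDoS shows up as inbound rate against a single number rather than as overall load.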
Here is an interesting report on a variety of fraud issues. One thing that struck me is that voice has become the preferred channel for fraud. Voice SPAM, scams, vishing, social engineering into contact centers, etc. Voice used to be the most trusted communications medium, but now it has become the LEAST trusted. Public voice has a ton of issues - is it any wonder that users are moving to closed systems for voice and messaging???
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is holding a special interest group in their annual conference in San Francisco, February 17-21, to focus on issues unique to voice. This includes Telephony Denial of Service (TDoS), robocalls, voice SPAM, voice phishing, etc. I will attend and be on the solutions panel. Here is a link to an article discussing the special interest group.
The FTC just fined and won a judgment against a group of companies that have been generating robocalls and voice SPAM as part of a scam to defraud consumers. While much of the reason was the scam itself, it is also an additional indicator that the FTC is serious about dealing with the robocall issue. I would expect to see more fines and judgments, although there is no way it will stop the robocall issue. It might slow down "legitimate" and reachable companies, but not the hackers.