Site icon Sophos News

The mystery caller dials you for the 700th time today. What do you do?

What’s the more horrifying part of robocall Hell: getting some 700 nuisance calls a day over the course of five days, or being told that there’s nothing anybody can do to stop it?

For Kim France, it’s the latter.

She’s a real estate agent who lives in Hilton Head Island, in the US state of South Carolina. In her line of business, she gets plenty of calls from numbers she doesn’t recognize.

But hundreds a day? No wonder the sound of her ringing phone still makes her cringe. Ars Technica quotes her:

Every time a number flashes up on my display that I do not recognize, the hair on the back of my neck stands up.

She talked to Ars’ Jon Brodkin three days into what she described as the “cell phone nightmare” that mysteriously enveloped her in June, making it near impossible to answer legitimate calls from friends, family or clients.

On the first night, she went to bed, slept for seven and a half hours, and found 225 missed calls when she awoke. It kept up at that pace for five days, for a total of roughly 700 calls a day.

She tried robocall blocking services. They didn’t work. That’s not surprising: such tools, which rely on blacklists of known scam numbers, don’t generally work when the numbers’ caller IDs have been spoofed.

Adam Doupé, a security researcher and professor at Arizona State University, told Ars that the core problem is that Caller ID is extremely easy to spoof. There’s no way to verify who’s calling, unlike with email, which relies on making a TCP connection to an email server with a specific IP address:

Because it’s an old, circuit-switched network, none of the switches along the way need to know who actually is placing the call. I was shocked to find out that the Caller ID is just an optional part of the original address message that gets sent along. You don’t need it, and nobody is checking it along the way for authenticity, and, really this means you can put that to be whatever you want. To top it off, there are a lot of online services that allow you to send out phone calls and specify exactly what Caller ID you want them to come from.

This is a problem that the Federal Communications Commission (FCC) is painfully aware of. In March, FCC Chairman Ajit Pai said in a blog post that the commission has proposed greater leeway for providers to block spoofed robocalls:

Specifically, they could block calls that purport to be from unassigned or invalid phone numbers (there’s a database that keeps track of all phone numbers, and many of them aren’t assigned to a voice service provider or aren’t otherwise in use). There is no reason why any legitimate caller should be spoofing an unassigned or invalid phone number. It’s just a way for scammers to evade the law.

Was it a scammer who plagued Kim France? No. She heard from neither robot nor human scam artist when she answered. Rather, she heard the sound of a fax. Most of the calls came from fake numbers: from area codes or exchanges that don’t exist. Scammers go to more effort than that, spoofing their Caller IDs to make people think they’re getting a local call.

Nobody’s even sure it was actually robocalls she was receiving. The Federal Trade Commission defines a robocall as one in which the recipient hears “a recorded message instead of a live person” …but “robocall” is as good a word as any to describe these nuisance calls, which basically amounted to the phone equivalent of a distributed denial-of-service (DDoS) attack.

Ars quotes RoboKiller co-creator Ethan Garr:

It is possible that whoever did this to Kim France did play a recorded file of the fax-like sound, but I think it’s also possible that they just generated the sound programmatically with each call.

It’s more of a DDoS attack over the telephone lines rather than a spam or scam call.

France tried to get her carrier, Verizon, to help. No luck. After six calls, all the company could come up with was a suggestion that she change her phone number: a no-starter, given that her business’s number is spread across a real estate landscape of third-party websites. Changing it would have been hugely disruptive to her business.

The response when she contacted a consumer rights attorney who specializes in phone call harassment: there’s nothing you can do to figure out where these calls are coming from.

The response from police: sorry, we can’t stop the calls.

The response from the FCC: a form letter explaining what spoofed Caller ID is… as if she didn’t know by that point.

There are intriguing tools in the works that could help to cut spoofed nuisance calls.

For example, Doupé and a PhD student are working on a caller verification system, to integrate into the core backbone of the SS7 signaling protocol, that adds an authentication token to messages so the call recipient can verify that the caller owns the phone number. It’s described in this paper (PDF). Brodkin says it’s similar to the green security lock displayed in browsers with HTTPS-enabled websites.

It relies on SMS, so the prototype is only working with mobile phones at this point.

When the possibility of this being a targeted attack was suggested, France couldn’t fathom who might want to target her. Then again, maybe it wasn’t a phone DDoS; maybe it was a glitch in auto-dialing software? Or then again, maybe it was, as RoboKiller’s Garr suggested, a “fax scam gone awry”.

Garr’s advice for handling an attack like this: “Weather the storm.” Stop answering, and tell friends and family to contact you some other way.

It is unlikely that anybody is going to make harassing calls to your number indefinitely. Scammers and spammers change their numbers very often – most numbers are active for just two hours. Kim’s attack lasted a long time, but even someone trying to do such an attack is likely fearful that if they do it forever they will get caught, and it is probably costing them a little bit to do this consistently.

He suggested using your phone’s Do Not Disturb mode and not allowing repeated calls from the same number.

As for France, so far, the robocall bombardment hasn’t recurred, thankfully. Now, all she’s left with is astonishment that there’s nothing anybody can do to stop this type of attack:

I just feel like there has got to be something that could be done to protect consumers from this type of crime. Being told that no one can do anything for me was the most shocking part to my story.


Exit mobile version