Robocalls to Cell Phones

See the video in the link below. This is another case of robocalls, specifically automated debt collection calls, gaining significant national attention:

We all know that these calls are a big issue for consumers on their land lines. The robocallers, whether they are selling a product, harassing their victim, trying a scam, or attempting to get information (vishing), have traditionally targeted landlines because they have lists of numbers and because the targets can be especially vulnerable (elderly consumers).

However, we are all getting some of these calls on our cell phones. This is in violation of the Telephone Consumer Protection Act (TCPA). This document, while old, is a must-read. Now it is also illegal to make robocalls to normal land lines, but I predict that robocalls to cell/smart phones will get more attention and make it likely that the victims will complain. As covered in the video, attorneys have started to notice, and I predict they will work to make their share off of this issue, which is only getting worse and more common. Now attorneys will only be able to go after "legitimate" robocallers. They will have the same challenges as law enforcement in going after illicit robocallers or those outside the country, but there are a lot of attorneys, and between them, law enforcement, and the FTC/FCC, we may see a growing civil and law enforcement response to the robocalling issue.

This will also be a boon for companies building smart phone applications to block these calls.

While this is going on, the robocallers are also increasing their call volume into businesses and enterprises. Land lines are slowly going away and the target base is getting saturated. It may be too risky to hammer away at consumers' precious cell/smart phones (heaven forbid a call comes in in the middle of composing an Instagram or Snapchat message), so the logical next target will be businesses and enterprises.

Good Video on VoIP Security and Telephony Denial of Service

Here is a link to a good video on VoIP and SIP security.

Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:

  • Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone else's PBX to generate calls to premium numbers set up by the hacker or where the hacker has an agreement with the owner to generate traffic.
  • Telephony Denial of Service (TDoS) - using someone's PBX to target a business or individual. The attacker makes money through extortion.
  • Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).

At the end of the presentation, there is a brief TDoS demo.

Note that another way to make money is call pumping, where the calls are to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.

DDoS (Could be TDoS) Services for Hire

Here are a couple of articles about various DDoS services set up and ready for hire. There is also a brief discussion about how a service was used to attack a VoIP service. This isn't TDoS per se, but as I have said before, the botnets that the attackers use could easily generate VoIP-based calls (rather than lots of packets) and target any enterprise site, contact center, user, consumer, etc.

So a tiny bit of background here. Attackers create botnets by assembling a collection (100s, 1,000s, 10,000s) of individual bots on zombied computers. These bots sit dormant, but are ready to go if the attacker wants to generate an attack (or is paid). The bots can do pretty much anything; often it is to generate specific packets or floods of packets for a DDoS attack. The more bots, the more traffic and the harder it is to mitigate the attack. Of course the bot can generate one or more VoIP/SIP-based phone calls, which could for example all hit a large contact center. If the bots are smart enough to spoof their caller ID, they would be difficult to differentiate from real traffic. If they play similar audio, that could be detected, but if they did something really nasty, like play a random audio file/song from the zombie computer's iTunes directory, the attack would be very difficult to mitigate.
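The detection point in the paragraph above can be sketched as a check over call records. This is an added example, not part of the original post: the record layout, the per-call audio fingerprint field (`audio_fp`, assumed to come from an upstream audio-matching component), the thresholds and all sample data are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: (epoch_seconds, caller_id, destination, audio_fp).
SAMPLE_CALLS = (
    # Flood A: a different (spoofed) caller ID on every call, same audio each time.
    [(1000 + i * 3, f"+1555010{i:04d}", "contact-center-a", "fp-same") for i in range(12)]
    # Flood B: spoofed caller IDs and a different audio file on every call.
    + [(1000 + i * 3, f"+1555020{i:04d}", "contact-center-b", f"fp-rand-{i}") for i in range(12)]
    # Normal traffic: occasional calls, each with its own live audio.
    + [(1000 + i * 40, f"+1555030{i:04d}", "contact-center-c", f"fp-live-{i}") for i in range(4)]
)

def classify_destinations(calls, window=60, min_calls=8, min_share=0.7, min_callers=5):
    """Return {destination: verdict} for destinations with a call spike.

    "same-audio":  within `window` seconds, one fingerprint makes up at least
                   `min_share` of the calls and comes from at least
                   `min_callers` distinct caller IDs.
    "volume-only": the spike exists but the audio does not repeat, so audio
                   matching cannot separate it from a genuine surge.
    """
    by_dest = defaultdict(list)
    for ts, caller, dest, fp in calls:
        by_dest[dest].append((ts, caller, fp))
    verdicts = {}
    for dest, rows in by_dest.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            if len(span) < min_calls:
                continue
            verdicts.setdefault(dest, "volume-only")
            fp, count = Counter(r[2] for r in span).most_common(1)[0]
            callers = {r[1] for r in span if r[2] == fp}
            if count / len(span) >= min_share and len(callers) >= min_callers:
                verdicts[dest] = "same-audio"
                break
    return verdicts

if __name__ == "__main__":
    print(classify_destinations(SAMPLE_CALLS))
```

Caller ID plays no part in the same-audio verdict beyond counting distinct values, so spoofing does not hide flood A; flood B only surfaces as a volume spike, which is the hard case the paragraph describes.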