Robocalls Are (Finally) Being Shaken Up

Hey, have you heard that your car’s extended warranty is about to expire? That’s what the disembodied robot voice on the other end of the phone wants you to think, anyway. Fortunately, these incessant spam calls may soon be getting less frequent.

This week, the US Federal Communications Commission closed a loophole in a policy that requires voice service carriers to adhere to a standard that would help block robocalls. All carriers in the US are now required to utilize a tech known as Stir/Shaken (an acronym for a very long and unwieldy title of federal standards for calls). It’s a way to identify legitimate carriers and allow them to connect calls, while blocking out those who are trying to spam you…

Despite major progress fighting spam and scams, the roots of the problem go far deeper than your phone company’s defenses.

There’s a good reason you’re still afraid to answer your phone when an unknown number pops up.

For years, the telecommunications industry has been trying to curb robocalls, the frustrating and potentially dangerous spam calls that try to scam anyone who picks up the phone. But even after significant milestones in defense—including the introduction of two telecom protocols that cryptographically authenticate the source of calls—you’re probably still getting spammy calls that drive you nuts. In spite of the setbacks, though, researchers say they’ve seen real progress on reducing spam calls in the United States, and there’s potential for even more improvement.

At the RSA Conference in San Francisco last week, Josh Bercu of the trade association USTelecom and Gary Warner, director of intelligence at the security firm DarkTower, presented findings on progress squashing robocalls and the illegal call centers they emanate from, which are predominantly located in India. And they dug into the frustrating reality that the issue is far from solved.

“I think it’s not going well at all!” Warner tells WIRED. “And people understandably wonder why the carriers don’t just block spam calls. But if you’re AT&T or Verizon or T-Mobile or whoever, it’s not in your purview to decide which conversations people are allowed to have. I don’t think people want to be in that surveillance state where carriers are in a position of deciding what is an acceptable conversation for Americans to have.”

That doesn’t mean the carriers haven’t stepped up their blocking when they see enough evidence that a call has a suspicious provenance. But USTelecom’s Bercu notes that deciding how bold to be about blocking is a delicate issue that each phone company handles differently…

When law enforcement arrested three alleged young hackers in the US and the UK last month, the story of the worst-known hack of Twitter’s systems seemed to have drawn to a tidy close. But in fact, the technique that allowed hackers to take control of the accounts of Joe Biden, Jeff Bezos, Elon Musk, and dozens of others is still in use against a broad array of victims, in a series of attacks that began well before Twitter’s blowup, and in recent weeks has escalated into a full-blown crime wave.

In mid-July, Twitter revealed that hackers had used a technique against it called “phone spear phishing,” allowing the attackers to target the accounts of 130 people including CEOs, celebrities, and politicians. The hackers successfully took control of 45 of those accounts and used them to send tweets promoting a basic bitcoin scam. The hackers, Twitter wrote in a postmortem blog post about the incident, had called up Twitter staffers and, using false identities, tricked them into giving up credentials that gave the attackers access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts.

But Twitter is hardly the only recent target of “phone spear phishing,” also sometimes known as “vishing,” for “voice phishing,” a form of social engineering. In just the past month since the Twitter hack unfolded, dozens of companies—including banks, cryptocurrency exchanges, and web hosting firms—have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that’s been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company’s services—most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.

“Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries,” says Allison Nixon, who serves as chief research officer at cybersecurity firm Unit 221b and assisted the FBI in its investigation into the Twitter hack. “I’ve seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn’t think are soft targets. And it’s happening repeatedly, like the companies can’t keep them out.”

Branching Out

As in the Twitter hack, the perpetrators don’t appear to be state-sponsored hackers or foreign cybercrime organizations, but young, English-speaking hackers organizing on forums like the website OGUsers.com and the chat service Discord, says Zack Allen, the director of threat intelligence at security firm ZeroFox, who has also worked with the industry group tracking the incidents. He says he’s been shocked by the level of research that the hackers have put into their social engineering, scraping LinkedIn and using other data-collection tools to map out company org charts, find new and inexperienced employees—some even starting their very first day on the job—and convincingly impersonating IT staff to trick them.

“I’ve never seen anything like this before, nothing this targeted,” says Allen. He warns that the hackers’ tactics have been so effective, it may be only a matter of time until they’re adopted by foreign ransomware groups or even state-sponsored hackers who simply contract out the phone calls to English-speaking phone phishers. “It’s like what you’d expect from a whole team of intelligence professionals building dossiers and executing attacks, but it all seems to be done by teenagers on Discord.”

A security staffer at one targeted organization who asked that WIRED not use his name or identify his employer described a more wholesale approach: At least three callers appeared to be working their way through the company directory, trying hundreds of employees over just a 24-hour period. The organization wasn’t breached, the staffer said, thanks to a warning that the company had received from another target of the same hacking campaign and passed on to its staff prior to the hacking attempts. “They just keep trying. It’s a numbers game,” he says. “If we hadn’t had a day or two’s notice, it could have been a different story.”

Phone-based phishing is hardly a new practice for hackers. But until recently, investigators like Allen and Nixon say, the attacks have focused on phone carriers, largely in service of so-called “SIM swap” attacks in which a hacker would convince a telecom employee to transfer a victim’s phone service to a SIM card in their possession. They’d use that phone number to intercept two-factor authentication codes, or as a starting point to reset the passwords to cryptocurrency exchange accounts.

The Twitter hack’s use of those same phone-based social engineering methods shows how those phishers have expanded their target lists beyond telcos, says Unit 221b’s Nixon. She posits that while this might be due to phone carriers hardening their defenses against SIM swaps, it’s more likely spurred by companies becoming newly vulnerable during the Covid-19 pandemic. With so many firms hastily shifting to remote work, she says, phone-based social engineering has become far more powerful.

The same hackers who honed their skills against telecoms have found other industries that are less well prepared for their tricks, Nixon says. “All of a sudden you’ve got these people that are highly trained, highly effective, efficient, and organized, suddenly hitting a bunch of soft targets,” she says. “And that’s probably a big reason why there’s such a problem right now.”

Despite the apparent youth of the hackers involved, Nixon says the ongoing attacks seem well coordinated, with multiple collaborators working together and hiring independent hackers offering specialized services from reconnaissance to voice acting. “Need someone that has experience with social engineering over call, great pay,” wrote one OGUsers forum member named “biggas” in March, as captured in a collection of OGUsers messages leaked on Telegram in April. “Looking for a social engineering god that is from USA and has a clear & normal adult voice. No little kids,” the same user wrote back in November.

Gone Vishing

In their social engineering calls with victims—including in one recorded call reviewed by WIRED—the hackers typically use a VoIP service that allows them to spoof their phone number. They attempt to establish trust with the victim by referencing seemingly private data such as the victim’s role at the company, their start date, or the names of their coworkers. In some cases, they’ll even ask the victim to confirm that they’re a “real” IT person, suggesting they look up their spoofed identity in the company’s directory or its collaboration software. When the victim seems convinced, they ask them to navigate to a fake login page address—usually for a single sign-on portal like Duo or Okta—and enter their credentials.

Another member of the hacking group immediately obtains those details and enters them into the real login page. The real login page then prompts the victim to enter their two-factor authentication code. When the user is fooled into typing that code into the fake site, it’s also relayed to the second hacker, who enters it into the real login page, allowing them to fully take over the account. The phishing site that enables that relay, unlike the kind usually linked in a phishing email, is typically created only for that specific phone call and is taken down immediately after the hackers steal the victim’s credentials. The vanishing website and the lack of email evidence often make this sort of phone-based social engineering harder to detect than traditional phishing.

You’ve heard the advice a million times. Don’t click links in suspicious emails or texts. Don’t download shady apps. But a new Financial Times report alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn’t need to pick up to be infected, and the calls often left no trace on the phone’s log. But how would a hack like that even work in the first place?

WhatsApp, which offers encrypted messaging by default to its 1.5 billion users worldwide, discovered the vulnerability in early May and released a patch for it on Monday. The Facebook-owned company told the FT that it contacted a number of human rights groups about the issue and that exploitation of this vulnerability bears “all the hallmarks of a private company known to work with governments to deliver spyware.” In a statement, NSO Group denied any involvement in selecting or targeting victims but not its role in the creation of the hack itself…

Source: https://bit.ly/2Vs0WOg

Over 5 billion robocalls were made in March 2019 alone. But new tools to minimize it—if not kill it off entirely—are on the way. For real this time.

Years into the robocalling frenzy, your phone probably still rings off the hook with “important information about your account,” updates from the “Chinese embassy,” and every bogus sweepstakes offer imaginable. That’s despite promises from the telecom industry and the US government that solutions would be coming. Much like the firehose of spam that made email almost unusable in the late 1990s, robocalls have made people in the US wary of picking up their cell phones and landlines. In fact, email spam offers a useful analogy: a scourge that probably can’t be eliminated, but can be effectively managed.

Finding the right tools for that job remains a challenge. The Federal Trade Commission has had a strong track record in its 140 robocall-related suits, including a recent victory at the end of March that targeted four massive operations. Bipartisan anti-robocalling legislation is gaining traction in Congress. Apps that flag or block unwanted calls have matured and are solidly effective. And wireless carriers—in part facing pressure from the Federal Communications Commission—have increasingly offered their own anti-robocalling apps and tools for free.

Yet the number of robocalls continues to hit new highs. The anti-robocalling company YouMail estimates that March 2019 saw 5.23 billion robocalls, the highest volume ever. And other firms recorded similar highs. But those numbers don’t take into account calls that were successfully blocked. A more useful measure might be the number of complaints filed per month to the FCC and FTC, which remained mostly static in 2018 and the beginning of 2019.

“Even though we’re at an all-time high, there’s some good news,” says YouMail CEO Alex Quilici. “The numbers may be creeping up a little bit, but the situation seems to be mostly stable at this point. We have not turned the corner, but maybe the corner is in sight.”

In fact, some consensus has emerged about where that corner is. Industry groups led by the Alliance for Telecommunications Industry Solutions have been working since 2016 on a pair of standards, dubbed “STIR” and “SHAKEN,” that will be used across landline, mobile, and VoIP carriers to cryptographically authenticate the source of calls. Basically, this means that the “spoofed” phone numbers robocallers rely on to ramp up their call volume—also the reason so many robocalls appear to come from your area code—will be easily flagged as untrustworthy.

November 20, 2017

You probably get robocalls all the time. Some pretend to be from the IRS, others come from a phone number very similar to yours. And then there’s the rash of free airline tickets/problem with your credit card/complete this short survey intrusions. If it feels like they’re cropping up more than ever, you’re right. The blocking service YouMail estimates that 2.49 billion robocalls were placed to US consumers last month, marking a 4.1 percent increase over September. This translates to 80.5 million robocalls, every single day…