An 11-month study that used 66,606 US phone lines to receive 1.48mn calls confirmed pretty much everything you already knew about nuisance robocalls. Put simply, the main conclusions were:
- Robocalled numbers are selected indiscriminately, with the modus operandi being to call the greatest number of people rather than using any intelligence to target victims.
- Caller ID spoofing is common but also shows little intelligence, with the A-party numbers varied after each use to prevent them from being blocked.
- Only a small percentage of spoofed caller IDs were from the some area as the victim, i.e. used the ‘neighbor spoofing’ trick. When they did, the implementation was so simple that it sometimes spoofed the CLI of the recipient.
- Because there is no intelligence behind the spam, the probability of receiving spam calls was unaffected by whether the phone lines were set to answer the calls or not.
Entitled Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis, the study was authored by Sathvik Prasad, Elijah Bouma-Sims, Athishay Kiran Mylappan, and Bradley Reaves of North Carolina State University. The scale of the study makes it prize-worthy, but I question the authors’ claim to offer “powerful new tools and perspectives for researchers, investigators, and a beleaguered public”. It is good to confirm that spammers mostly work at random, but I fail to see the ‘power’ that flows from that conclusion. On the contrary, the researcher’s data showed just how monotonously and stupidly automated the process of robocalling is, with honeypot lines being hit by similar volumes of calls every week. One quarter of the completely new phone numbers received no spam calls during the period of the study, but once a new number had been spammed there was no great difference in the number of calls they received compared to numbers which had been returned by customers who complained of spam.
The authors were keen to emphasize that they received many robocalls during their study, which each line receiving slightly under four robocalls per month on average. However, this is significantly less than the number of robocalls reported by commercial call blocking firms. For example, YouMail’s Robocall Index currently says that Americans receive an average of 11.6 robocalls per month, and their figures were higher during the period the honeypot was active. Some of the deviation may be caused by calculating robocalls per receiving phone number versus robocalls per human recipient, but it is a shame that the researchers did not explore this question or compare their findings with other commonly-quoted statistics.
The research did sometimes contradict conventional wisdom on telecoms fraud, most notably when using the honeypot lines to measure wangiri. The study found ‘no evidence’ of wangiri across a 35-day period for 2,949 highly-called lines. I find this odd, because I can find evidence of wangiri by simply looking at my own phone, and ample evidence has been provided by surges of consumer complaints and swathes of regular warnings. The likeliest explanation for the failure to detect a single wangiri call is that there was a fundamental defect in the methods used for the study. This may be related to only using one provider, Bandwidth Inc., for all the honeypot lines, or because all the numbers were associated with just one US state.
Spammers were more active during office hours in the working week; volumes of calls were lowest on the weekend. The researchers did not reflect on whether this may have been influenced by using a provider that focuses on serving enterprise customers.
The researchers identified several distinct spamming ‘campaigns’ when they used automation to look for common patterns in the audio recordings of calls received.
Our honeypot discovered two separate large scale fraudulent campaigns which clearly violates multiple federal and state laws. Both these campaigns used different audio recordings. The first SSA Campaign (SSA Campaign #1) was the 10th largest campaign in our honeypot with a campaign size of 396. This campaign extensively used 224 unique toll-free numbers as the caller ID to generate unsolicited calls. We observed that this first SSA Campaign operated throughout the duration of our study – April 2019 to February 2020. The second SSA Campaign (SSA Campaign #2) had a campaign size of 75 and operated from August 2019 to November 2019.
The language-neutral techniques deployed by the researchers also confirmed that spammers will phone US numbers in the hope of finding targets who speak other languages than English.
Our campaign identification mechanism uncovered two unique robocalling campaigns that operated in Mandarin and in turn was targeted towards Chinese population in the United States. Each campaign had a campaign size of 62 and 51. Both the campaigns impersonated the Chinese Consulate. The first campaign threatened the callers that there was an important document which had expired, and it needed immediate attention of the caller to press a specific digit. The second campaign mentioned that the caller had an urgent message which was time sensitive.
The study, which ended in early 2020, provided no data about the impact of STIR/SHAKEN on spoofing. This was reportedly because no STIR/SHAKEN attestations were passed by other telcos to Bandwidth during the period of the research.
You can find the Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis paper here, or look below for a video presentation from one of the authors.