CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
Many of us are familiar with ‘robocalls’ – where computers dial numerous recipients at a single time, to disseminate messages such as pre-recorded reminders of upcoming medical and dental appointments, payment advisories from financial institutions, and announcements from MINDEF to acknowledge the issuance of SAF100 call-up notices. However, cybercriminals and other threat actors have also been abusing robocall technology to conduct various malicious activities. In this issue, we will examine the underlying technology behind robocalls, common abuses of robocall technology, and worldwide efforts to address these abuses.
What are Robocalls?
A robotic call, or robocall for short, is a phone call typically made by one or more computers that run off-the-shelf auto-dialling software and are connected to a telephone or network carrier. Fed with a script of phone numbers to be dialled, the robocall platform calls multiple recipients at the same time using Voice over Internet Protocol (VoIP), which converts analog phone signals into digital signals that can be sent over the Internet. This allows such calls to be made cost-effectively and en masse, as the platform uses an Internet subscription and does not incur extra telephony charges.
Government agencies and businesses have adopted robocall platforms to disseminate information as they are relatively inexpensive and easy to configure according to various requirements. Many robocalls are legitimate and in compliance with global laws and regulations related to personal data protection, consisting of payment reminders and advisories, broadcasts from essential services, weather alerts, political campaign messages and telemarketing calls.
Understand more about robocall technology at Mind Commerce.
REPORTS – ABUSES OF ROBOCALL TECHNOLOGY AND GROWING CONCERNS
Leveraging Robocalls for Malicious Purposes
The widespread availability and ease of use of auto-dialling software make it susceptible to abuse by threat actors; it has been observed that half of all robocalls made today are for malicious purposes. Such actors typically subscribe and connect their computer systems to VoIP service providers that do not conduct robust credential checks, and then make robocalls to millions of random phone numbers at a single time, in the hope of successfully compromising a number of victims.
A favourite technique of these threat actors is to digitally alter their phone number or caller identity to spoof those of legitimate organisations, thereby increasing the chance that victims would answer the call. Such caller identity spoofing is done commonly through VoIP service providers, which allow their users to configure the phone number they display as the caller identity through settings available on their websites or software applications. Consequently, many victims might be duped into thinking that it was the Police, Customs, a delivery firm or their bank that was trying to contact them.
According to the latest Global Robocall Radar Report that was published by technology firm Hiya, about 85 billion malicious robocalls were observed in the global user base of the firm’s caller identity and call blocking application in 2018, a whopping 325% increase from its 2017 observations. 42% of robocall scam victims were between 18 and 24 years old, making this age group more than twice as susceptible to robocall scams as victims at 65 years old and above.
Figure 1: An infographic describing how malicious robocalls from threat actors reach their victims.
Adapted from the US Federal Trade Commission infographics on robocalls
Cyber-attacks through Robocalls?
‘Technical support’ Phishing – Victims receive pre-recorded messages purportedly from a technology company or telecommunications service provider, claiming that their staff need to carry out updates or repairs to the victims’ computers or Internet connection. The attackers then instruct victims to visit a particular website to download and install software applications that provide the attackers with remote access to victims’ computers. After gaining access, attackers can proceed to methodically compromise the system, including stealing user credentials, installing malware for malicious purposes, mining cryptocurrency, or launching distributed denial-of-service (DDoS) attacks as part of a botnet. Find out more about these scams at Security Boulevard.
Telephony Denial-of-Service (TDoS) Attacks – Robocall technology can also be leveraged to conduct Telephony Denial-of-Service (TDoS) attacks, a variation of Denial-of-Service (DoS) attacks, against various targets. While scammers autodial many different potential victims at a single time, threat actors may program their computers to flood single targets with fake phone calls continuously, preventing their targets from making or receiving calls. The Department of Homeland Security (DHS) of the US recently noted that TDoS attacks are also increasingly targeting emergency call centres and posing significant risks to other critical service providers. TDoS attacks render emergency systems unavailable by flooding them with spam calls, effectively knocking them offline. In 2016, an American teenager orchestrated a TDoS attack that took down the 911 service in 12 states across the US.
Separately, on polling day of the Malaysian General Election in May 2018, mobile phones belonging to candidates from various political parties allegedly came under continuous waves of TDoS attacks. The candidates complained that they received unknown robocalls from overseas nearly every minute, supposedly to disrupt their communications with party organisers during the election.
Greater coverage of these TDoS attacks can be found at DHS’s blog and SCMP.
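The distinction drawn above, between autodialling many recipients at once and flooding a single target, appears in call detail records as fan-out versus fan-in. The sketch below is an added example and not part of the CSA bulletin; the record layout, phone numbers, time window and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

def sample_cdrs():
    """Constructed call records: (epoch_seconds, caller_id, dialled_number)."""
    cdrs = []
    # Fan-out: one caller dials 30 different numbers in 30 seconds (campaign).
    for i in range(30):
        cdrs.append((1000 + i, "+10000000001", f"+6590000{i:03d}"))
    # Fan-in: 40 calls with varying caller IDs hit one number in 40 seconds.
    for i in range(40):
        cdrs.append((2000 + i, f"+1555000{i:04d}", "+6560000999"))
    # Background: the same two parties talk every ten minutes.
    for i in range(5):
        cdrs.append((3000 + i * 600, "+6581111111", "+6582222222"))
    return sorted(cdrs)

def classify(cdrs, window=60, fan_out_limit=20, fan_in_limit=20):
    """Flag callers reaching many distinct numbers (robocall campaign) and
    numbers receiving many calls (possible TDoS) within a sliding window."""
    by_caller = defaultdict(deque)  # caller -> (timestamp, dialled) events
    by_target = defaultdict(deque)  # dialled number -> timestamps
    campaigns, tdos_targets = set(), set()
    for ts, caller, dialled in cdrs:
        out_q, in_q = by_caller[caller], by_target[dialled]
        out_q.append((ts, dialled))
        in_q.append(ts)
        # Expire events that have fallen out of the window.
        while out_q[0][0] <= ts - window:
            out_q.popleft()
        while in_q[0] <= ts - window:
            in_q.popleft()
        if len({d for _, d in out_q}) > fan_out_limit:
            campaigns.add(caller)
        # Count calls rather than caller IDs: spoofed IDs would otherwise
        # make a single flood look like many unrelated callers.
        if len(in_q) > fan_in_limit:
            tdos_targets.add(dialled)
    return campaigns, tdos_targets

if __name__ == "__main__":
    campaigns, tdos_targets = classify(sample_cdrs())
    print("Fan-out callers:", sorted(campaigns))
    print("Fan-in targets:", sorted(tdos_targets))
```

A call centre that normally receives a high call volume would need a threshold based on its own baseline rather than the fixed limit assumed here.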
Other Kinds of Robocalls
Scams involving institutions of authority – Scammers masquerade as police, tax or legal officers and unnerve victims by accusing them of crimes committed through mobile numbers registered under their names. Victims are then informed of bogus pending criminal cases against them, and pressured to provide their personal particulars and bank account details, including Internet banking credentials and one-time passwords, for “investigation purposes”. Finally, the victims are put through to the scammers, who threaten them with imprisonment if they do not cooperate. Money is subsequently transferred out of the victims’ bank accounts to unknown bank accounts.
‘Lucky draw’ scams – In these scams, automated messages first inform victims that they have won money through some incidental means. Scammers, impersonating staff from a reputable company or telecommunications service provider, then ask the victims in person to provide personal information, credit/debit card or bank account details to receive their winnings. Unauthorised transactions are subsequently made from the victims’ bank accounts or credit/debit cards, based on their Internet banking credentials and one-time passwords. In some cases, victims are requested to purchase gift cards from Apple or Google and send the redemption codes to the scammers before they can collect their prizes.
Read more about the robocall menace and robocall scams at Wired and CNBC.
GLOBAL MEASURES TO ADDRESS ABUSES OF ROBOCALL TECHNOLOGY
Concerted efforts have been made globally in both the public and private sectors to mitigate abuses of robocall technology. There is an increasing number of third-party software applications and services, including Youmail and Nomorobo, which help smartphone users verify whether their incoming phone calls are scam robocalls, and make informed decisions on whether to pick up these calls or block them permanently. Web services such as SpamCalls.net allow phone users worldwide to identify and report unknown callers, as well as track spam calls in the form of ping calls, phone scams, and unwanted robocalls. Separately, several technology firms such as SecureLogix are working on solutions that distinguish legitimate emergency calls from TDoS attacks, to prevent emergency call centres from being overwhelmed by such spoofing attacks.
CNBC, Dark Reading, Hiya, Mind Commerce, Security Boulevard, TechCrunch, Tom’s Guide, US Department of Homeland Security, US Federal Trade Commission and Wired