As a real estate agent, Kim France’s business depends upon answering calls from unfamiliar numbers. But during a five-day stretch in June, her cell phone was flooded with so many junk calls that it was almost impossible to answer legitimate ones.
“I am in the middle of a cell phone nightmare,” France, who lives in Hilton Head Island, South Carolina, told Ars in an e-mail after three days’ worth of the calls. “My phone started ringing three days ago and has continued to ring every few minutes since then. Each time it is from a different number… I can’t conduct a client call, can’t text because calls coming in interrupt the process, can’t even take photos for the same reason.”
On the first night, France went to bed, slept for 7.5 hours, and woke up to 225 missed calls, she said. The calls continued at roughly the same pace for the rest of the five-day stretch, putting the number of calls at somewhere around 700 a day.
France installed robocall blocking tools on her phone, but they didn’t stop the flood. Unfortunately, anti-robocall services that rely primarily on blacklists of known scam numbers generally don’t block calls when the Caller ID has been spoofed to hide the caller’s true number.
US consumers receive 2.4 billion robocalls a month, and the ones from spoofed numbers are among the hardest to stop, according to the Federal Communications Commission. Recognizing that today’s robocall blocking systems are often useless against spoofed robocalls, the FCC recently called upon carriers to increase their efforts to block them.
France’s case posed even greater challenges than usual because she may have been victimized by a targeted attack rather than a run-of-the-mill robocaller. There’s also a question about whether the calls received by France were technically “robocalls.” But what we know for certain is that the problem of unwanted phone calls remains unsolved, and France’s ordeal shows what can happen in an extreme case.
France’s efforts fall short
Trying to stop the flood, France put her iPhone in Do Not Disturb mode in order to block initial calls while allowing repeated calls from the same number to come through. But then calls began coming in twice from the same number in order to ring through to her phone, so France had to turn off the setting that allows repeated calls.
Oddly, there were no people or recorded voices on the other end of the line when France answered the calls. Instead of scam attempts, France said the calls consisted of sounds similar to, but not quite like, a fax machine. The robocalls were leaving long voicemails, filling up her voicemail storage and preventing clients from leaving legitimate messages.
“My initial thought was this is definitely just a computer glitch somewhere,” France said. Later, she began suspecting that someone might be targeting her in a calculated attempt to disrupt her business. And then, just as suddenly as they started, the calls stopped “out of the blue.” Everything went back to normal.
During the five-day deluge, France was worried enough that she contacted the police, a consumer rights attorney, and Verizon Wireless, but the calls continued. Despite her suspicions, the possibility that France was being targeted by a malicious person seemed remote to her—until weeks later, when Ars discussed France’s case with the maker of RoboKiller, a new robocall blocking service.
Evidence points to targeted attack
We described France’s nightmare to RoboKiller co-creator Ethan Garr and provided him with screenshots from France’s phone showing the Caller ID of a few dozen numbers that called her. RoboKiller’s tech team then checked its system to find out if it ever blocked any of those numbers.
Instead of merely relying on a blocklist, RoboKiller’s technology analyzes the audio fingerprints of calls and can thus block many robocalls from spoofed numbers. RoboKiller took first place in a contest the Federal Trade Commission held in 2015 to find the most promising new anti-robocall technologies, and the company has been busy improving its technology ever since. Despite that, RoboKiller had never flagged any of those 36 numbers as suspicious, so it wouldn’t have helped France during her five-day robocall deluge.
The Caller IDs were spoofed. In some cases, the Caller IDs mimicked real numbers that may be owned by real people. In most cases, the numbers calling France were totally fake, coming from area codes (like 411) or exchanges that don’t exist. In other words, the spoofing attack used many random phone numbers instead of ones that might appear to be legitimate.
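The observation above, that most of the Caller IDs used area codes or exchanges that cannot exist, can be turned into a simple screening check. The following is an added example, not code from RoboKiller or from the article: it tests Caller IDs against the North American Numbering Plan's structural rules and summarises a window of calls; the function names, thresholds and sample numbers are assumptions constructed for illustration.

```python
import re

def nanp_defects(caller_id):
    """Return reasons a caller ID cannot be an assigned NANP number ([] if none)."""
    digits = re.sub(r"\D", "", caller_id)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]                      # drop the +1 country code
    if len(digits) != 10:
        return ["not 10 digits"]
    area, exchange = digits[:3], digits[3:6]
    defects = []
    # NANP area codes and exchanges are NXX: first digit 2-9.
    # N11 values (411, 611, 911, ...) are service codes, not area codes.
    if area[0] in "01":
        defects.append("area code starts with 0 or 1")
    elif area[1:] == "11":
        defects.append("area code is an N11 service code")
    if exchange[0] in "01":
        defects.append("exchange starts with 0 or 1")
    elif exchange[1:] == "11":
        defects.append("exchange is an N11 code")
    return defects

def assess_burst(caller_ids, min_calls=5, min_distinct=0.8, min_invalid=0.5):
    """Summarise a window of inbound calls; thresholds are illustrative assumptions."""
    total = len(caller_ids)
    invalid = sum(1 for c in caller_ids if nanp_defects(c))
    distinct_ratio = len(set(caller_ids)) / total if total else 0.0
    invalid_ratio = invalid / total if total else 0.0
    return {
        "calls": total,
        "invalid": invalid,
        "distinct_ratio": distinct_ratio,
        "suspected_spoof_flood": total >= min_calls
            and distinct_ratio >= min_distinct
            and invalid_ratio >= min_invalid,
    }

# Constructed sample window (not the numbers from France's phone).
SAMPLE_WINDOW = [
    "(411) 555-0142", "843-555-0117", "155-555-0199", "212-011-0100",
    "611-555-0133", "803-911-0150", "+1 843-555-0164",
]

if __name__ == "__main__":
    for cid in SAMPLE_WINDOW:
        print(f"{cid:18} {nanp_defects(cid) or 'structurally valid'}")
    print(assess_burst(SAMPLE_WINDOW))
```

A Caller ID that passes these checks can still be spoofed, as with the numbers in France's log that mimicked real ones, so this catches only the structurally impossible cases.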
Scammers seeking money often spoof local phone numbers so that the victims think it’s a valid call. The one targeting Kim France didn’t bother—the only apparent goal was disruption.
There’s still a possibility that it wasn’t a targeted attack and that France’s problem was caused by a bug in auto-dialing software used by telemarketers or scammers. It’s also possible it was a “fax scam that went awry,” Garr said.
But based on the evidence, it was most likely a targeted attack, the RoboKiller team concluded. There’s no financial value from calling someone hundreds of times with fax-like noises—most scams try to extract money from the victim. The noises themselves were likely used to confuse France as to whether the calls were legitimate or not.
“Our theory, and I feel pretty confident, is that this… was someone trying to attack Kim France,” Garr said.
No challenge for determined attacker
We don’t know if someone had a vendetta against France, or if a dedicated prankster just happened to target a widely available phone number. But in either case, Garr says pulling off such an attack wouldn’t have been too difficult.
“My developer said, just to give you an idea, if he wanted to do this to you right now he could set this up in 30 minutes,” Garr said.
Searching the Web for “fake fax sounds” quickly turns up websites that provide fax noise files. Using those sound files, a little programming knowledge, and easily available tools, a malicious person could have launched a similar attack.
“I’ve never heard of this”
There are some online services that let you make calls from spoofed phone numbers. While there are legitimate reasons to make such calls, auto-dialing and spoofing can also be used for malicious purposes.
“I know a developer who got so angry at someone one time that he simply wrote some code to call a number a gazillion times and just drive that person crazy,” Garr said. (Garr added that he does not condone such behavior.)
RoboKiller owner TelTech runs a spoof calling service, called SpoofCard, but it doesn’t allow automated calls and thus almost certainly could not have been used by France’s attacker, Garr said. Businesses have long used spoofed Caller IDs so that employees can call customers from a single number, Garr noted. Garr’s stepfather, a veterinarian, uses SpoofCard to call patients’ owners from home at night without revealing his home phone number. The point is, Caller ID spoofing technology is widespread and easy to use for both legitimate and malicious purposes.
But as easy as it is, the specifics of the France case were new to Garr. That helps explain why RoboKiller doesn’t block the kinds of calls that disrupted France’s real estate business.
“I’ve never heard of this being an issue,” Garr told Ars. “As soon as you sent this, I wondered if we need to block fax noises.”
More Info: arstechnica.com