FTC To Trap Robocallers With Open Source Software

coondoggie writes: The Federal Trade Commission today announced the rules for its second robocall exterminating challenge, known this time as Zapping Rachel Robocall Contest. 'Rachel From Cardholder Services,' was a large robocall scam the agency took out in 2012. The agency will be hosting a contest at next month's DEF CON security conference to build open-source methods to lure robocallers into honeypots and to predict which calls are robocalls. They'll be awarding cash prizes for the top solutions.

They should also go after...

[rs1n]

the folks who keep calling about my (non-existent) google rankings for the (non-existent) business that I don't own.

Really?

[Scutter]

'Rachel From Cardholder Services,' was a large robocall scam the agency took out in 2012.

Are you sure about that? Because I still get calls from Rachel and friends several times per week.

Re:Really?

[Libertarian_Geek]

Ditto. That bitch is still around. Maybe the FTC is losing hard-drives too.

Re:Really?

[wonkey_monkey]

'Rachel From Cardholder Services,' was a large robocall scam the agency took out in 2012

to dinner and a show. And she still didn't put out.

Re:Really?

[roc97007]

At work you can hear them ratchet through the phone numbers allocated to the local prairie dog colony, excuse me, cubicle farm. RingHelloClick... RingHelloClick... RingHelloClick... and eventually me... Ring Hello "Congratulations! You have just won a free..." click.

I've read that some collection agencies will harass phone numbers that had been associated with the debtor in the past. You might be getting collection calls for someone who previously had your phone number. Good luck getting them to stop.

Even when I get what sounds like a legitimate call, I refuse to "verify my identity" by giving out personal information. Instead I'll look up the company phone number online or from my own records and call them back. And a few times, thereby uncovered a scam. Most recently from someone pretending to be from my credit union. (I guess they scammed a lot of people -- it was on the news.)

Re:Really?

[ShanghaiBill]

Ditto. That bitch is still around. Maybe the FTC is losing hard-drives too.

Same here. I always press "1", which transfers to a live operator, and then I play along for a few minutes. Then I ask her what color underwear she is wearing. Most hang up at that point. but a few continue the conversation. If we all waste a little of their time, then these business will no longer be viable.

What would be really nice is a CAPTCHA for phones. So if someone calls me, they get a message that says "press seven if you are a human", and my phone only rings if they pass the test. It would also need to have a whitelist, since I get legitimate robo-calls from my kids' school.

Re:Really?

[theskipper]

If you're the type willing to spend time messing with them, consider adding this to your arsenal:

If you have Callcentric or another VOIP provider, you then have the option to create call treatments for forwarding a good percentage of telemarketing calls to any number you want, including the telemarketers themselves.

For example, one of the ways I get target numbers to forward to, is by responding to the Google SEO guys then pretend to be cut off mid conversation. When they call back since they think they have a good lead, the caller ID (surprisingly) is almost always a valid number to the call center. That's the target number. Even just faking an emergency and asking for their number so you can call them back usually works. Once you have that, Bob's your uncle since there's not much reason for them to change their block of unpublished incoming numbers.

Then it's simply a matter of going into the dashboard, creating a forwarding treatment of all obvious caller ids (i.e. any 800*, anonymous, +1, etc.) to the target number and voila, the call center gets hit with all my forwarded telemarketing calls transparently. And of course forward the target number back to itself, or even better, another target.

The best way is if you can whitelist your incoming calls and simply forward any non-matching numbers, especially since most telemarketing calls these days use a random out-of-area code caller id number. Not realistic if you're running a business but for personal lines you can whitelist the area codes you might expect valid calls to come from.

Obviously this doesn't work all the time. But when it does, it's pretty satisfying to check the online report at the end of the week to see all the forwarded calls that transparently went to Raj and Rachel. My way of paying forward the opportunity to lower their interest rates.

Re:Really?

[rogoshen1]

Rachel? really? I thought she was doing pretty well for herself financially. Joey on the other hand.. After the show ended, his career went no where.. One would think he'd have saved enough to avoid having to do telemarketing.. but alas..

Re:Really?

[aardvarkjoe]

Same here. I always press "1", which transfers to a live operator, and then I play along for a few minutes. Then I ask her what color underwear she is wearing. Most hang up at that point. but a few continue the conversation. If we all waste a little of their time, then these business will no longer be viable.

Or if you don't want to be stuck talking to them, just play along until they ask you for your credit card number, tell them, "oh, I have to find my wallet" -- and then set the phone down and do something else.

I once got one of them to waste fifteen minutes on me by picking up the phone every few minutes and making some new excuse.

Re:Really?

[theskipper]

Heh, you're more devious than me. No, there's no limit but I suspect there will be some blowback if you start doing that. I just wanted a simple way of breaching their defenses, winning a battle vs. the war so to speak. Like the last act of defiance. Most people see the fake caller id, put a post on 800notes, and figure there's nothing they can do.

And it should be noted that this really only works against business services like merchant processing and SEO, getting past Rachel's defenses is probably different. That scam has a simple goal of getting the credit card number at all costs. Once they've got it they've succeeded; I suspect there's little need to field incoming calls.

But a crowdsourced project towards gathering target numbers/info about Rachel would be interesting. Like what anonymous does, with the sole purpose of exposing her inner sanctum.

Re:Really?

[jbmartin6]

In the land line days you could get a dongle that did exactly that, played a recording that said 'Press 5 to proceed', and just stuck it inline with your phone. I wonder how hard it would be to get a smartphone to do the same thing?

Ah, how adorable...

[fuzzyfuzzyfungus]

I'm not quite sure whether it is cute or sad that the FTC is merrily holding a little contest to attempt to detect robocallers based on the (relatively sparse) information available to the system at the far end of the phone line when it's a matter of public knowledge that somewhere between 'a strikingly large percentage' and 'All' calls connected are logged and potentially retained for quite some time.

Surely the network level is where robocallers stand out most dramatically, unless the caller has spoofing good enough to disguise the origin and frequency of their calls from the telco carrying them (which would also likely allow theft of service and thus be the sort of thing that would actually get fixed, unlike the pitiful state of caller ID), and we know that those logs exist.

Is it just considered polite to pretend that the telephone system can't be so scrutinized, or are robocallers customers who are just too reliable to hunt down and exterminate?

Re:Ah, how adorable...

[Razed+By+TV]

I'm going to go with sad.

To this day I still do not understand what makes this such a difficult and complex issue to tackle.

I don't see why it can't be as simple as:
Spam call comes in, I dial a report number, telecom system flags the call and the origin. After 10 reports, 100 reports, that number is blocked. Further outgoing calls from the number are directed to a message to contact a fraud line to get the number reinstated. The longer a number has belonged to a legitimate company, the more immunity it is granted by the system to prevent abuses from angry consumers. The shorter the number has been in service, the more scrunity it is under.

Are the robocallers really able to shield their call origins from the telecoms? That just seems like such a ridiculous concept.

Was anyone sent to prison?

[mi]

'Rachel From Cardholder Services,' was a large robocall scam the agency took out in 2012

Sure, the "Rachel" didn't kill anyone. Probably. But with the number of calls placed, the overall damage — even if spread among millions of people — certainly exceeded that of a serious bodily injury or even death of one person.

Was any of the scammers sent to prison? I mean, I'd recommend impalement, but prison would've been good enough. Did it happen?

Re:Was anyone sent to prison?

[fuzzyfuzzyfungus]

It seems a waste to imprison or impale them when they are likely still full of usable organs that could be reassigned to somebody who isn't an abhuman sleazeweasel...

Re:Was anyone sent to prison?

How horrifying it would be to wake in the hospital, and find out that you survived a terrible car crash, but they had to patch you up with a new liver, and now you are (scare chord) 10% TELEMARKETER!

Re:The Republicans will never allow this

Then how come all the FCC commissioners are appointed by Barack Hussien Obama? http://www.fcc.gov/leadership
You are a libtard fuckwit.

She called me 6x / hour -- This is what worked:

Or at least she was as of two weeks ago... After a while, I got tired of constantly dropping what I'm doing to run to the phone to see if my kids had gotten hurt (again) only to see it was rachel from cardholder services. So I started having fun.

The name of the game is keep the human on the phone for as long as possible. While it is ever so satisfying to answer their question of "Do you have at least $2000 in debt?" with "No, I don't have any debt.", the real goal is to stall them for as long as you can. So ask them if your mortgage counts... Or a home equity line of credit. How about your car loan? Ask them if Diners club counts. Do they take american express? You get the idea! Play dumb. Have fun with them!

And always, ALWAYS!, be sure to point out that since they're calling dozens of times a day, you felt obligated to talk to them since they must really want to talk to you.

It took a couple of days, and quite a few runs through this game, but now Rachel won't call me anymore.

I feel like I should feel rejected and not nearly this pleased with myself...

Their business model depends on automated harassing of folks. People cost money. If we all did this, poor rachel might go out of business...

Re:She called me 6x / hour -- This is what worked:

[HiThere]

Don't worry, you're just dealing with the part that hasn't yet been automated. Haven't you noticed the increasing automation of the calls? At the current rate I expect them to start trying to get your credit card number before you reach a person within the next two years.

Took out Rachel?

[Trailer+Trash]

LOL! She's still around, now joined by Bridgette and Carmen. I get called twice a day on my cell phone (which is on the "Do-Not-Call list) from them.

They need to get serious about that as people are apparently still willing to give out their credit card numbers.

Re:NSA weakness

[Psykechan]

Don't you get it? The robocallers have been classified as terrorist organizations by the NSA so anyone that they contact can now be classified as "persons of interest" and can now legally have their data snooped, er I mean "collected".

Seriously though, this isn't the movies; tracing a call is instantaneous. The telco can relatively easily follow it back to whoever is paying for the trunk. The problem being that someone is actually paying, which means that someone has a vested interest in keeping a paying customer happy. What makes it even worse is it's hard to justify that type of volume from a robocaller and still claim ignorance under the assisting violators clause of the telemarketer sales rule. Yet somehow they still get away with it.

The FTC needs to focus less on outside efforts like homemade honeypots and instead go directly after the telcos that sell service to these bastards. Under their own regulations, a telco is just as responsible and would have to pony up to 16k a pop per each robocall. If they want to zap Rachel, well they know where she lives and works.

Just Another Layer of TCP

[jbmartin6]

It used to be the "handshake" on phones was: Hello (SYN) Hello (SYN/ACK) What's up? (ACK). Now, thanks to human nature it is: Leave message and call back number = SYN, Call back and leave message (SYN/ACK), return call again and person answers since number is known (ACK). I understand this isn't always possible thanks to business needs and circumstance, but most people I know will simply never answer an unknown number on their phones, instead they let the caller leave a message to determine who the number really is. Any legitimate call will leave a message (and a few non-legits) and all the others can go to hell.

Re:NSA weakness

[fuzzyfuzzyfungus]

Interestingly at least AT&T (and probably other telcos as well) will refuse to provide the ANI logs for calls like this. They act confused when you ask then ask a supervisor and say its against policy to give customers the ANI info for incoming calls. It's almost like they want to protect the robocallers.

Pink contract, anyone?

Re:The machine I let "Microsoft Repair" hack

[billstewart]

It's a virtual machine. Running Linux. Firefox instead of Internet Exploder (Sorry, it's a work machine, the IT department installs Firefox instead of IE.) With NoScript and AdBlockPlus. Amazing how much stuff just "didn't work" when I tried it - I'd go to their web pages, and I'd hit the Download button and nothing would happen, or I'd run the installer and it wouldn't work. (I wanted to see all the different things they were trying - most of them were different Remote Login or Remote Execution programs that would have let him log into my machine and then do his real attacks.)

After about half an hour the guy realized I was faking him out, and we had another entertaining half hour while he tried to convince me that what he was doing really was a legitimate kind of business, and after that his boss came on and spent five or ten minutes yelling at me for wasting his employee's time.