Traffic Pumping and the Case of the Phantom Caller

How's this for a trouble ticket?

"A woman in New Jersey is getting strange phone calls to her office from unknown numbers. Every time she picks up, she finds herself eavesdropping on the life of a different stranger."

A friend (thank you Matt) recommended I listen to an episode of the Reply All podcast that investigates this issue. Of course with years of experience as a VoIP engineer I was curious, but also a little skeptical that there was really anything interesting to discover.

I was wrong.

(This article first appeared on AwardConsulting.net)

If you have time, I recommend you listen to the podcast, but if you're busy, here's the short version of what they figured out.

• This lady is a receptionist at a business and the business line often receives these odd calls - sometimes live calls she picks up and sometimes voicemails where she can hear something, but it's not clear what it is, and no-one ever responds when she talks.
• They're able to get recordings of many of these when they go to voicemail.
• My first thought was that somehow some RTP streams were getting cross-connected somewhere, but apparently not - everything looks totally legitimate in terms of all the call set up. The service provider is able to validate that these calls are real calls originating off-net, from a variety of numbers.
• However, when they call the originating numbers they discover that the callers can't have placed the offending calls. i.e. the caller ID is being spoofed for some reason.
• They then realize that sometimes the audio is identical in different calls - which leads to the discovery that the audio is a recording that is intentionally being played as an RTP stream.
• Eventually the problem is identified as toll-free traffic pumping: these receiving number is a toll-free number, and these calls are being placed with the intention of racking up toll-free minutes to the benefit of the originating service provider. The spammer is using these weird audio files because they increase the duration of the call versus just playing silence or an announcement.

Toll-Free Traffic Pumping

Now I've heard of traffic pumping. In particular, I'm familiar with the idea that all these free conference call services are earning money from the host carriers who get paid termination fees by the originating and LD carriers for receiving the traffic. In fact there have been several recent law suits (e.g. Qwest vs Farmers & Merchants Mutual Telephone) where it's been found that the terminating carriers shouldn't get compensated for pumping traffic to their networks in this way.

However, I hadn't heard of toll-free traffic pumping, but apparently it's a thing. The idea is that the spammers generate a large number of calls to a variety of toll free numbers - while trying carefully to not act too suspiciously - and this generates revenue for the originating service provider who shares that revenue with the spammer. In the podcast they use odd recordings to increase the duration of the spam calls, but I've also read about cases where spammers intentionally try to reach auto-attendants after hours, and then find a way to keep the IVR menu active for hours on end (presumably with occasional key presses designed to make sure they never exit the menu but are still viewed as active by the auto-attendant software).

How can we spot this?

This is all fascinating, but as a service provider how can you know if toll-free traffic pumping is happening in your network?

Unfortunately there's no easy way to spot it. These just look like normal calls. At the moment, the best ways to notice the problem are through trouble tickets complaining about odd calls to toll-free numbers, and through a general analysis of network traffic to toll-free numbers. If you see an increase of (say) 20% or more in traffic to a particular number, and in particular if you see any long duration calls after hours then it might be worth further investigation. Of course, you're unlikely to even search for the problem unless someone opens a trouble ticket - which is part of the genius of the whole thing.

What can we do about it?

While this whole issue is pretty difficult to address, there are a few avenues that we can use to address the problem.

• If you find a case of traffic pumping it should be possible for law enforcement to follow the money to find out who is responsible. You can make a complaint to the FCC or to the FBI and ask them to investigate.
• There are a variety of fraud detection applications that can help deal with fraud and robocalls in your network in general (contact us if you want more information on these), although if the spammers are spoofing all the phone numbers these may only be partially successful.
• You could consider setting up specialized translations to limit the duration of calls to toll-free numbers after business hours - which would at least partially reduce the impact of this problem. We can help set this up for you in your Metaswitch translations if you're interested in going down that path.

Long-term, the FCC is encouraging everyone to deploy the STIR and SHAKEN frameworks which will allow service providers to authenticate caller ID on VoIP calls - but unfortunately it will take a very long time for this to become useful as (a) it requires a significant number of service providers to use the technology and (b) it doesn't work on TDM networks.

Nevertheless, at least we can be confident that eventually there'll be a solution to the issue of spoofed caller ID. One day. By the way, I'll be speaking on a panel for the Oregon Telephone Association in a few weeks time about STIR/SHAKEN as it relates to toll-fraud and robocalling, so let me know if you'll be there.

*****

Award Consulting Services is focused on helping ILECs and CLECs who use Metaswitch products to thrive as they improve their networks through migrations, strategic projects and improved service offerings.

Our goal is to create highly specific, highly valuable content targeted specifically at US regional service providers, and especially those who are running Metaswitch equipment. Join our email list to be notified of new content.