A simple telephony honeypot received 1.5 million robocalls across 11 months

Researchers say that most campaigns take place in short-burst storms and that answering a robocall doesn't mean you'll be targeted more often in the future.
Written by Catalin Cimpanu, Contributor

In an award-winning paper presented at the USENIX security conference this week, a team of academics from North Carolina State University presented a list of findings from operating a massive telephony honeypot for 11 months for the sole purpose of tracking, identifying, and analyzing the robocalling phenomenon in the US.

NCSU researchers said they ran 66,606 telephone lines between March 2019 and January 2020, during which time they said to have received 1,481,201 unsolicited calls -- even if they never made their phone numbers public via any source.

The research team said they usually received an unsolicited call every 8.42 days, but most of the robocall traffic came in sudden surges they called "storms" that happened at regular intervals, suggesting that robocallers operated using a tactic of short-burst and well-organized campaigns.

In total, the NCSU team said it tracked 650 storms over 11 months, with most storms being of the same size.

Image: Prasad et al.

But the research team also said that not all calls during a storm were from the robocallers themselves and that a large chunk of calls also came from real persons.

Researchers believe this happened because, at the time of the storm, the robocalling operation had been using a technique known as "caller ID spoofing" to hide their real phone numbers and pass as real persons.

If victims of the robocalling campaign missed the call and called back the spoofed number, they'd eventually end up calling the research team's honeypot telephone numbers.

Ironically, researchers also caught a storm outside of their honeypot network.

"Interestingly, a colleague in our lab was a victim of a storm event. He was overwhelmed with calls from hundreds of strangers complaining that they had received a call from him! Needless to say, he was unable to use his phone for a few days until the calls died down."

But the NCSU team also recorded a 10% sample (~150,000) of the robocalls they received, which they later analyzed using audio processing tools to determine the source and content of the robocall itself.

Academics said they detected 2,687 unique robocalling campaigns, with the largest ones promoting student loans, health insurance, Google search promotion services, and Social Security scams.

Image: Prasad et al.

However, the research team's biggest finding was that after answering 1.5 million robocalls across 66,000 phone numbers, researchers said they didn't see a spike in subsequent robocalls.

"News reports and regulatory agencies recommend phone users to avoid answering calls from unknown numbers to reduce the number of robocalls," researchers said.

"Surprisingly, we found that answering phone calls does not necessarily increase the number of robocalls you would receive. Phone users should be cautious when you get a call from an unknown number. However, occasionally answering an unsolicited phone call does not mean you will receive more robocalls." (Emphasis ours.)

Additional details about the NCSU robocalling research project are available in the "Who's Calling? Characterizing Robocalls through Audio and Metadata Analysis" academic paper [PDF]. The research team paper also received the conferences Distinguished Paper Award.

A recorded video of the research team's USENIX talk is available here.

Editorial standards