What to do with those mysterious links in text messages. There is some hope. A new protocol may be the first step in ending scam calls and messages: STIR/SHAKEN.
First posted January 23, 2022
Updated February 12, 2022
Updated February 21, 2022
The Problem
Nothing can be peskier than unsolicited text messages. Most are deliberate acts of fraud. Some are phishing, using techniques to lure you to a website to betray private information. Some are porn sites. For some people, the level of spam is such that it renders the cell phone useless. I am not alone. Robocalls occurred 46 billion times in 2020. What can be done about it? Will this ever end?
A step in the right direction started last June 30, 2020 when a new protocol started to take effect. Called STIR/SHAKEN, it is designed to add digital signatures to text messages and voice calls so that the sender can be verified. This will eliminate the spoofed phone numbers that appear in your caller ID. And it will make text messages traceable.
The problem is only half solved, however. The protocol described above is the STIR part, short for Secure Telephony Information Revisited. The protocol works as long as all the providers have the capability to add signatures. Unfortunately, not all of them can. Text messages, in particular, are often generated by computer systems, not by cell phones. And more and more of the spam traffic is coming from overseas, from countries that are not yet utilizing the STIR/SHAKEN protocol. This is where the second part of the protocol takes effect. When the source is not using the STIR protocol, providers can add tokens to at least make the call as traceable as possible. That is the SHAKEN part, short for Signature-based Handling of Asserted Information. Because the volume of non-compliant phone traffic is still considerable, major providers have had difficulty delivering on STIR/SHAKEN. Major phone services such as AT&T and T-Mobile act as collectors as much as they do as originators. Calls that originate outside their control have to be SHAKENed. That is easier said than done at this time. To reduce the volume of unsigned messages and calls, the FCC has shortened the deadline for smaller providers, moving it up by a year to June 30, 2022.
Hopefully, after June 30th of 2022, any robocall or text message you receive will be from outside the US. It should make it easy for any of us to identify such calls as scams. Theoretically, of course. There are the details to consider. First of all, older phones will most likely not have the capability to handle the added features of STIR/SHAKEN. As phones become capable, expect to see indicators in text messages and calls that assess the verification status of the call. The digital overhead should be minimal for voice traffic. For text messages, however, it may double the storage load. Most text messages are short. The headers containing the signatures will be bigger than the messages.
The second kink in the transition will be the complexity of compliance. It took years for e-mail to get to this level, and spamming is still a major headache. Expect the same for text messages. It will take time.
What About My Hometown?
The FCC maintains a database that lists the implementation status of STIR/SHAKEN with local providers. Since I live in Juneau, Alaska, I focused on the key providers for that community.
- ACS – Not yet implemented but will provide traceback services upon request.
- GCI – Partial implementation
- AT&T – Partial implementation
Since I utilize AT&T, I wondered what “partial” meant. Because of Juneau’s small market, “partial” usually means “last implemented,” but that is not always the case because Juneau serves as a critical fiber optic hub. What “partial” means is as follows:
The filer certifies that it commits to respond to all traceback requests from the Commission, law enforcement, and the industry traceback consortium, and to cooperate with such entities in investigating and stopping any illegal robocallers that use its service to originate calls, and that some of the voice traffic that originates on its network is authenticated with STIR/SHAKEN, and the remainder of the voice traffic that originates on its network is subject to a robocall mitigation program. The filer also certifies that the attached searchable PDF details the specific reasonable steps it has taken to avoid originating illegal robocall traffic as part of its robocall mitigation program, and, if applicable, the type of extension or extensions it received under 47 CFR § 64.6304.
You will notice that the missing element is “the customer.” The primary objective of this protocol is to prosecute fraud. The secondary benefit will be to improve the security of your voice and text traffic. Not clearly defined is the “mitigation program.”
In the Meantime, What is to be Done
First and foremost, it isn’t worth your time to call in complaints or attempt to find justice in this matter. I started on this project in August 2020 and sent e-mails to several providers and government agencies. I had absolutely no luck in getting a response from anyone, least of all an acknowledgment. It was interesting to come across an article in MobileSyrup where the writer voiced a similar frustration in getting assistance. Customer service generally had no clue what STIR/SHAKEN was, so it is obvious that providers have not yet trained their personnel in the new protocol because it has not matured as a service and the tools that technicians can use have not yet been perfected.
It probably would not hurt to send a nice letter to your state and federal government representatives. Let them know you are aware of the issue and would appreciate any help their offices can provide. I think it is important for them to know that the average citizen has little or no assistance in protecting themselves from fraud. The sooner that STIR/SHAKEN is implemented, the better.
With all the partisan vitriol in Washington, DC, it is comforting to know that there is a bi-partisan effort to protect consumers from robocalls. Senators Thune (R-South Dakota) and Markey (D-Massachusetts) have introduced the Robocall Trace Back Enhancement Act, seeking to increase penalties to fraud operators. Fifty-one state attorneys have signed up to battle robocalls and fraud.
In the Meantime, What to Do About the Links
Unfortunately, the disadvantage of text message apps is that it is very difficult, if not impossible, for the average user to verify whether the link they receive is actually the real thing. If the same link is delivered in an e-mail message, hovering the mouse pointer over the link in the message reveals at the bottom of the screen the actual link contained in the code. In the example below, pointing the mouse over “Redeem Points” will reveal the link information in the lower left corner of the browser. This sort of important information is not readily available with text messages on your phone.
The example I presented at the beginning of the article is quite typical of a spammed text message I recently received on my phone. All I got was a message from abe…07@gmail.com that simply had a link.
U8b5R8.Ab8nCZF0k.bond
Searching for a DNS domain by the name of Ab8nCZF0k.bond proved fruitless. You can do this by going to the WHOIS web site. A second thing I did was double-check the “bond” top-level domain to verify that it is a legitimate top-level domain. It is. This can be achieved by going to the IANA web site (international agency that sets the rules of Internet communication). At this point, an unregistered domain is rather suspicious. It is my first hint that the link posted in the text message is not what it appears to be.
I next conducted a search in Duck-Duck-Go and nothing concrete came up, although the random mix of letters and digits produced several Russian sites. That may be due to another trick used by scammers – substituting foreign letters for identically appearing English letters. While they may look the same, the universal code value (Unicode) that identifies each letter and symbol is different, and it is that code value, not the letter's appearance, that Internet routers read. Again, this is another technique used by scammers, and it may explain why my first attempt to locate the domain failed in the example above. It is quite possible that the letter “C” is actually the Russian (Cyrillic) letter “С”, which looks identical but corresponds to our letter “S”.
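Here is a way to put that look-alike check into practice. This is an added example, not code from the article, and it uses only the Python standard library. It reports, per label of a domain name, any non-ASCII characters with their Unicode code points, whether a label mixes scripts, and the "xn--" punycode form that resolvers actually query. The SPOOFED sample is constructed: it is the article's link with the Latin "C" replaced by the Cyrillic letter Es (U+0421), and the LOOKALIKES table is a small hand-picked subset, not the full Unicode confusables list.

```python
# Added example (not from the article): flag look-alike characters in a
# domain name before deciding whether a texted link is what it appears to be.
# Standard library only. The SPOOFED sample is constructed: the article's
# link with the Latin "C" swapped for the Cyrillic letter Es (U+0421),
# which most fonts draw identically.
import unicodedata

# Hand-picked subset of Cyrillic letters that mimic Latin ones one-for-one
# (an assumption for this example, not the full Unicode confusables table).
LOOKALIKES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}


def script_of(ch):
    """Crude script tag taken from the first word of the Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyze_domain(domain):
    """Per-label report plus the ASCII form a resolver would actually query."""
    labels = []
    for label in domain.split("."):
        # Only letters count toward script mixing; digits are script-neutral.
        scripts = {script_of(c) for c in label if c.isalpha()}
        non_ascii = [
            {
                "index": i,
                "char": c,
                "codepoint": "U+%04X" % ord(c),
                "name": unicodedata.name(c, "?"),
                "mimics": LOOKALIKES.get(c),
            }
            for i, c in enumerate(label)
            if not c.isascii()
        ]
        labels.append({
            "label": label,
            "ascii_only": label.isascii(),
            "mixed_script": len(scripts) > 1,
            "non_ascii": non_ascii,
        })
    # Non-ASCII labels travel on the wire as "xn--" punycode; a label that
    # looked plain on screen but comes back as xn-- is the giveaway.
    try:
        wire_form = domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        wire_form = "invalid: %s" % exc
    return {"domain": domain, "wire_form": wire_form, "labels": labels}


def is_suspicious(domain):
    """True if any label carries non-ASCII characters or mixes scripts."""
    return any(not lab["ascii_only"] or lab["mixed_script"]
               for lab in analyze_domain(domain)["labels"])


# Constructed samples: the link exactly as printed in the article, and the
# same link with a Cyrillic Es in place of the Latin C.
PLAIN = "Ab8nCZF0k.bond"
SPOOFED = "Ab8n\u0421ZF0k.bond"

if __name__ == "__main__":
    for d in (PLAIN, SPOOFED):
        rep = analyze_domain(d)
        print(d, "->", rep["wire_form"], "suspicious:", is_suspicious(d))
        for lab in rep["labels"]:
            for hit in lab["non_ascii"]:
                print("  label %r index %d: %s %s (looks like %r)" % (
                    lab["label"], hit["index"], hit["codepoint"],
                    hit["name"], hit["mimics"]))
```

Run as a script it prints both samples; the plain link passes through unchanged, while the spoofed one encodes to an "xn--" label and is flagged at index 4 as a Cyrillic Es mimicking "C". The same check applies to any domain pulled out of a message, not just the one in the article.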
Now the fun begins. I use Linux as my preferred desktop operating system. So my next step was to get more basic. This is done by opening the command shell and using two Linux commands to compile some relevant data: traceroute and nslookup.
Mycomputer:~$ nslookup Ab8nCZF0k.bond
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: Ab8nCZF0k.bond
Address: 162.255.119.179
Mycomputer:~$ traceroute Ab8nCZF0k.bond
traceroute to Ab8nCZF0k.bond (162.255.119.179), 64 hops max
1 192.168.1.1 4.708ms 2.597ms 2.854ms
2 209.193.63.235 35.581ms 28.393ms 30.576ms
3 63.140.116.226 30.037ms 43.584ms 32.375ms
4 63.140.116.130 58.911ms 59.068ms 59.865ms
5 206.81.81.178 59.652ms 58.847ms 59.925ms
6 10.255.20.17 91.514ms 86.260ms 84.594ms
7 172.20.0.198 1127.234ms 701.891ms 183.532ms
8 100.65.240.35 1129.485ms 734.458ms 164.591ms
9 162.255.119.179 1086.215ms 796.944ms 1269.118ms
Beginning with nslookup, it is clear that there is some sort of data out there regarding the mysterious web site. DNS servers will typically collect and cache any discovered domains, whether they are formally registered or not. traceroute confirms that the website resides at the last address.
The next step is to check out the 162.255 address. Using the WHOIS web site, we can investigate further the owner and provider of the site.
NetRange: 162.255.116.0 - 162.255.119.255
CIDR: 162.255.116.0/22
NetName: NCNET-5
NetHandle: NET-162-255-116-0-1
Parent: NET162 (NET-162-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS16626, AS174, AS3356, AS4323, AS22612, AS32421
Organization: Namecheap, Inc. (NAMEC-4)
RegDate: 2014-05-14
Updated: 2015-03-24
Comment: http://namecheap.com
Comment: for any abuse please use: @namecheap.com
Ref: https://rdap.arin.net/registry/ip/162.255.116.0
OrgName: Namecheap, Inc.
OrgId: NAMEC-4
Address: 11400 W. Olympic Blvd. Suite 200
City: Los Angeles
StateProv: CA
PostalCode: 90064
Country: US
RegDate: 2011-01-28
Updated: 2017-01-28
Ref: https://rdap.arin.net/registry/entity/NAMEC-4
ReferralServer: rwhois://whois.namecheaphosting.com:4321
OrgTechHandle: TECHT4-ARIN
OrgTechName: Tech team
OrgTechPhone: +1-323-375-2822
OrgTechEmail: @namecheaphosting.com
OrgTechRef: https://rdap.arin.net/registry/entity/TECHT4-ARIN
OrgAbuseHandle: ABUSE2885-ARIN
OrgAbuseName: Abuse team
OrgAbusePhone: +1-323-375-2822
OrgAbuseEmail: @namecheaphosting.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2885-ARIN
OrgTechHandle: EFIME-ARIN
OrgTechName: Efimenko, Igor
OrgTechPhone: +1-323-375-2822
OrgTechEmail: @namecheap.com
OrgTechRef: https://rdap.arin.net/registry/entity/EFIME-ARIN
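The nslookup, traceroute and WHOIS steps above can be tied together mechanically. The following is an added example, not the article's own tooling, using only the Python standard library: it parses the traceroute output, labels each hop as private (RFC 1918), carrier NAT (RFC 6598) or public, parses the ARIN-style WHOIS record, and confirms that the final hop falls inside the allocated CIDR block and pulls out the abuse contact. Both sample texts are constructed copies of the output quoted in the article; the WHOIS e-mail addresses are elided there and stay elided here.

```python
# Added example (not the article's own tooling): classify the hops of a
# traceroute and check the final hop against the WHOIS allocation record.
# Standard library only. Both sample texts are constructed copies of the
# output quoted in the article; the WHOIS contact e-mails are elided there
# and are left elided here.
import ipaddress
import re

TRACEROUTE = """\
traceroute to Ab8nCZF0k.bond (162.255.119.179), 64 hops max
1 192.168.1.1 4.708ms 2.597ms 2.854ms
2 209.193.63.235 35.581ms 28.393ms 30.576ms
3 63.140.116.226 30.037ms 43.584ms 32.375ms
4 63.140.116.130 58.911ms 59.068ms 59.865ms
5 206.81.81.178 59.652ms 58.847ms 59.925ms
6 10.255.20.17 91.514ms 86.260ms 84.594ms
7 172.20.0.198 1127.234ms 701.891ms 183.532ms
8 100.65.240.35 1129.485ms 734.458ms 164.591ms
9 162.255.119.179 1086.215ms 796.944ms 1269.118ms
"""

WHOIS = """\
NetRange:       162.255.116.0 - 162.255.119.255
CIDR:           162.255.116.0/22
NetName:        NCNET-5
NetType:        Direct Allocation
OriginAS:       AS16626, AS174, AS3356, AS4323, AS22612, AS32421
Organization:   Namecheap, Inc. (NAMEC-4)
RegDate:        2014-05-14
Updated:        2015-03-24
OrgName:        Namecheap, Inc.
OrgId:          NAMEC-4
OrgAbuseEmail:  @namecheaphosting.com
"""

# Address blocks that never appear on the public Internet; a hop inside one
# of them is a router on a home, private or carrier-internal network.
SPECIAL_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("100.64.0.0/10"), "shared / carrier NAT (RFC 6598)"),
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def classify(ip_text):
    """Label an IPv4 address as private, carrier-NAT, or public."""
    ip = ipaddress.ip_address(ip_text)
    for net, label in SPECIAL_RANGES:
        if ip in net:
            return label
    return "public"


def parse_traceroute(text):
    """Return (hop_number, ip, [rtt_ms, ...]) for each hop line."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(%s)\s+(.*)$" % IPV4, line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+)\s*ms", m.group(3))]
            hops.append((int(m.group(1)), m.group(2), rtts))
    return hops


def destination_ip(text):
    """The resolved target from the 'traceroute to host (ip)' header line."""
    m = re.search(r"\((%s)\)" % IPV4, text)
    return m.group(1) if m else None


def parse_whois(text):
    """Key/value fields of an ARIN-style record; first occurrence of a key wins."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            rec.setdefault(m.group(1), m.group(2))
    return rec


def investigate(trace_text, whois_text):
    """Tie the trace to the allocation: is the endpoint inside the WHOIS block?"""
    hops = parse_traceroute(trace_text)
    dest = destination_ip(trace_text)
    rec = parse_whois(whois_text)
    block = ipaddress.ip_network(rec["CIDR"])
    return {
        "destination": dest,
        "reached_destination": bool(hops) and hops[-1][1] == dest,
        "in_whois_block": ipaddress.ip_address(dest) in block,
        "allocated_to": rec.get("OrgName"),
        "abuse_contact": rec.get("OrgAbuseEmail"),
        "non_public_hops": [h for h, ip, _ in hops if classify(ip) != "public"],
        "hops": [(h, ip, classify(ip), rtts) for h, ip, rtts in hops],
    }


if __name__ == "__main__":
    result = investigate(TRACEROUTE, WHOIS)
    for h, ip, kind, rtts in result["hops"]:
        median = sorted(rtts)[len(rtts) // 2]
        print("%2d %-16s %-32s median %.1f ms" % (h, ip, kind, median))
    print("destination %s reached: %s, inside %s block: %s, abuse: %s" % (
        result["destination"], result["reached_destination"],
        result["allocated_to"], result["in_whois_block"],
        result["abuse_contact"]))
```

On the article's data this reports hop 1 as the home router (192.168.1.1), hops 6 through 8 as private and carrier-NAT space inside some provider's network, and the final hop as a public address that sits inside Namecheap's 162.255.116.0/22 allocation, which is what makes the abuse contact on that record the right place to report the message. Note that the non-public hops tell you about the path, not the destination: they are intermediate routers, not the server hosting the link.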
First of all, we have our old friends at Namecheap.com (see my previous article on another scam). This is the registration site. What it is registering is still a mystery because the Ab8nCZF0k.bond website is still not coming up in WHOIS. To be sure, I retested the URL, and this time the WHOIS response was that this was an invalid or unsupported domain name.
What is important here is that throughout the entire listing there is no other information regarding an owner of this IP address range other than Namecheap. So, as before, I sent a note reporting an abusive text to Namecheap. Before doing so, I reviewed their previous response. As noted, I had to give them credit for at least responding. I can’t count how many times the “abuse@” address on a DNS registration comes up empty. But nothing else was forthcoming from my previous report.
Before heading off to the telephone company, we can investigate further the sender’s e-mail address. As with the IP address, we cannot assume that the person listed is actually guilty of spamming and scamming. Addresses can be spoofed. It can be nothing more than a rabbit hole. The address in question is ab…07@gmail.com. Doing a search, the e-mail address comes up with no direct hits, but it is a bit peculiar that once again we get several Russian sites.
Yet the question remains: why are our cell phones receiving unsolicited messages, especially ones containing nothing but an unknown web link? In my case, the message was sent to a large group of phone numbers. Reviewing the range of numbers, it appears that this is a range scan, something similar to the bad old days of modems when hackers conducted “war dialing.” You would figure that it would be of interest to AT&T to know that its customers are being slammed. But a visit to their website produced absolutely nothing about how to report abusive calls or texts.
As noted above, about the least you can do in these circumstances is send a note to the DNS or hosting provider, in this case Namecheap. But I have not found that productive. So the best thing to do is ignore it. I personally find that following links in text messages is not a good idea unless the message is from a sender you expect. If you are going to share links with friends, I would recommend using e-mail, because links and sources can be traced.
Updates
February 12, 2022
Tracking the topic over the web has produced some interesting results. First, I am seeing more instructional videos regarding STIR/SHAKEN. This not only indicates that professionals are getting trained on the topic, but the protocol itself is engaging a larger audience from network technicians to IT managers. The second discovery is that there is at least one web site that is presenting metrics on whether the new protocol is reducing the number of robocalls.
TransNexus presents data that indicates that robocall traffic has dropped 12% since July. Non-technical folks will find much of the data and the heavy use of acronyms a bit obtuse, but one lesson you can draw from it is the multiple levels that the protocol engages, reflecting the degree to which calls and texts are authenticated. As noted above in the article, the SHAKEN part of the protocol is designed to at least provide partial information if the originator of the call is using a provider or Internet service that is not yet STIR/SHAKEN compliant. For folks who are IT savvy or involved with IT security, you may find the data interesting.
February 21, 2022
The FCC has completed its first review of compliance. They cited two providers who had yet to comply: Bandwidth and Vonage. The listing of Bandwidth was a bit of a surprise because they have put together a good presentation on what STIR/SHAKEN is all about. I recommend you view it.
FCC announces a $45 million fine being proposed against Interstate Brokers of America over fraudulent marketing of health care plans.
Resources
“Telecom companies appear to miss deadline to ID spam callers”, MobileSyrup, by Nida Safar, Dec. 7, 2021
“U.S. SENATORS THUNE AND MARKEY INTRODUCE THE ROBOCALL TRACE BACK ENHANCEMENT ACT”, TCPA World, by Paul C. Besozzi, Dec. 9, 2021
“FCC Says Two Carriers Failed to Fully Implement STIR/SHAKEN”, Inside Towers, February 21, 2022
“FCC Proposes Largest Illegal Robocall Fine to Date”, Telecompetitor, by Phil Britt, February 21, 2022
© Copyright 2022 to Eric Niewoehner