June 25, 2017

Several times a week my cell phone receives the telephonic equivalent of spam: A robocall. On each occasion the call seems to come from a local number, but when I answer there is that telltale pause followed by an automated voice pitching some product or service. So when I heard from a reader who chose to hang on the line and see where one of these robocalls led him, I decided to dig deeper. This is the story of that investigation. Hopefully, it will inspire readers to do their own digging and help bury this annoying and intrusive practice.

robocallThe reader — Cedric (he asked to keep his last name out of this story) had grown increasingly aggravated with the calls as well, until one day he opted to play along by telling a white lie to the automated voice response system that called him: Yes, he said, yes he definitely was interested in credit repair services.

“I lied about my name and played like I needed credit repair to buy a home,” Cedric said. “I eventually wound up speaking with a representative at creditfix.com.”

The number that called Cedric — 314-754-0123 — was not in service when Cedric tried it back, suggesting it had been spoofed to make it look like it was coming from his local area. However, pivoting off of creditfix.com opened up some useful avenues of investigation.

Creditfix is hosted on a server at the Internet address 208.95.62.8. According to records maintained by Farsight Security — a company that tracks which Internet addresses correspond to which domain names — that server hosts or recently hosted dozens of other Web sites (the full list is here).

Most of these domains appear tied to various credit repair services owned or run by a guy named Michael LaSala and registered to a mail drop in Las Vegas. Looking closer at who owns the 208.95.62.8 address, we find it is registered to System Admin, LLC, a Florida company that lists LaSala as a manager, according to a lookup at the Florida Secretary of State’s office.

An Internet search for the company’s address turns up a filing by System Admin LLC with the U.S. Federal Communications Commission (FCC). That filing shows that the CEO of System Admin is Martin Toha, an entrepreneur probably best known for founding voip.com, a voice-over-IP (VOIP) service that allows customers to make telephone calls over the Internet.

Emails to the contact address at Creditfix.com elicited a response from a Sean in Creditfix’s compliance department. Sean told KrebsOnSecurity that mine was the second complaint his company had received about robocalls. Sean said he was convinced that his employer was scammed by a lead generation company that is using robocalls to quickly and illegally gin up referrals, which generate commissions for the lead generation firm.

Creditfix said the robocall leads it received appear to have been referred by Little Brook Media, a marketing firm in New York City. Little Brook Media did not respond to multiple requests for comment.

Robocalls are permitted for political candidates, but beyond that if the recording is a sales message and you haven’t given your written permission to get calls from the company on the other end, the call is illegal. According to the Federal Trade Commission (FTC), companies are using auto-dialers to send out thousands of phone calls every minute for an incredibly low cost.

“The companies that use this technology don’t bother to screen for numbers on the national Do Not Call Registry,” the FTC notes in an advisory on its site. “If a company doesn’t care about obeying the law, you can be sure they’re trying to scam you.”

Mr. Toha confirmed that Creditfix was one of his clients, but said none of his clients want leads from robocalls for that very reason. Toha said the problem is that many companies buy marketing leads but don’t always know where those leads come from or how they are procured.

“A lot of times clients don’t know the companies that the ad agency or marketing agency works with,” Toha said. “You submit yourself as a publisher to a network of publishers, and what they do is provide calls to marketers.”

Robby Birnbaum is a debt relief attorney in Florida and president of the National Association of Credit Services Organizations. Birnbaum said no company wants to buy leads from robocalls, and that marketers who fabricate leads this way are not in business for long.

But he said those that end up buying leads from robocall marketers are often smaller mom-and-pop debt relief shops, and that these companies soon find themselves being sued by what Birnbaum called “frequent filers,” lawyers who make a living suing companies for violating laws against robocalls.

“It’s been a problem in this industry for a while, but robocalls affect every single business that wants to reach consumers,” Birnbaum said. He noted that the best practice is for companies to require lead generators to append to each customer file information about how and from where the lead was generated.

“A lot of these lead companies will not provide that, and when my clients insist on it, those companies have plenty of other customers who will buy those leads,” Birnbaum said. “The phone companies can block many of these robocalls, but they don’t.”

That may be about to change. The FCC recently approved new rules that would let phone companies block robocallers from using numbers they aren’t supposed to be using.

“If a robocaller decides to spoof another phone number — making it appear that they’re calling from a different line to hide their identity — phone providers would be able to block them if they use a number that clearly can’t exist because it hasn’t been assigned or that an existing subscriber has asked not to have spoofed,” reads a story at The Verge.

The FCC estimates that there are more than 2.4 billion robocalls made every month, or roughly seven calls per person per month. The FTC received nearly 3.5 million robocall complaints in fiscal year 2016, an increase of 60 percent from the year prior.

The newest trend in robocalls is the “ringless voicemail,” in which the marketing pitch lands directly in your voicemail inbox without ringing the phone. The FCC also is considering new rules to prohibit ringless voicemails.

Readers may be able to avoid some marketing calls by registering their mobile number with the Do Not Call registry, but the list appears to do little to deter robocallers. If and when you do receive robocalls, consider reporting them to the FTC.

Some wireless providers now offer additional services and features to help block automated calls. For example, AT&T offers wireless customers its free Call Protect app, which screens incoming calls and flags those that are likely spam calls. See the FCC’s robocall resource page for links to resources at your mobile provider.

In addition, there are a number of third-party mobile apps designed to block spammy calls, such as Nomorobo and TrueCaller.

Update, June 27, 2017, 3:04 p.m. ET: Corrected spelling of Michael LaSala.


201 thoughts on “Got Robocalled? Don’t Get Mad; Get Busy.

  1. QuarterBack

    Here is a good tip for quieting unwanted calls that I have used.

    The problem with turning off your ringer or setting “do not disturb ” is that it also blocks the calls you want to receive. What I did was set my default ring to a ringtone file of dead silence, then set a personalized ring tone for everyone else. This way, my desired calls ring through, but the unknown calls still “ring” but with no sound. The downside is calls from numbers you don’t have in your address book will end up first going to voice mail, but that is relatively minor.

    If you search for “silent running ringtone ” you can find a soundless ringtone, or you can easily make yourself.

    1. Bill

      On android, set to do not disturb (DND) and make contacts an exception. Easy and works really well. When expecting a call from someone not in my contacts, I turn of DND for a bit. Clean and easy.

      1. Diogenes

        iOS also allows exceptions to Do Not Disturb. You can allow calls from everyone (but texts and other alerts still are silenced), nobody, or contacts designated as your “Favorites”.

    2. Moike

      I don’t consider this overkill. Either by bad luck, or the RoboPeople being spurred on by this article, I have received 28 calls between my land and cell line since noon yesterday.

      Not long ago, you could determine that a number was bad by checking it in 800notes.com and block future calls. Now, the RoboPeople also check that they are spoofing from a ‘clean’ number before placing scam calls so blocking has become useless.

      I’m waiting for the RoboScammers to buy all the contact lists that have been collected for years from questionable Smartphone apps. Then they’ll be able to spoof actual contacts before placing each call.

    1. Chip Douglas

      Obviously there is a problem with this idea, but I’m quite sure the Democrat hypocrites would jump in with both feet if this became legal. After all, they are the party that gave us, “We have to pass the bill before we can see what’s in it.”

      1. Eric

        Alas, if only we could block irrational trolls who talk in doublespeak…

    2. concerned citizen

      Seriously dude? Get over it.

  2. Harris

    Not sure about other providers, but AT&T offers Call Protect. Pretty sweet system that catches (an estimate) 7-8/10 scam/robo-calls. They don’t even ring.

    Unrelated: this guy is my hero (warning — don’t try this at home, kids):

    https://www.youtube.com/watch?v=EzedMdx6QG4

    Title of video: “Revenge on a IRS Phone Scamming Company – Call Flooder”

    1. MG

      I wish I could think on my feet like this. Telemarketing related – not quite robocall but … Tom Mabe.
      https://www.youtube.com/watch?v=mkdoogjic4I
      https://www.youtube.com/watch?v=mlnaLkkuThA

      I think the robocalls have increased 300% over the last 4 months. It gets frustrating. Spoofing a phone number is not the same as unsolicited calls trying to sell you stuff you don’t need (car warranty, insurance, etc.) I’ve had them all. I think that I’ll take the next step to work through and hit these guys with fines.

    2. George G

      Careful before attempting to flood with calls or call back at all.
      One of the two “IRS” calls I have received listed an “area code” that turned out to be a country code in Africa.

  3. Billy Masters

    After just hearing Tom Woods interview Roger from Jolly Roger Telephone Company (tomwoods.com/937), I thought this was going to be about how he has taken the war to the TeleScammers! I’m almost glad it wasn’t so that I can be the one to turn you on to it Brian! You should totally do a story on this guy! You’re gonna love it! His site is JollyRogerTelCo.com

    1. zackis

      I use Jollyroger Telco and have for the last 7 months, easy to use, it helps to generate a call log that you can use to fill out the complaints ( via the FTC page) and it does hit them in the pocketbook.

    2. Drone

      Be careful with that JollyRogerTelCo.com site, it’s hosted on Wix\Pastorage which has a reputation for serving up some pretty seedy sites.

      1. spagafus

        Jolly Roger is legit and the real person, Roger Anderson, speaks publicly and even did a regional TED Talk about his service. Nothing seedy about what he’s doing except to the scammers he’s fighting. Lately he’s gone on the attack he calls “Broadsides” by flooding call centers until their DIDs are taken down.

  4. todd

    There are plenty of tools on android/iphone that will block unwanted calls. Some use databases to search for suspected spam numbers. I am convinced that some of those tools actually end up adding you to call lists though. Careful what you download. I still consider the app stores a wild west with little oversight.

    1. Bruce Hobbs

      Because of spoofing, blocking calls on caller ID will work for the telemarketers that aren’t spoofing!

  5. Jim

    I’m still surprised, that phone spoofing is legal. The phone is also a personal “safety device”. Your automatic 911 device. So, if it’s spoofed? Are you safe? Or is the scammer safe?

    1. Bruce Hobbs

      There are legitimate business and other reasons to allow spoofing. For example, if I have a company with employees all over the United States, I might want all outgoing calls to use the same corporate number, instead of a bunch of cell phone and home land line numbers. So the company spoofs its corporate number in place of the employee’s personal phone number. However, these could be handled with licensing.

      Foreign entities spoofing U.S. numbers on international calls should not be allowed.

      This whole thing with caller ID is due to stupid people rushing out new products and services without doing a proper security analysis. I see this over and over again and I don’t know how we can stop it.

      1. Reader

        And THAT is the crux of the matter: companies want to cover up the fact that they’ve outsourced their call centers and their employees are poorly supervised, paid poorly, spread throughout the world, and have no interest in customers’ information security. Telecommunications companies are just as guilty of covering up their outsourcing through spoofing, which is why you’ll never see the problem solved in the way customers want.

      2. Beeker

        There are legitimate companies that do spoof numbers when they make calls simply for security reason. I once worked for a firm that deals with mental health referral services for TRICARE members and they used a spoof number number when employees returns their calls. It is designed to protect employees who would be threatened if they are doing their job providing services.

      3. acorn

        I for one don’t have spoofed numbers ringing. They want to spoof=blocked when I have my no – ring blocker enabled. Only callers in my contacts or added to my whitelist ring my phone:
        krebsonsecurity dot com/2017/06/got-robocalled-dont-get-mad-get-busy/comment-page-1/#comment-434535

        Yes, I’ve missed legitimate calls, which I blame on the spam callers which at times outnumber my legitimate callers by a hugely larger magnitude.

    2. JasonR

      Spoofing the CallerID doesn’t spoof the BTN or associated address information when calling 9-1-1 in the US. E9-1-1 can see both numbers.

      Source: used to work for a PBX/voip installer, and had to make sure 9-1-1 calls were routed to the right local POTS lines and not out of other sites. Also had to make sure that the E9-1-1 showed the proper company name and address, and document this, so that if in the future something went wrong it couldn’t be blamed on us, the installers.

      1. Bruce Hobbs

        So if E9-1-1 gets two phone numbers, how does a swat attempt get past them? I don’t believe you.

        1. Joseph

          Investigated a lot of swatting calls and they go through the non-emergency line. Since they are most likely calling from another state or area, they just look up the non-emergency number for the department servicing the target and call that number.

          1. BrianKrebs Post author

            Also, a lot of times they use TTY services for the deaf, which rely upon a third party operator relaying what the swatter is typing.

            1. timeless

              Fwiw, part of the reason that the TTY bridge works so well is there confidentiality requirement in US law. The reason it exists is that for normal conversations between two parties, both parties have a reasonable expectation of privacy. When you add a TTY agent, they by necessity act as a (wo)man in the middle of what could legally be a very intimate protected conversation (including speaking with a spouse, a doctor, a lawyer,…). If the operators could talk about these calls, that would violate the privacy of these users, and they wouldn’t use the service. So, to enable/encourage users of the TTY service, the privacy protections were included.

              There service was designed a long time ago, long before these various abused became common, and no one has to my knowledge tried to revisit this/rebalance the protections.

              I think that the TTY bridge could probably be authorized (via an act of Congress — and this isn’t a particularly good Congress to ask for reasonable acts…) to have access to both parts of caller ID, but I’m not really sure how helpful it’d be.

            2. Beeker

              Brian,

              The TTY services is a service provided by the state which fees are collected from the phone service within the state and used to provide services for deaf people. Technologically it is moving away from that to Video Phone (VP).
              But they are prone to abuse by people trying to get around it.

  6. Jeff Martin

    What does it mean “let phone companies block more unwanted calls.”? Is there some FCC rule preventing them from doing this now? I always wondered why they are allowed by the telco to spoof calls in the first place.

    1. Frank Q

      E-mail is typically a free service, where the costs sit on the shoulders of the provider. When a provider has poor spam filtering, it is considered by the average person to be a failure on the part of the provider. There is also quite a lot of good competition in that market, and switching e-mail providers is not particularly difficult.

      Phone providers often charge for phone use, and customers are less likely to equate a spam phone call with a failure on the part of the provider. Switching phone providers is often such a hassle that people will continue paying high prices to avoid it.

    2. spagafus

      The phone companies (claimed they) were afraid that common carriage rules would be applied if they tried to block calls known to be scams/illegitimate. The FCC did not change anything but did reassure the telcos that the rules would not be enforced under these circumstances.

  7. Bruce Hobbs

    I am convinced that adding your phone number to the Do Not Call registry will get you more robocalls and other solicitations, not less. The FTC has completely lost control of this situation. I have an inactive phone number that I will test this on later this year.

    There are two trends I’m seeing: First, the spoofed phone number has the same exchange as my phone number (say, 513-407-xxxx) so that I’m more likely to answer.

    Second, if I DON’T say ‘Hello,” then I only get silence at the other end. After 10 seconds, I ask “Is anyone there?” and the call gets disconnected.

    Because of spoofing, blocking phone numbers by caller ID is not very effective.

    1. Mahhn

      I expect they use it as a confirmation DB for the phone numbers.

    2. Robert

      Generally I rarely get calls on my cell phone, perhaps one every other month. Of late I can get two in a day, 4 for the week and then it stops for weeks if not months. Same deal each time, they spoof my area code and exchange and probably start with suffix 0000 then go up to 9999 and start on the next exchange.

      If I let it go to voice mail, they do not leave a message. What I usually do is answer and immediately hang up, they never call right back, just move on to the next number in the auto dialer’s list.

      I did get a call last year from a woman who wanted to know why I called her. I told her most likely my number was spoofed.

      I don’t have text on my phone plan so I never see any junk there. Heaven knows how much of that is still going on.

      My home phone is a different story. They call numerous times a day. AC Services was the culprit in the past, a for profit that tells the person called that they are a non-profit and exempt from the DNC rules. They were fines $100,000 by one state, other states also have also gone after them.

      Most of the home calls I get are scams, recorded voices, computer voices and live ones too. They seem to be aiming for seniors to scam. Free medical alert gear, free stuff if you’re on medicare, change your electric provider, credit repair, the list is endless.

      What I do notice is about many of the calls is the “noise” I hear before they start talking. Sorta sounds like a “bloop, bloop” sound, then after a moment of silence someone now speaks. I assume it’s the software they use but do not know. I have plenty of recordings I’ve made of the calls and notice that all types of scammers have this sound at the start of their calls.

      Anyone know what software/hardware they are using that helps ID the call imediately as a scam call? Never heard a legit company call make this sound. Perhaps it’s something available to scammers to help them auto dial.

      BTW, fwiw, it’s NOT the “sit tone” I’m hearing. It sounds more like the old Lost in Space TV series sound that Debbie the space chimpanzee made but more of a poping sound to it.

  8. Ronal Kumar

    Perfect timing for this article – I was beginning to think US residents are sheep for fake corporate’s.

    Some of the calls are such a nuisance and the nature of the calls are totally nonsensical.

    Two months ago I went to LA (work related) and stayed at a hotel chain – unfortunately gave my phone number. Now getting calls – Hey! we are giving you a special discount.

    Robo caller kept on calling and became a nuisance to my workplace until I had to listen for 2
    minutes and then got an option to opt out.

    Now this is unacceptable to me – I am not used to this kind of stupidity – I am used to Island living where people do not bother each other.

    Normally residents rely on agencies to tackle these basic issues and apply common sense – however feels like I have moved to a place where common sense does not exist – whether at road or at time wasting cold calling.

    1. Bruce Hobbs

      I would think the same advice for email would apply to spam calls: Do not opt out. You are just confirming that your phone number is valid and you will receive more calls, not fewer.

  9. john Jie

    I solved my robo/telemarketing problem my installing ‘RoboFence’, a free program, on my iPhone.

  10. Bob

    Since I don’t run a business, my rule is I don’t answer any call that isn’t in my contacts list. Towards the end of the day, I got through my call list and block all the numbers that haven’t left voice mail. After I listen to my voice mail, I block all numbers that are junk calls. I haven’t had a land line for 10+ years, so that’s not an issue.

    My phone says it’s blocked 85 calls as of 10:05. That’s pretty typical for a weekday. I seem to get a few new numbers to block each week. I’ve had the same cell number for 15+ years.

    I’ve told my wife about the AT&T app. She will see if it helps any for her iPhone.

  11. Jason

    I’ve been getting swamped with these, lately. The “opt out” option doesn’t work either, FYI.
    Unfortunately, due to my work, I do get legitimate calls from unknown numbers rather often, so this is becoming more and more of a real problem.

  12. James F. Pasquini

    I like when I receive a call from the area code “011” – definitely fake. My home phone gets these 3-6 times per month!

    1. Kent

      Portfolio Recovery used to call my home phone several times a day and never leave a message. I decided to answer and give them an $%^-chewing they’d never forget. It turned out to be a debt collection company looking for my ex-wife, whom I divorced over 25 years ago, long before getting this phone number or this home address.

      They, like many debt collectors, use associations without regard for when a person was associated with their debt collection target.

      So, they still got that $%^-chewing I mentioned. But I gave them a short story about a jealous 2nd wife and made them feel badly about invading our privacy with my ex-wife’s business.

      I get all kinds of calls on home and cell phone though. Scams from a computer-generated voice about security software they installed on my computer last year that’s now reporting major trouble, calls from foreign people claiming they are Microsoft and that my computer is signalling them about a virus (what BS both of those are).

      1. Beeker

        Anyone calling to help you with your computer is a scam because they have no way of knowing if there’s a problem with MS unless you had it serviced.

        Let me give you an example, my mother got a call about a Windows OS problem and they want to sell her some software to fix it. The first thing I said, how would they know you have a problem with the OS? They couldn’t.

  13. Sandy

    I love nomorobo. It catches all those spammy calls. Love it!!!

  14. Drew

    Surprised nobody else has mentioned this Google, at least on my Nexus device without installing anything, the whole screen goes red and says ‘possible spam caller’ (or close) at the bottom.

  15. Erica

    The iPhone DND mode works wonderfully. I have it set to allow calls from Favorites, then I just add callers that I want calls from on my favorites list. The rest do not ring.

    If I’m expecting a call that’s not on the list (car shop or doctors office) I either turn DND off or leave my phone where I can see the screen.

    #noAppNeeded

  16. Kidd

    Every time I get one of these calls, when I call the number back, it’s usually someones home or cell number. What do you do then? report the other person’s number? That is not right. I hate these Fn calls. it’s like they always know when you are eating and call you during that time.

  17. Jason

    Great investigation! I hate these robocalls so much. I was once in an elevator and the emergency phone inside it rang, it was a robocall…literally said “press 1 for more info”. I’ve noticed that while the FCC supposedly takes action against these scum, the “fine” they impose is usually suspended and they place an injunction preventing that violator from making future robocalls. Hardly seems like much of a deterrent.

  18. davemich

    The simplest way to handle this problem is the same simplest way to handle the spam problem – have two phones. One number is freely available, but you never answer it. A landline or a burner phone works well here. Only give your personal cellphone number to trusted parties, and very few of them.

    1. Anon

      Except when they call you anyway by random dialing.

  19. Will

    It won’t work for most people, but for my landline I have uverse and they have a very limited whitelist option. Only phone numbers on the list will ring through to my landine and I get absolutely no robocalls/spam.

    As with other solutions discussed above, if I need a call from random contractors, etc, I have to log into the website and disable the feature temporarily. And it also provides a call log on the management site that allows me to see who has been blocked in case I need it. It’s not a perfect solution, but it more-or-less works for me for now.

  20. Ninja

    Why anybody can actually spoof phone numbers if there are mechanisms to prevent it is a mystery. Not.

  21. Max Power

    The article claims that “The FCC recently approved new rules that would let phone companies block robocallers from using numbers they aren’t supposed to be using.”

    I don’t think this is accurate. The FCC has published a draft rule on this:

    https://www.fcc.gov/document/robocall-blocking-nprm-and-noi

    But it has not gone into effect yet and probably won’t until sometime towards the end of the year.

    That said, if the FCC and carriers can get past some technical hurdles then once these rules do go into effect then there is a chance for some significant relief for subscribers in this realm.

    I personally get 1-3 such calls a day on average I’d say.

  22. John Moore

    I would like to just not answer calls with no caller ID, except…

    Two places that physicians call me from always call with a “RESTRICTED” or blank caller ID. One of them, naturally, is the Veterans Administration.

    So, if I want those calls, and I do, I get to answer lots of robocalls.

  23. scott

    A few times I picked up the call only to be connected to a call center in India. Each time the person on the other end decided that he did not like my questioning and started using words that could not be broadcast on the public airwaves.

    The script is the same every time. Once I started to recite the script back to the caller and he hung up. When I am in a good mood I will throw the insults back. Being from the streets of Brooklyn, I’m pretty good at “doin’ the dozens” (look it up, youngsters). They can’t handle it and hang up on me! Maybe this is why I haven’t been called in a while!!

  24. angryinadk

    I have taken to answering calls I do not know with as nasty a obscenity as I can come up with. If it is a robocall I will go through what is necessary to talk to someone to offend. Some of the telemarketers continue as though I said hello. If I suspect they may be of a certain culture or religion I tailor my nasty toward them. Proposition the women, ask very personal questions, tell them their privates stink so bad you can smell them over the phone. Tell the males that their breath smells like their moms crotch. You get the idea. I am not bound by any personal restraint when it comes to these scum.They called me. I will make them regret it..

  25. Brian Lev

    I’m _not_ shilling for either company, but apparently Verizon now offers NoMoRobo as a free add-on for their landline customers. I haven’t tried it yet but am desperate enough to give it a go.

Comments are closed.