Phoneypot: Data-driven Understanding of Telephony Threats

Cyber criminals are increasingly using robocalling, voice phishing and caller ID spoofing to craft attacks that are being used to scam unsuspecting users who have traditionally trusted the telephone. It is necessary to better understand telephony threats to effectively combat them. Although there exist crowd sourced complaint datasets about telephony abuse, such complaints are often filed after a user receives multiple calls over a period of time, and sometimes they lack important information. We believe honeypot technologies can be used to augment telephony abuse intelligence and improve its quality. However, a telephony honeypot presents several new challenges that do not arise in other traditional honeypot settings. We present Phoneypot, a first large scale telephony honeypot, that allowed us to explore ways to address these challenges. By presenting a concrete implementation of Phoneypot using a cloud infrastructure and 39,696 phone numbers (phoneytokens), we provide evidence of the benefits of telephony honeypots. Phoneypot received 1.3 million calls from 250K unique sources over a period of seven weeks. We detected several debt collectors and telemarketers calling patterns and an instance of a telephony denial-of-service attack. This provides us with new insights into telephony abuse and attack patterns.