Towards measuring the role of phone numbers in twitter-advertised spam

Abstract

The telephony channel has become an attractive target for cyber criminals, who are using it to craft a variety of attacks. In addition to delivering voice and messaging spam, this channel is also being used to lure victims into calling phone numbers that are controlled by the attackers. One way this is done is by aggressively advertising phone numbers on social media (e.g., Twitter). This form of spam is then monetized over the telephony channel, via messages/calls made by victims. We refer to this type of attacks as outgoing phone communication (OPC) attacks. By collecting approximately 70M tweets containing over 5,786 phone numbers over a period of 14 months, we are able to measure properties of multiple spam campaigns, including well-known tech support scams. Our contributions include a novel data collection technique that amplifies tweets containing phone numbers, clustering of tweets that are part of a given OPC attack campaign, and brief analysis of particularly interesting campaigns. We also show that some of the campaigns we analyze appear to attempt to avoid account suspension by Twitter, by including reputable URLs in their tweets. In fact, we find that Twitter suspended only about 3.5% of the accounts that participated in the top 15 spam campaigns we measured. Our results not only demonstrate a new kind of abuse exploiting the telephony channel but also show the potential benefits of using phone numbers to fight spam on Twitter.