Identifying and mitigating cross-platform phone number abuse on social channels

Abstract

Online Social Networks (OSNs) have become a huge aspect of modern society. Social network usage is on a rise, with over 2 billion people using it across the globe, and the surge is only expected to increase. Online Social Networks not only aid users to engage in online conversations, but also help them in staying updated with current news / trends, keep up with friends, and participate in online debates etc. Some experts suggest that OSNs will soon become the new search function – people will search lesser time navigating through Internet websites, but consume the content available on OSNs. A significant fraction of OSN spam research has looked at solutions driven by URL blacklists, manual classification, and honeypots. Since defence mechanisms against malicious / spam URLs have already matured, cybercriminals are looking for other ways to engage with users. Telephony has become a cost-effective medium for such engagement, and phone numbers are now being used to drive call traffic to spammer operated resources. The convergence of telephony and the Internet with technologies like Voice over IP (VoIP) is fueling the growth of Over-The-Top (OTT) messaging applications (like WhatsApp, Viber) that allow smartphone users to communicate with each other in myriad ways. These social channels (OSNs and OTT applications) and VoIP applications (like Skype, Google Hangouts) are used by millions of users around the globe. In fact, the volume of messages via OTT messaging applications has overtaken traditional SMS and e-mail. As a result, these social channels have become an attractive attack vector for spammers and malicious actors who are now abusing it for illicit activities like delivering spam and phishing messages.

Therefore, in this work, we aim to detect cybercriminals / spammers that use phone numbers to spread spam on OSNs. We divide this thesis into 4 parts – (1) Understanding the threat landscape of phone attacks on OTT messaging applications leveraging information from OSNs, (2) Uncovering the spam ecosystem on OSNs and identifying spammers which contribute in spreading spam, (3) Evaluating the trustworthiness of current caller ID services and machine learning models that identify spam calls / spammers, (4) Proposing a robust phone reputation score for identifying spam phone numbers on OSNs. We first focus our attention on understanding various ways in which spammers can attack OTT messaging application users by leveraging information from OSNs.

To understand the effectiveness of such attacks, we do an extensive online crowdsourced study to identify highly impactful phone based attack. Further, we list down the factors that govern why a user falls to phone based attack on OTT messaging applications. Our analysis revealed that social phishing attacks are most successful to lure victims. In addition, victims are deficit in regulating OTT messaging applications usage, hence vulnerable to attacks.

Next, we identify and characterize the spam campaigns that abuse a phone number on OSNs. We create ground truth for spam campaigns that operate in different parts of the world like Indonesia, UAE, USA, India, etc. By examining campaigns running across multiple OSNs, we discover that Twitter detects and suspends _93% more accounts than Facebook. Therefore, sharing intelligence about abuse-related user accounts across OSNs can aid in spam detection. According to our 6 months dataset, around _35K victims and _$8.8M could have been saved if intelligence was shared across the OSNs. In addition, we analyse the modus operandi of several campaigns to understand the monetization model of spammers behind such attacks. Finally, we compare the characteristic behavioral difference between the spam and legitimate phone based campaigns.

We further look at the effectiveness of caller ID applications that identify an incoming phone call as spam. These applications are vulnerable to fake registration and spoofing attacks which make them inefficient in correctly identifying spammers. Further, we explore that supervised machine learning models to identify spammers are prone to manipulation, therefore, not a reliable solution.

To build a robust solution to uncover spammers, we model OSNs as a heterogeneous network by leveraging various interconnections between different types of nodes present in the dataset. In particular, we make the following contributions – (1) We propose a simple yet effective metric, called Hierarchical Meta-Path Score (HMPS) to measure the proximity of an unknown user to the other known pool of spammers, (2) We design a feedback-based active learning strategy and show that it significantly outperforms three state-of-the-art baselines for the task of spam detection. Our method achieves 6.9% and 67.3% higher F1-score and AUC, respectively compared to the best baseline method, (3) To overcome the problem of less training instances for supervised learning, we show that our proposed feedback strategy achieves 25.6% and 46% higher F1-score and AUC respectively than other oversampling strategies. Finally, we perform a case study to show how our method is capable of detecting those users as spammers who have not been suspended by Twitter (and other baselines) yet. We finally use spammer metrics to design a phone reputation service, called SpamDoctor 1 that can flag a potential bad phone number.

In conclusion, this thesis aims to bring out methods to detect spammers abusing phone numbers on Online Social Networks. We propose methods to give a reputation score to phone numbers such that the score is tolerant against external manipulation. To summarize, the research contributions of this thesis are - (1) Building automated framework to evaluate the effectiveness of phone based attacks on OTT, (2) Building automated detection method to identify phone based spam campaigns and the users behind it, (3) Evaluating the trustworthiness of current caller ID services to detect spam calls, (4) Supervised detection method to identify spammers and building SpamDoctor to flag phone numbers abused on OSNs.