>The rapid-fire dialing of numbers also indicates that the user had a list of targets at the ready, and a specific focus on schools, law enforcement agencies, fire departments and emergency dispatchers. Together, these accounted for 92% percent of the places that the VOIP number called.
Hundreds of calls all across the country in short bursts, focused on a few states at a time. Whatever it is, it was an intentional campaign. I would think a state actor or state-associated actor (if that's an important distinction) might do it as part of a campaign to exploit existing cultural stressors.
I know from my experience on the east coast that multiple additional calls have occurred since Oct 21.
This article claims that the hoax calls must be someone operating out of Ethiopia, based on IP address geolocation. This is wrong; the attacker is almost certainly somewhere else, proxying their traffic through a random compromised computer. Attributing cybersecurity incidents this way basically never works; if someone is doing major cybersecurity mischief, this implies they have both the skills and the motivation to set up a proxy like this.
Is there some form of Gell-Mann Amnesia effect here? This doesn’t seem true:
> For instance, Mack noted that on the day her office received the false bomb alert, the caller stayed on the same IP address through hundreds of calls they made over several hours.
> "A VPN will generally change by itself, whether you log in or out, about every 30 seconds," she said.
Note: This is a US (and Canada) based answer. Things can be quite different elsewhere, especially if you need to interact with landlines. It looks like the rest of the world is probably going to end up adopting some version of STIR/SHAKEN eventually but adoption is going to be limited for now if you need a phone number that doesn't start with +1.
You can block based on STIR/SHAKEN attestations, and have a blocklist of calling carriers, but you'll have to run your own PBX and SIP trunk to do it. That's not too big a lift anymore, at least.
You would probably also have to block all C attestations and unattested calls though, which is going to lose international calling and some older domestic phone systems.
So - yeah, you can kinda do this now, and will be able to do it more in the future, but keep in mind that carrier level blocking like this is the equivalent of null routing entire ASNs.
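An added example, not part of the thread: one way a self-hosted PBX could apply the policy described in the comment above (drop unattested calls, drop C attestations, drop blocklisted signers) to the SIP `Identity` header. It assumes the PASSporT signature was already verified upstream; the blocklist keyed on the `x5u` certificate URL, the function names and every sample value are constructed for illustration.

```python
import base64
import json

# Hypothetical blocklist keyed on the signing certificate URL (x5u), used here
# as a stand-in for the signing carrier's identity.
BLOCKED_SIGNERS = {"https://certs.blocked-carrier.example/sti.pem"}

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def parse_identity(header_value):
    """Split an Identity header value (RFC 8224) into PASSporT header and claims."""
    token = header_value.split(";")[0].strip()
    jose, claims, _signature = token.split(".")
    return _b64url_json(jose), _b64url_json(claims)

def decide(identity_header):
    """Return (action, reason). Assumes the signature was verified upstream."""
    if not identity_header:
        return "block", "unattested"
    try:
        jose, claims = parse_identity(identity_header)
    except ValueError:  # bad base64, bad JSON, or wrong segment count
        return "block", "malformed Identity header"
    if jose.get("ppt") != "shaken":
        return "block", "not a SHAKEN PASSporT"
    if str(jose.get("x5u")) in BLOCKED_SIGNERS:
        return "block", "signer on blocklist"
    attest = claims.get("attest")
    if attest not in ("A", "B"):
        return "block", f"attestation {attest}"
    return "allow", f"attestation {attest}"

def sample_identity(attest, x5u="https://certs.carrier.example/sti.pem"):
    """Build a constructed, unsigned Identity header value for the demo."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    jose = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": ["12025550123"]}, "iat": 1700000000,
              "orig": {"tn": "12025550100"}, "origid": "123e4567-e89b-12d3-a456-426614174000"}
    return f"{enc(jose)}.{enc(claims)}.c2ln;info=<{x5u}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    for level in "ABC":
        print(level, decide(sample_identity(level)))
    print("none", decide(None))
```

A decoded claim is only as trustworthy as the signature check in front of it, so this logic belongs after verification, not in place of it.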
> You can block based on STIR/SHAKEN attestations, and have a blocklist of calling carriers, but you'll have to run your own PBX and SIP trunk to do it. That's not too big a lift anymore, at least.
Wow thanks very much for your response!
I have this. What carrier provides this metadata in the SIP headers? AT&T doesn't. I used to be able to obtain ANI/RPID fields on our circuit-switched lines, but I get very limited metadata now. What do I need to ask for?
I understand the implications of this type of blocking, and I give absolutely zero fucks. I should have more ability to determine whether or not I want to take the call traffic or not.
One motive I can see is to inflate the reports of school shootings. How often is news reported, then "if" there is a debunking, in print it's inside the back page whereas the initial report was a lead on the front page. Starting a story is much harder than stopping a story, especially when motivation is considered.