One Expert, One Topic — Alex Bobotek talks Pig Butchering

For almost 30 years, Alex Bobotek has dedicated himself to safeguarding the integrity of mobile communications. A pivotal figure in the Messaging, Malware, Mobile Anti-Abuse Working Group (M3AAWG), he is a past Chairman of M3AAWG and a recipient of the Mary Litynski Award for lifetime contributions to combatting online abuse. During his tenure at AT&T, Alex has consistently been a leader in industry efforts to identify emerging threats and protect consumers and wireless networks from them, helping such measures become standard industry practices.

A recognized industry authority, Alex combines his professional expertise with personal convictions. As a practicing vegan, it is not incongruous that he talks about the looming threat of Pig Butchering (slow, sinister cons) in the age of AI. 

About The Series

This is the third installment in the “One Expert, One Topic” series, where field experts select a topic and share essential insights. This is an interview presented in written form, edited for brevity, allowing you to absorb the topic in less time. Enjoy! 

Q&A

TJ:

Welcome Alex, before we start discussing Pig Butchering, can you give us a quick intro about yourself? 

Alex:

I’ve been working in controlling messaging abuse, particularly spam and phishing in mobile text messaging, at AT&T for nearly 25 years, and have been working in M3AAWG as the chairman or co-chairman of the mobile technical committee, telephony abuse SIG, and various other groups. I’ve spent most of my time in the last few years fighting text messaging abuse in all forms in every way I can, whether it’s through collaboration, developing technology, working with filter vendors, working with some of our policy teams in DC, as well as government and industry partners to try to figure out how we can collaboratively address the spam problems.

TJ:

Before we dive into pig butchering and its origins, could you share how you started in this field and what excites you about your work?

Alex:

Well, what excites me about the work is fundamentally that it’s helping people. The work that we’re doing is helping to secure what is probably the most impactful new technology of the last three decades, the mobile phone, or the early mobile computer as it is today. The smartphone is more than just a phone. And openness in any kind of communications inevitably invites abuse, going all the way back to Roman times. My goal is to try to keep these channels of communication as open and accessible as possible. And that means trying to preserve trust, trying to block the bad messaging, the malicious messaging, while not standing in the way of legitimate traffic.

Technically, it’s very challenging in many ways. One can go as deep into almost any aspect of the technology as one wants, from machine learning to computational linguistics, probabilities, infrastructure development, systems architecture, policy. So there’s a very broad range of activities and a continuing set of new challenges. It’s really warfare. We’re at war with the bad guys, and every day there are new battles, new challenges. So it’s very stimulating, exciting, provides a lot of opportunities, and there’s also a lot of satisfaction. You have some really good days where you find an attack, figure out how to defend against it effectively, deploy defenses, and see how many people have been saved from malicious attacks.

TJ:

How would you explain pig butchering to someone completely new to spam fighting?

Alex:

Pig butchering is a literal translation of a Chinese name for a type of long con. It’s analogous to raising a pig and then performing a slaughter at the end, where the fruits of this long grooming process are harvested. In practical terms, the object is generally cryptocurrency. It was earlier most prevalent on dating sites where people who were motivated to engage in relationships developed trust which was then exploited. And then we saw the shift to text messaging, where we see a rather long con where the first message may start with a word like ‘hello,’ ‘hi,’ or a phrase like ‘how are you?’ It may be as simple as a picture of a bottle of wine.

Basically, any kind of message that has a positive social intent, like ‘I’d like to do something with you’ or ‘exchange messages with you’ may be used.  And very often, the sender pretends that they accidentally contacted you, but since you’re such a nice person, they’d like to continue the conversation. In text messaging, we see it typically start on text messaging, but the attacker quickly tries to move the conversation off to Telegram, WhatsApp or some other application, which is generally lower cost for one thing and potentially less-well policed than text messaging. And what we’ve seen most commonly is some sort of crypto advice, encouragement to become a crypto investor, all the help you need, with their goal being to have it end with somebody transferring a large amount of cryptocurrency to a fake exchange, which is really their own crypto wallet.

TJ:

How do people get targeted by these scams, and should I be worried if I receive one? Does it mean my information is on the dark web, or are they just randomly selecting phone numbers?

Alex:

I don’t know that there’s any one method. There are many attackers, many different organizations, and individuals using these techniques. Should you be concerned? Yes. Somewhere between 20 and 40% of the attacks that I’m seeing seem to be pig butchering. It’s somewhat insidious; it’s hard to defend against technically. Are you targeted? Clearly, your profile, if I profile ‘TJ,’ I’ll find you, and I could score what I find to try to assess whether you’d be a good target or not. But clearly there’s no one targeting method. 

Demographically, of course, they want somebody that has significant money; they’re not after $100 as it takes a significant amount of effort. And currently, it’s human effort. And we should talk at some point about AI replacing the humans that are doing it today because that could be a game changer … I think that there are some demographic incentives to go after people with a little more money, perhaps desperate people, vulnerable people, people who can be conned. And undoubtedly, I know there are some sucker lists that robocallers have been using. I don’t know if they’re using any of these robocaller sucker lists today.

TJ:

So you give us a lot to click down on. What is a robocall sucker list?

Alex:

A sucker list is a list of people who have fallen victim, perhaps repeatedly, to various scams. And clearly, not all individuals are equal here. There are the elderly, there are people who just are susceptible to being conned, people who want to believe, people who are desperate, people who are lonely, and people who may not have the sense of suspicion and caution that they once had. And that’s notable in almost every form of abuse. The elderly are more often falling victims to many of the scams. There are lists of people who are more vulnerable, and often attackers use what they call “sucker lists.”

TJ:

What is the modus operandi of those initiating pig butchering scams, and are there any patterns or footprints that indicate a scam is underway?

Alex:

There most definitely are patterns, and I had a really huge aha moment. One particular network was the source of most of this abuse, likely because they offer web texting accounts with no recurring costs; they’re basically free accounts. I started cataloging the different conversation-opening messages in customer complaints and noticed patterns. And actually, something like 40% of them were the word ‘hi’ at one time. Whereas on a network that wasn’t a source of pig butchering, there were almost none of these messages in customer complaints.  It was amazing.  

And the same goes for other similar expressions: ‘How are you doing?’ ‘Let’s have dinner tonight.’ ‘Can we play tennis this afternoon?’ These seemingly innocuous phrases that were often complained about on a network known to be originating pig butchering were almost unheard of on other networks. So it became clear to me, this is not random. When you have 60 complaints on one network that’s 10% of the size of a larger mobile network, and not even two complaints about that text on the larger network that isn’t the source of these, that’s something worth a deeper look.  That was an ‘aha’ moment.  

These phrases are not innocuous, and there are patterns. And these patterns change every day. One day we might have 20% of the messages being ‘Let’s play tennis tomorrow.’ Some days one particular message may be less than 2%. Some days the most common message may be a picture of a bottle of wine. Yes, there are patterns, but they all have one thing in common: they’re intended to start a conversation. So that’s a first clue that there’s some kind of conversation, positive social intent from someone you don’t know.

And they may say, ‘Is this Mike?’ And if you respond, ‘No, this is George,’ or whatever your name is, and they come back at you with some sort of excuse for why they’re contacting you like, ‘Well, you seem like a nice person. I like the way you graciously responded. Can we chat?’ Or something like that with an extreme desire to converse. Most people, if they send you a message and it’s found the wrong inbox, might apologize and end it there. In fact, any kind of out-of-the-blue message from somebody you don’t know is a pretty strong clue right now.

TJ:

Have you encountered a pig butchering scam that impressed you with its cleverness, showcasing a sort of devious genius in its execution?

Alex:

Well, one of the things that impresses me is the size of their catalog of opening messages; they’re huge. On a single day, you may see 8,000, 3,000, 8,000, 10,000 different unique messages that are all conversational openers. And they’ve really adapted to some of the techniques that I’ve used to defend and diversified their attack methods. There are still patterns. A most important aspect is that these are coming from people with whom you have no conversational history. And that’s the first clue to the defenders, people running filters in the middle, as well as to the recipient. Messages from strangers are now suspicious and dangerous.

And getting back to what I said earlier, we really seek to have, my ideal communications medium is one where anybody can reach anybody. Our telephone system used to be a way where two people who didn’t know each other could connect. We’ve lost much of that with robocalls because now many people don’t answer calls from people they don’t know. And I think we’re starting, there’s a thread here to the text messaging ecosystem where we’re probably losing, or there’s a threat of losing, our willingness to respond to communications from people who might be well-intentioned, people who we might want to communicate with but reject because they’re coming from an unknown source. This is a threat to that openness and accessibility that we seek to preserve in the ideal communication system. So it’s an attack like we’ve never had before in that way.

TJ:

And you brought an interesting point about the fact that they’re evolving in their dynamic, in their approach and the open rates. How do you think AI will change that, both the way they’re attacking the network and the way the network defends itself?

Alex:

That’s a great question. Today, most of the pig butchering attacks are run by real human beings, humans who very often have been trafficked; that is, these are basically kidnapped prisoners who are working with quotas and no pay; slave labor. They may be working in a sweatshop where they have a few automated tools, can click on computers rather than using phones, select from a category, whatever the technology. And I think AI is going to make it even cheaper. You can have conversations. People have to be kidnapped, guarded and provided room & board. AI will cost less.

I think it’s another thing, that’s another motivation for me fighting pig butchering when I realized that there’s a lot of human trafficking and ripping off people’s lifetime savings rather than cheating you out of $50 or so. This is today a really terrible crime. And the way that it impacts both the victims, well, there are two victims:  victims that are doing the cons under prison conditions as well as the people who are losing their money. But I think some of that’s going to go away as AI becomes a cheaper and more scalable way, and perhaps less subject to raids. As it becomes less costly to have a seemingly-human conversation, I think we’re going to see growth. The conditions are right for seeing a growth in conversational spam.

Defense, yes, AI can help defend also, but I think that it’s one of the very many upcoming areas where we’re seeing just incredibly rapid evolution. I haven’t seen a lot of chatbots, and we all use commercial chat, sometimes websites try to get us into a chat, and the last thing they want to do is get us to a human. Why? Because humans are expensive. But the commercial chatbots  I’m seeing today are pretty easy to discern from a human. They don’t pass the Turing test. As AI evolves, that may start to change.  We’re going to see much more human-like conversations. And I think it’s going to become much more difficult for humans to discern. 

One of the clues to me that I use in defense is that some of the attackers seem to be using a catalog of up to several thousand opening phrases, but they use them over and over again. With AI, the ability to diversify and increase the number of permutations and the effective size of the catalog, I think, is going to grow. Some of the techniques that we’re using today that depend on repetition are going to start to fail as it becomes more cost-effective to use generative AI, which may be generating unique phrases for every message, using less of a script.

TJ:

Which brings me to the other side of the same question: If the attackers are using generative AI for pig butchering scams, how can the network defend itself against such tactics?

Alex:

That’s a great question. There certainly are many ways that we can defend. And especially in text messaging, access to accounts is generally not free. Yes, there are some free accounts, but there’s still some cost in getting them. So, one of the things we can do is target, rather than individual message content, the identity, the originating phone number, or perhaps the account. We need to do more than filter messages. And that’s an interesting point about text messaging in general, which we can go into at some other time, that most of the attacks come from phone numbers that are controlled and being used exclusively for malicious purposes. So, if we can identify the sources rather than focusing on particular individual message content, we’re going to do better. That’s one aspect.

The attacks typically begin by outreach to a party with whom there’s no conversational history. This suggests that graph analysis methods might be very interesting. Any indication or signal that this is a new conversation with someone with whom there’s no conversational history is very important. And if there’s multiple outreach, a phone number being used to address many new people with whom there’s no conversational history, it’s very likely. 

Which brings us to analysis of intent. This is a great application for AI in defense, whether the attacker is human or AI.  The attacks begin with a clear intent to start and maintain a conversation.  Scoring whether a message encourages or discourages further positive social interaction is not particularly challenging for AI.  Later in a conversation there may be intent to switch media, gain information related to financial status and investments.  Identifying intent and mapping changes is something we do, and now AI can do almost effortlessly.   We’re already using advanced machine learning in defense.  Richer AI is a next step.  

And we can also rely on customer complaints. You can fool some of the people some of the time. But I have yet to see a scam where most of the people could be fooled most of the time. So, relying on these human brains, the millions and millions and millions of human brains that are receiving these messages, to help us identify the sources and the content is very powerful. And that’s true not only in pig butchering but in any type of messaging abuse detection. Humans are generally very good at it. Keep in mind that if these scams work 2% of the time, the attackers are having phenomenal results. If the other 98% are helping us identify attacks, we can put up a great fight.

TJ:

Could you share any best practices, what excites you about this field, where people can learn more, and most importantly, how they can protect themselves from pig butchering scams?

Alex:

Technology-wise, we’re going to see a lot more development in machine learning and AI. My main technical thoughts here are that we need to evolve our defenses to focus more on longer-term behavioral analysis. Just policing individual messages isn’t going to work. That’s where the technology needs to go. Machine learning is a very broad term, and the key to most machine learning is finding the right parameters to base the learning upon. And here, intent is very powerful, as well as a history, conversational history. So, I think that there are some very significant changes we need to make in our defense architectures to be more effective.

As a user, I think it’s most important to just be aware that these scams are present, and anything that seems too good to be true may well be. Be suspicious. Why is somebody contacting you? And perhaps they’re just trying to drive you to Telegram where they, or somebody else, apparently another account, is going to send you all kinds of Bitcoin or cryptocurrency investment ‘opportunities.’ It doesn’t have to be cryptocurrency, anything. Just keep your guard up. If there’s something that seems too good to be true, if there’s something out of the ordinary, be suspicious.

This is remarkably similar to a con where I was invited to a tea shop on the street while abroad touring. A friendly person met a friendly person on the street; let’s go have tea. I racked my brain. Something wasn’t right here. I racked my brain trying to figure out how there could possibly be a scam. It took me reading a newspaper article a couple of days later to realize they were in cahoots with a tea shop and that I probably wasn’t going to get out of that tea shop without a few hundred dollars on my credit card. But the point is, keep your guard up. If something seems out of the ordinary, be suspicious and protect yourself. Hold onto your wallet.

TJ:

So basically what we do in the real world applies more so in the virtual world as well.

Alex:

This is ubiquitous in cyberspace. It’s wonderful that we have open communications media allowing us to reach billions of people across the planet. But with this increased access comes risk, and we have to keep our guard up.

TJ:

Thank you, Alex. 

Alex:

Sure. That’s a vegan on pig butchering.

TJ:

Love that. Let’s end on that note. 
Disclaimer:  The opinions and statements expressed by Alex Bobotek are his own, and may not reflect official positions of AT&T or M3AAWG.