A clever, albeit annoying, example of caller ID spoofing recently hit Delaware's largest city, Wilmington. Caller ID spoofing can range from pesky marketing calls to far more serious confidentiality breaches that could result in identity theft and the associated financial pain -- not to mention the laborious chore of clearing your name. Spoofing can even lead to serious bodily harm and death. Let's start with the pesky phone calls.
For those of you who are too young or not up on all the one-hit wonders of the 1980s, there was a little song by Tommy Tutone called Jenny, perhaps more commonly known as 867-5309. I admit it. I called the number. Jenny never answered, but some 20 years later, Jenny started placing some calls of her own in the wee hours of the morning in Wilmington. Those who answered Jenny's call were met with a recorded message from a mortgage refinancing company.
What is caller ID spoofing?
Jenny and her famous telephone number do not exist within Delaware's 302 area code. Enter caller ID spoofing. This is very much like email spoofing. Nefarious ones, and/or telemarketers, can make it appear as though a message is originating from any email address they choose. The same principle applies to caller ID spoofing. A call can be made to appear to come from any phone number the caller picks.
Caller ID spoofing is nothing new. It has been around as long as caller ID. It was first used by businesses with PRI (Primary Rate Interface) telephone lines. Essentially, a business with one PRI line could support up to 23 unique phone numbers and make calls from each of those appear to have originated from a single phone number, most likely the company's main number. Innocuous enough -- that is, until the phreaks entered the scene.
By 2000, phreaks were playing a game they tagged "orange boxing." Orange boxing was a rather crude way of spoofing that typically employed software that imitated a caller ID signal by pushing a series of tones through during the first few seconds of a call. This technique was iffy at best.
VoiceXML provided the foundation for slightly more sophisticated and reliable spoofing techniques. VoiceXML applications are programmable like websites and thus can be programmed to act like PBXs. Since VoiceXML service providers are connected to PRIs, phreaks took advantage of the more dynamic VoiceXML platform by mimicking PBXs. Though an improvement over orange boxing, VoiceXML still did not permit the infallible, consistent caller ID spoofing serious phreaks sought.
Spoofing for sale
According to a 2004 New York Times article by Ken Belson, "Citing threats, entrepreneur wants to quit caller ID venture," Jason Jepson launched a spoofing company, Star38, and sold the company a mere three days later.
Star38 was a service that permitted users to call people or businesses for a fee and appear to be anyone the customer chose, calling from any number they chose at any time they chose.
Jepson apparently never secured any real customers but claimed to have stirred up a lot of interest in the service – both positive and negative. The negative attention, which even included death threats, coerced Jepson into shutting down Star38.
Allegedly, Jepson was denounced and forced out of business by hackers and phreaks for selling out -- a cardinal sin among the high-tech counterculture, especially among phishers (those who fraudulently use email and caller ID spoofing to obtain confidential information from unwitting victims).
Threats against Jepson and his family and the subsequent shutdown of Star38 did little to dissuade other startups from offering similar services. Companies like Camophone, CallNotes.net, PiPhone.com, SecretCalls.net, StayUnknown.com, SpoofTech.com, SpoofTel.com, SpoofCard and Telespoof started cropping up all over the Web.
SpoofCard is still around today and is arguably among the most widely recognized caller ID spoofing companies. The company, however, describes itself as "a provider of enhanced calling card services" rather than a caller ID spoofing service.
Celebrities spoof too!
In August 2006, the provider of enhanced calling card services announced that it had terminated the accounts of more than 50 customers who used the SpoofCard service to obtain unauthorized access to voicemail accounts on a national mobile telephone network. Many of the terminated customers and the victims whose mailboxes were accessed were well-known celebrities.
Paris Hilton was allegedly one of the many celebrities cut off from using SpoofCard because of misuse of the service. Reportedly, Miss Hilton used, or rather misused, her account to anonymously harass her on-again, off-again BFF Lindsay Lohan and to gain access to Miss Lohan's voicemail account.
Paris, in a karmic twist, was herself a victim of a hacker. The hacker allegedly called Paris and posed as a technical-support person from her mobile carrier and convinced her to give him her password. He was then able to access her voicemail account.
Caller ID spoofing gets dangerous
Having your voicemail invaded is one thing, but what if your home were unexpectedly raided by local police or swarmed by a SWAT team? Some phreaks are using caller ID spoofing to call 911 as an elaborate means to harass or prank unwitting individuals.
Here's how it works. The phreak calls a 911 dispatch claiming to have an intruder in his home, or even worse, claiming to be in a hostage crisis. Keep in mind that phreaks can call any police dispatch within the U.S., Canada and Puerto Rico from any location and appear to be calling locally. This type of spoofing, like Ashton Kutcher's Punk'd on steroids, is dubbed "swatting."
Swatting is precisely what Stuart Rosoff of Cleveland pleaded guilty to in November 2007. According to court records, Rosoff worked with an erudite team of phreaks to acquire "telephone numbers, pass phrases, employee identification numbers, and employee account information used by the conspirators by various means, including through 'social engineering' or pretexting of telephone calls to telecommunications company employees, 'war dialing,' trafficking in pass phrases and access information with other phone 'phreakers,' etc."
A group of co-conspirators in Rosoff's circle of phreaks went so far as to spoof the phone number of the father of a woman with whom one of the group members had become acquainted in a chat room frequented by phreaks and the like. A co-conspirator spoofed the father's phone number and placed a call to the police department in Alvarado, Texas, pretending to be the woman's father.
The caller falsely confessed to the police dispatcher that he was under the influence of hallucinogenic drugs, was holding hostages and had already shot and killed some family members within the household. He demanded a $50,000 ransom in return for the safety of the remaining hostages and transportation across the border to Mexico. If the ransom demands were not met, he would kill the remaining hostages with the AK-47 he claimed to have in his possession.
Swatting is costly and dangerous and is draining precious state and federal resources. It's also leaving unsuspecting families feeling violated in their own homes. One swatting incident, reported in the OC Register, happened in the home of a couple with two toddlers. SWAT officers with assault rifles, trained police dogs and a police helicopter surrounded the family's home.
Naturally the ruckus woke the couple. The husband, looking for the source of the noise, surveyed his home and yard armed with a kitchen knife. SWAT officers assumed the armed homeowner to be the reported perpetrator. Though this incident did not result in any physical injuries, SWAT could have reasonably shot the armed man. In the confusion, the father could have unknowingly harmed a SWAT officer in defense of himself and his family.
It doesn't take much imagination to speculate how such a situation could quickly escalate, resulting in critical injuries, even death. Though no one suffered any bodily harm in this case, the psychological impact will no doubt haunt the family for some time to come.
Though swatting incidents have reportedly been targeted primarily at private residences, swatting an enterprise-size business could domino into any number of devastating circumstances, including a perceived terrorist attack.
How can caller ID spoofing affect businesses?
Acquiring pass phrases, employee account information and identification numbers can be likened to having the combination to the safe that holds a company's most valuable resource – its data.
To access this valuable data, phreaks employ social engineering to imitate someone they deem important or one who has access to the information they're seeking. Social engineering is based on the theory of cognitive biases. Essentially, phreaks are using basic human psychology to identify patterns most of us rely on when making decisions in any given situation.
Help desks offer a good example of how this technique plays out. Phreaks will call a help desk with a fabricated problem. Typically, help desk staffers unsuspectingly offer solutions to the problem. After all, the call is originating from a trusted source, according to the caller ID, and help desk staffers are paid to solve problems efficiently and move on to the next. And, in a matter of moments, phreaks have accessed important priority information.
Pretexting is a spin-off of social engineering whereby phreaks create a situation designed to elicit specific information. Phreaks will pretend to be a person who is authorized to access data such as a customer's social security number, his mother's maiden name, and so on. Pretexting can also be used for corporate espionage. Someone with a modicum of acting skills and who is quick on his feet can usually get the information he wants by leveraging the unsuspecting person's innate instinct to help solve a problem -- especially when that person thinks he is talking to a trusted source.
Protecting yourself from caller ID spoofing
Guarding against caller ID spoofing is challenging simply because we've come to trust caller ID so much. We see a familiar name pop up on our caller ID, and we pick up the line. There are some commonsense approaches everyone should adopt to guard against the doling out of valuable information.
- First, protect your voicemail with a password.
- Second, give information out only to people you know, people whose voices you recognize.
- Third, don't accept calls from credit card companies or banks that are asking for credit card numbers or bank account information. If you are dubious about the intentions of the caller, ask for his number and call back.