Caller ID Spoofing

The basic principle behind caller ID spoofing is to change the information that is shown on the caller ID display. Several of the points discussed in this framework under authority state that we can use authority and/or commitment to influence a person. An even stronger lever is credibility. Building credibility can make or break a successful social engineering attack.

Caller ID has become a commonplace technology in both business and home use. Especially with cell phones replacing many of the phone lines people use, caller ID is part of our daily life. Being aware of this fact and how to use it to your advantage is a must for a successful social engineer.

Useful Situations for Caller ID Spoofing

Caller ID spoofing can be used in a social engineering situation to display that a call is coming from:

  • A remote office
  • Inside the office
  • A partner organization
  • Utility/service company (telephone, water, Internet, exterminator, etc…)
  • A superior
  • Delivery company

SpoofCard

One of the most popular methods of caller ID spoofing is the use of a SpoofCard. After purchasing one of these cards, you call the 1-800 number, enter your PIN, then the number you would like the caller ID to display, and then the number you would like to call.

Pros

  • Simple
  • No extra hardware or software needed
  • Proven service with thousands of customers

Cons

  • Costs extra money

Asterisk

If you have a spare computer and a VoIP service, you can also use Asterisk to spoof caller ID. Some information about this method can be found here and here.

Pros

  • Free

Cons

  • Extra computer or VM needed
  • Linux knowledge required
  • Current VoIP service / provider

SpoofApp

For cell phones such as the iPhone, Android, or BlackBerry, you can look at SpoofApp. SpoofApp uses the SpoofCard method mentioned above but bundles the features into a package on your cell phone.

Voicemail

One of the major attacks that can be launched using cell phone number spoofing is listening to voicemail.

Many people turn on a feature that allows them to enter their voicemail without having to enter a password. If an attacker were to obtain the victim's cell phone number and spoof it, the voicemail systems of many major carriers would allow them to access that voicemail and listen to the saved messages. This could, of course, expose very important and confidential matters to the attacker.
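
From the defender's side, two of the cases above (a call displayed as coming from inside the office, and voicemail opened on caller ID alone) can be looked for in call records. The following is an added example, not part of the original page; it assumes an organization-run PBX whose call records note the ingress trunk and whether a PIN was verified, and the column names, trunk name, number block and sample rows are all constructed.

```python
import csv
import io

# Constructed sample call records (not from the page). Assumed columns:
# time, ingress trunk, presented caller ID, dialed number, PIN verified.
SAMPLE_CDR = """time,trunk,caller_id,dialed,pin_verified
2024-01-08T09:01:12,internal,5550100,5550142,no
2024-01-08T09:14:40,pstn-in,5550142,5550199,no
2024-01-08T09:20:03,pstn-in,2025550171,5550199,yes
2024-01-08T09:31:55,pstn-in,2025550171,5550120,no
2024-01-08T09:47:18,pstn-in,5550107,5550120,no
"""

OWN_PREFIX = "55501"           # assumed: number block owned by the organization
VOICEMAIL_ACCESS = "5550199"   # assumed: voicemail retrieval number
EXTERNAL_TRUNKS = {"pstn-in"}  # assumed: trunks carrying calls from outside


def flag_suspicious(cdr_text):
    """Return (time, reason) pairs for calls whose caller ID needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        external = row["trunk"] in EXTERNAL_TRUNKS
        claims_internal = row["caller_id"].startswith(OWN_PREFIX)
        # An internal number should not normally arrive over an outside
        # trunk; the display alone is not proof of origin.
        if external and claims_internal:
            findings.append((row["time"], "internal caller ID on external trunk"))
        # Mailbox opened from outside with no PIN: caller ID was the only check.
        if (external and row["dialed"] == VOICEMAIL_ACCESS
                and row["pin_verified"] == "no"):
            findings.append((row["time"], "voicemail opened without PIN"))
    return findings


if __name__ == "__main__":
    for when, reason in flag_suspicious(SAMPLE_CDR):
        print(when, reason)
```

Legitimate call forwarding can also trip the first rule, so treat the findings as items for review; requiring the PIN on every voicemail access removes the second case entirely.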

Unmasking Caller ID

On the other side of caller ID spoofing, there are some methods to help you find the actual source of a call. Kevin Mitnick gave a talk at The Last Hope in which he demonstrated a method for “Unmasking Caller ID”. The demo and talk about “Unmasking Caller ID” start approximately 25 minutes into the video.

Video of Kevin Mitnick “Unmasking Caller ID”
Original source: YouTube.