Phone Based Social Engineering Tools: Caller ID Spoofing
From Learn to be a true Social Engineer
Caller ID has become a commonplace technology in both business and home use. With cell phones replacing many of the phone lines people use, caller ID is part of our daily life. Being aware of this fact and how to use it to your advantage is a must for a successful social engineer.
The basic principle behind caller ID spoofing is to change the information that is shown on the caller ID display. A few of the points discussed in this framework under authority state that we can use the idea of authority and/or commitment to influence a person. An even stronger presence is the use of credibility. Building credibility can make or break a successful social engineering attack.
Caller ID spoofing can be used in a social engineering situation to make a call appear to come from:
- A remote office
- Inside the office
- A partner organization
- A utility/service company (telephone, water, Internet, exterminator, etc.)
- A superior
- A delivery company
One of the most popular methods of caller ID spoofing is the use of a SpoofCard. After purchasing one of these cards, you call the 1-800 number, enter your PIN, then the number you would like the caller ID to display, and then the number you would like to call.
- No extra hardware or software needed
- Proven service with thousands of customers
- Costs extra money
- Extra computer or VM needed
- Linux knowledge required
- Current VoIP service / provider
For cell phones such as the iPhone, Android or the BlackBerry, you can look at SpoofApp. SpoofApp uses the SpoofCard method mentioned above but bundles the features into a package on your cell phone.
One of the major attacks that can be launched using cell phone number spoofing is listening to voicemail.
Many people turn on a feature that allows them to enter their voicemail without having to enter a password. If an attacker were to obtain the victim's cell phone number and spoof it, the voicemail systems of many major carriers would allow them to access that voicemail and listen to the saved messages. This could, of course, release very important and confidential matters to the attacker.
Unmasking Caller ID
On the other side of caller ID spoofing, there are some methods to help you find the actual source of a call. Kevin Mitnick gave a talk at The Last HOPE in which he demonstrated a method for "Unmasking Caller ID". The demo and talk about "Unmasking Caller ID" starts at approx. 25 minutes and can be found here.
- http://www.social-engineer.org/wiki/index.php?title=Authority
- http://en.wikipedia.org/wiki/Credibility
- http://www.spoofcard.com/
- http://www.asterisk.org/
- http://social-engineer.org/wiki/archives/CallerIDspoofing/CallerID-SpoofingInfo.html
- http://social-engineer.org/wiki/archives/CallerIDspoofing/CallerID-SpoofingWithAsterisk.html
- http://www.spoofapp.com/
- http://www.social-engineer.org/wiki/index.php?title=Caller_ID_spoofing#SpoofCard
- http://en.wikipedia.org/wiki/Kevin_Mitnick
- http://en.wikipedia.org/wiki/H.O.P.E.#The_Last_HOPE
- http://video.google.com/videoplay?docid=417390258297273732&ei=aWldStnXEozMqAK73oAx&q=kevin+mitnick+last+hope#25m0s