Phone Spoofing

hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
Topic starter  

kmau,
Ok, so after trying to soak up some of what you mentioned I'm understanding that when one makes a call there are two numbers that are actually being transmitted: a CNID and an ANI. If I am correct it is the CNID that is being spoofed, but the ANI cannot?

I'm now wondering when a number shows up as being called or received, what information did the service provider have access to in gaining the information. Was it the CNID, ANI or a combination of both? What sort of data do they use to verify the actual number?

I sent a question similar to this to a contact at Verizon and Cricket. Both of them were out of town till next week, but I will post their responses when I get them.

Cheers,


   
ReplyQuote
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

ANI can be "spoofed" just as well as CNID.

It depends on the connection to the upstream CO.

If one orders a voice T1, or ISDN PRI, fractional or whole, in my experience it will also allow the sending of any ANI upstream. I tested this years ago using AT&T/Lucent/Avaya Definity, InterTEL, and even Asterisk. The upstream CO does not care, and will happily pass even out of area #s on to the destination.


   
ReplyQuote
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
Topic starter  

jhup,
You seem to know what you're talking about so I'll ask you. Can these spoofed calls be traced or are we basically out of luck?

Cheers


   
ReplyQuote
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

In my opinion, it is possible, but would require all the telephone offices in between the caller and called to agree to search for the information. I have never requested anything like this, but there might be an agreement or method already thought of for such a call.

Because each exchange keeps track of the routed call source and destination there are ways to match the actual calls from the DNIS, and the source - even if the ANI was fake.

The process would have to be initiated at the called terminal and work backwards from called local exchange, to called main exchange, to called international exchange to caller international exchange to caller's main exchange, to caller's local exchange.

You can get lucky, and intermediary pairs can be dropped.

Here is where you start . . . pick the right local exchange -


   
ReplyQuote
(@steveq98)
New Member
Joined: 15 years ago
Posts: 4
 

In my opinion, it is possible, but would require all the telephone offices in between the caller and called to agree to search for the information.

Not only that but you have to hope that all carriers involved actually stored the information. The closer to actual call time the information is requested the more likely it is available - but in my experience most major carriers only keep out-of-band signaling history up to 14 days, with the majority of mom and pops having no ability to store it at all. Any in-band signaling you have to hope it was contained in some fashion in the CDRs.


   
ReplyQuote
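The hop-by-hop traceback jhup describes, with the retention gap steveq98 raises, as an added example that is not part of either post. The record layout, exchange names, trunk id and the `trace_back` helper are constructed for illustration and are not any carrier's real format.

```python
from datetime import datetime, timedelta

T0 = datetime(2010, 1, 1, 12, 0, 0)  # constructed call time

def rec(offset_s, dnis, ani, came_from):
    """One constructed routing record as a single exchange might log it."""
    return {"time": T0 + timedelta(seconds=offset_s), "dnis": dnis,
            "ani": ani, "from": came_from}

# Constructed records. The ANI is the forged value at every hop, so it is
# never used for matching; only DNIS, time and the handing-over trunk are.
EXCHANGES = {
    "called-local": [rec(3, "5550100", "5551234567", "called-main"),
                     rec(40, "5550100", "5559990000", "called-main")],
    "called-main":  [rec(2, "5550100", "5551234567", "caller-main")],
    "caller-main":  [rec(1, "5550100", "5551234567", "caller-local")],
    "caller-local": [rec(0, "5550100", "5551234567", "line:trunk-17")],
}

def trace_back(exchanges, start, dnis, when, window=timedelta(seconds=5)):
    """Walk upstream from the called exchange.

    Returns (exchanges_confirmed, origin_or_None, note).
    """
    path, current = [], start
    for _ in range(len(exchanges) + 1):  # bound the walk against loops
        records = exchanges.get(current)
        if not records:  # carrier stored nothing, or retention expired
            return path, None, f"no records retained at {current}"
        hits = [r for r in records
                if r["dnis"] == dnis and abs(r["time"] - when) <= window]
        if not hits:
            return path, None, f"no matching call at {current}"
        best = min(hits, key=lambda r: abs(r["time"] - when))
        path.append(current)
        if best["from"].startswith("line:"):  # originating circuit reached
            return path, best["from"], "origin found"
        # Continue at the exchange that handed the call over, re-anchoring
        # the time window on this hop's own timestamp.
        current, when = best["from"], best["time"]
    return path, None, "routing loop in records"

if __name__ == "__main__":
    print(trace_back(EXCHANGES, "called-local", "5550100",
                     T0 + timedelta(seconds=3)))
```

With one intermediate exchange's records gone, the same walk stops at that hop and reports how far it got, which is the practical limit steveq98 points out.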
 kmau
(@kmau)
New Member
Joined: 15 years ago
Posts: 3
 

jhup,

I have never personally seen a provider allow you to set your own ANI (ATT, MCI, Broadwing, Level3, Global Crossing, McLeod, XO, etc.) unless you are a CLEC yourself. By design ANI is used for billing purposes, and the ability to set your own ANI would allow you to bill calls to any entity you want; this is obviously not wanted by the service providers as mass fraud would ensue. This can be easily determined by dialing a realtime ANI and realtime CNID announcement circuit.

To get around this and allow customers to set caller ID info they also allow the use of CNID, which entities with the necessary signaling requirements (PRI, VoIP, etc.) can utilize. More and more providers are starting to also limit the CNID that they will accept from a customer to the block they bought or just the BTN.

I agree with SteveQ98: out-of-band signaling history is kept for a limited period of time and is typically shorter than the CDRs that are published to customers.

hcso1510,
Yes, two numbers are transmitted. ANI is used by the telco for billing and is also sent on to 800 numbers if they subscribe to realtime ANI service, along with CNID if CNID data was sent.

The information that shows up depends on the call terminating provider and the equipment / configuration they are using. If ANI and CNID differ it's typically the CNID. If the ANI exists and CNID isn't available, depending on the CNID flags set the ANI may be delivered.

The service provider has whatever information is passed onto them from the originating carrier. They have ANI so they can bill back appropriately if necessary, along with the CNID if any was passed.

The problem lies in three areas: record retention, terminology used by engineers, and automated systems.

If the ANI records aren't maintained for a long enough time after billing you may be stuck with CNID data only.

Within the telco industry a lot of engineers assume when you say ANI, you actually mean CNID. This can lead to confusion until you can prove to them you understand exactly what you're asking for.

Automated systems used to pull reports such as CDRs (call data records) sometimes pull ANI data, sometimes pull CNID data; it's all hit and miss.


   
ReplyQuote
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
Topic starter  

I can see from some of the responses I'm going to have to take lessons on the side to keep up with the technology discussed on this board!
Today I went to telespoof.com for my free trial. I put in my office phone number, the number of the target hand set (mine) and the number I wanted to show up on the Caller ID of my hand set.
I was immediately called back from 888289153. I tried a Google Search and placed this number into the Search Bar with numbers 0-9 at the end and nothing jumped out at me in the results each time I checked it.
When I picked up the phone I pressed 1 and my handset was called. The Caller ID on my phone/target displayed 555-123-4567. I talked for a few seconds and hung up. I then had the accounts manager get me a printout of my call activity. The records showed a call for 1 minute, but there was no number associated with it. During an hour and a half period I apparently had several calls that didn't register. Later I received several 1 minute calls that did. There were calls I received within the Verizon network and some from outside. I also tried this spoof test late in the day and the call went to my voice mail. I tried to make sure I kept the connection going for at least two minutes. I am going to have the records checked again tomorrow. I don't think checking the records 24 hours later will make a difference, but I think it’s worth checking.

I asked a Verizon LERT supervisor what they would see on their end. He believed they would see the spoofed number and nothing else. He told me he would check and get back with me. “Probably needs to check with an engineer on this one!”

My next question to him will be whether or not their call records are drawn from CNID or ANI numbers.
Just what is in band or out of band?

If we ask the service provider to trace back from switch to switch can that be done in minutes, hours or days? Would it be a nominal fee or would I be looking at big bucks? I may be going a bit overboard on this subject, but if I had a victim in a case that was spoofed I’d like to tell them something other than they were out of luck.

I’ll post Verizon’s response when I get it

Cheers,


   
ReplyQuote
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

@kmau, my experience differs.

I have done this on AT&T, XO and Verizon.


   
ReplyQuote
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
Topic starter  

I just got off the phone with the head of the Verizon Law Enforcement Relations Team. He advised me they cannot trace a spoofed number. Their switch only sees the spoofed number. I asked about CNID and ANI, but he stated again that they only saw the spoofed number. He further stated that he couldn't even look at my CDRs and say that something looked strange or out of the ordinary. Oh well.

He understands that this seems to be a growing concern with Law Enforcement and that it may be necessary to increase their capabilities. I asked him about a rumor I heard that Verizon was thinking about not maintaining SMS "text" content and he told me he had not heard that. It is his opinion that we may see some Federal legislation in the near future requiring service providers to maintain the content for a specified time.

I am assuming that all the providers are using the same technology, but I will check with Sprint, T-Mobile and AT&T to see what they can do with a spoofed call. I'll update as I go!

Cheers!


   
ReplyQuote
(@drxcitement)
Active Member
Joined: 15 years ago
Posts: 6
 

All

This is all very helpful and useful information, but regardless of the network being spoofed or the CID or ANI layers, those are all network specific, which is enough to get you to the MAC Address or the MEID of the device in the ethernet layer. These are not easily spoofed, not by someone of average criminal intelligence.

The data map should look like this

Perp's phone/computer to www.phone spoof. com > ethernet / network layer IP > to network layer of phone you want spoofed message to > ethernet layer to deliver message to spoofed phone recipient. There should be MEIDs or MACs on both ends of that data transmit regardless of the spoofing, and if you have the device that received the spoofed message under warrant or subpoena shouldn't this be able to be proved out?

Just asking? Is there some hole in my theory?

Thanks,

JH


   
ReplyQuote