CALLING NUMBER SPOOFING - APPLICATION ATTACKS - Praise for Hacking Exposed: Unified communications & VoIP Security Secrets & Solutions, Second Edition (2014)

PART II. APPLICATION ATTACKS

CHAPTER 6. CALLING NUMBER SPOOFING

That’s weird—my bank is calling me. I wonder what they want. I better answer; someone might be abusing my credit card.

—Victim of calling number spoofing

One of the key values provided for all calls is the calling number. This number represents the user, consumer, or business originating the call. Another common term for the source number is “Caller ID.” Although this term actually has a specific meaning, which we will cover shortly, it is often used to refer to the source or calling number. Although we currently take being able to see the calling number for granted, it wasn’t that long ago that you had no idea who was calling you when your home phone rang. Even today, you can still find and buy inexpensive analog phones that don’t show the calling number. Over time, different technologies were developed, including the ability to transmit the calling number, convert it to an alphanumeric identifier, and display this information on the phone.

Calling Number 101

Caller ID refers to an alphanumeric string that is transmitted to help identify the calling number. In the early days of this service (and still to this day, in some cases), you had to pay for it or you wouldn’t get the calling number. On analog lines, Caller ID is transmitted via a modem, between the first and second rings. If you answer a call too quickly, you will not get Caller ID. For enterprise trunk types such as ISDN-PRI and SIP, Caller ID is transmitted via different fields/headers in a setup message or INVITE request. We commonly see Caller ID on our enterprise handsets and home phones. Caller ID has been made less useful on smartphones because the calling number for known callers is converted to a name stored in an individual’s contact list. Although Caller ID continues to be used as a generic term for the calling number, we will avoid using that term in this way in the book and instead use the more correct term, “calling number.”

For inbound calls, how the calling number is delivered to the enterprise depends on the type of trunk—whether it is analog, T1 CAS, ISDN PRI, SS7, or SIP. For outbound calls, the trunk and IP PBX determine how much control is available for sending the calling number to the public network. For analog and T1 trunks, you don’t have a lot of control. For ISDN PRI and SIP/VoIP trunks, the caller has a lot of control. The most common trunk protocol for enterprises remains ISDN PRI, and it is very easy for the IP PBX to send out any number it wants. For example, it is common for an enterprise to send out a general number rather than the specific extension. This is just as easy with SIP trunks. Herein lies the issue: It has become so easy to change the calling number that it isn’t safe to use it to identify the caller or use it for authentication. In addition to the ability to change the calling number via an IP PBX and ISDN PRI or SIP, a number of network services can be used to change or spoof the calling number. Also, applications that run on smartphones can do the same thing. There are also popular voice services that allow you to make calls with an anonymous number (although you can’t control the calling number).

It is also easy for a caller to block transmission of the calling number by adding the *67 prefix when making the call. This is different from spoofing the calling number and can be detected by the receiving IP PBX and dealt with accordingly. We have all received these calls on our home and cell phones where the calling number shows up as “Blocked,” and most of us ignore those calls. Note that the *67 prefix does not work with Automatic Number Identification (ANI), discussed later, because the calling number is still delivered.

Figure 6-1 illustrates the proportion of inbound voice calls to enterprises for which no source number is presented, as measured from our experience. On average, 3.45 percent of inbound voice calls have no source information. Of these, 75 percent have Caller ID intentionally removed by the caller, and the remaining 25 percent have no source information from the originating carrier. The rate is usually higher in financial contact centers.

Figure 6-1 Proportion of calls with no calling number presented

You may see the number of blocked calling number calls increase for unsophisticated TDoS attacks. More sophisticated attacks will spoof the calling number to a variety of random or legitimate-looking numbers.

Another type of calling number is the ANI. ANI was originally developed as a way of transmitting the calling number for some trunk types, such as T1 CAS. ANI delivers the billing number, and is an extra feature that enterprises must pay for. ANI is often provisioned in contact centers for 1-800 numbers so that the enterprise has a better idea who is calling. ANI is more difficult to spoof than the calling number, but it can still be changed through some network services and with an IP PBX using SIP trunks. If you would like to determine the calling number and ANI generated for a call from your enterprise phone, home phone, cell phone, network service, or whatever, you can call 1-800-437-7950. The service will provide an announcement with your calling number and ANI. It is a great way to learn what you are sending, especially if you are trying to test spoofing this information. For more information on ANI, see “Automatic Number Identification” [1] and NANPA ANI II Digits [2] in the “References” section at the end of the chapter.

Consumers, enterprises, and applications often still trust the calling number. If a naïve consumer sees a calling number, they often still assume it is the legitimate caller. Some contact centers see the calling number or ANI and trust that it is really the consumer who is calling. Some simple IVRs, such as those in grocery stores for pharmacies, still use the Caller ID to verify that the caller is the real consumer. This is convenient, but can be used to the attacker’s advantage. Some voicemail services use the calling number for authentication. In the widely publicized scandal involving Rupert Murdoch, his News Corporation and its subsidiary, News International, were accused of using voicemail hacking to gain information for news stories. There are many links to this scandal—see the “References” for a recently updated timeline of the scandal from CNN [3].

Attackers can easily spoof their calling number, either for disguising themselves or for masquerading as legitimate users in order to trick their target. This is a useful technique for many attacks, including voicemail hacking, harassing calls, voice phishing, voice spam, call pumping, TDoS, and social engineering. As an example, if an attacker wants to trick a consumer into thinking they are a legitimate bank, they simply make a call and change their calling number to the bank’s 1-800 number, which will trigger the display of the bank’s caller ID. Spoofing the calling number is also very valuable for contact center attacks to mimic a consumer from whom the attacker is trying to steal funds. Although the calling number is rarely the only item used for authentication, it is a great start. When coupled with discovery of basic personal information, which can easily be found on the Internet, the attacker is well armed for a social engineering and financial fraud attack.

Figure 6-2 provides some metrics for the percentages of calls with a spoofed calling number. The call sample size is in the millions of calls into contact centers. This information comes from TrustID (www.trustid.com), a company that’s able to detect calling number spoofing.

Figure 6-2 Percentage of spoofed calling number

This data shows that approximately 5 percent of calls are spoofed. This number will only go up over time. Some of these calls may have a legitimate reason for changing the calling number, but a large percentage are intentionally spoofed. The data shows that approximately 80 percent of the calls could be authenticated to legitimate callers. Just over 12 percent are calls that were likely from an enterprise PBX where the calling number was legitimately changed/masked. Another 3 percent were from Internet/PC softphones, which could not be authenticated. In a real-world scenario, for a moderately sized contact center with 10,000,000 calls a year, 5 percent of calls with a spoofed calling number equates to 500,000 calls a year. That’s a lot of spoofed numbers.

Intentionally spoofing the calling number for harmful reasons is illegal. The Truth in Caller ID Act of 2009 prohibits calling number spoofing for the purposes of defrauding or otherwise causing harm. The FCC has adopted rules that implement the Truth in Caller ID Act. See the FCC’s website [4] for some good information on the law, along with the FCC’s recommendations. Note that although spoofing a calling number may be illegal, the laws only affect “legitimate” telemarketers—they do not have any impact on real voice spammers, voice phishers, and so on, who do not play by the rules. Another good resource can be found from the Federal Trade Commission. The FTC has been working to eliminate “robocalls,” which are automatically generated SPAM or phishing calls [5]. Although the focus here is on robocalls, there is a lot of discussion about spoofing calling numbers and how this issue makes dealing with robocalls that much more difficult. The Los Angeles Times published a good lay-reader’s article on calling number spoofing [6].

The remainder of the chapter covers various ways to spoof the calling number. This includes programming IP PBXs as well as using popular Internet-based voice services, network services, and applications on smartphones. If you do a little research on Google, you will find many resources and companies offering calling-number-spoofing services—it has become quite a business.

Spoofing/Masking the Calling Number with an IP PBX

There are many ways to change or spoof the calling number. You definitely want to use one of these techniques in conjunction with the calling “attacks” covered in Chapter 7. Calls to enterprises and especially contact centers are tracked through CDR and possibly call recording, so you won’t want them to be able to trace back to your actual calling number. In this section, we start by covering techniques using IP PBXs.

Masking the Calling Number with an IP PBX

Virtually every IP PBX supports the concept of number masking on outbound calls. The idea here is that although an IP PBX can send out the number of the actual extension, many enterprises would prefer sending out a general number for the site or organization. Some organizations, including parts of the government, do not want to send out their actual number. This practice is also friendlier for caller ID, which can convert the general number to a string such as “SecureLogix,” but won’t do this for each extension/DID that is used by SecureLogix.

Note that for ISDN PRI trunks, it isn’t normally possible to spoof the ANI, which is set by the service provider.

This isn’t malicious spoofing, but does involve changing of the source number for outbound calls. It is perfectly legitimate and legal. We mention it here mainly because it is a very common practice and, of course, anyone with access to the IP PBX—whether it is Cisco Unified Communication Manager, Microsoft Lync, Avaya, or Asterisk—can do this as well, including for malicious calling number spoofing.

Masking the Calling Number with an IP PBX Countermeasures

The practice of masking the calling number for enterprises really is common practice and not an attack.

Calling Number Spoofing with Asterisk

The Asterisk free PBX is a great platform for generating many types of calls, including those for attacks such as voice SPAM, voice phishing, call pumping, TDoS, and so on. Asterisk also has the capability to set the calling number for every call it generates. This is true for both ISDN PRI and SIP trunks. Asterisk also allows the ANI to be spoofed when SIP trunks are used. Asterisk remains the platform of choice for high-volume call generation. We will cover this, along with how to spoof the calling number, in Chapter 7, where we cover inbound calling attacks.

Calling Number Spoofing with Asterisk Countermeasures

As with all forms of calling number spoofing, there is very little the enterprise can do. The calling number is determined at the origination point and passed through the various service provider networks “as is.” The service providers currently do nothing to block spoofed calling numbers and are actually in a tough position to do so, because calls often pass through multiple service providers. For example, if a reputable service provider receives a call with a spoofed calling number, there isn’t much they can do other than pass it along to the destination.

For phone numbers for which the service provider is responsible, the service provider could check whether the calling number passed is legitimate before the calling number is passed along. This is possible, but rarely done in practice.

Once the enterprise receives a call with a spoofed calling number, there is very little it can do to determine whether the calling number is spoofed. Some trunk types, including ISDN PRI, do not allow ANI spoofing, so using ANI in a contact center is slightly more reliable than using the calling number, but can still be spoofed with SIP trunks and some of the services we cover later in this chapter, so it isn’t really reliable.

Some SIP RFCs, such as RFC 3325, propose protocols for asserted identity. This RFC only covers asserted identity in a limited trust domain and isn’t very useful in real networks such as the public voice network or Internet. Some new protocol may be proposed and adopted in the future, but to be useful, it would have to work with the public voice network and the Internet as well as be widely adopted by service providers, enterprises, and consumers. See the “References” for a link to RFC 3325 [7].
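
As an added illustration (not code from the book), the Python example below shows how a receiving system could read the calling-number headers of an inbound SIP INVITE, including the RFC 3325 P-Asserted-Identity and Privacy headers, and why an asserted identity only carries weight when it arrives from a trusted peer. The INVITE messages, phone numbers, host names, the `trusted_peer` flag and the verdict names are constructed assumptions.

```python
import re

# User part of a sip:/sips: URI, or the number in a tel: URI.
URI_USER = re.compile(r"(?:sips?:([^@;>\s]+)@|tel:([^;>\s]+))", re.I)
COMPACT = {"f": "from", "t": "to"}  # SIP compact header forms


def parse_headers(message):
    """Return {lower-case header name: [values]} for a SIP request."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers, last = {}, None
    for line in head.split("\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and last:   # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    return headers


def numbers_in(value):
    """Every URI user part in a header value, reduced to digits where possible."""
    found = []
    for m in URI_USER.finditer(value):
        user = m.group(1) or m.group(2)
        found.append(re.sub(r"\D", "", user) or user.lower())
    return found


def classify(message, trusted_peer):
    """Describe how the calling number was presented; never proves it is genuine."""
    h = parse_headers(message)
    from_nums = numbers_in(h.get("from", [""])[0])
    from_num = from_nums[0] if from_nums else None
    privacy = {t.strip().lower() for v in h.get("privacy", []) for t in v.split(";")}
    # RFC 3325: an asserted identity is only meaningful inside the trust domain,
    # so it is ignored when the sending peer is not trusted.
    asserted = []
    if trusted_peer:
        for v in h.get("p-asserted-identity", []):
            asserted.extend(numbers_in(v))
    if "id" in privacy or from_num in (None, "anonymous"):
        verdict = "withheld"      # caller blocked presentation of the number
    elif not asserted:
        verdict = "unasserted"    # only the caller-supplied From is available
    elif from_num in asserted:
        verdict = "consistent"    # upstream asserts the same number
    else:
        verdict = "mismatch"      # legitimate masking or spoofing; headers cannot tell
    return {"from": from_num, "asserted": asserted, "verdict": verdict}


def invite(from_hdr, extra=()):
    """Build a constructed INVITE (not captured traffic; all values are made up)."""
    lines = ["INVITE sip:+18005550199@pbx.example SIP/2.0",
             "Via: SIP/2.0/UDP sbc.carrier.example;branch=z9hG4bK776asdhds",
             f"From: {from_hdr};tag=1928301774",
             "To: <sip:+18005550199@pbx.example>",
             "Call-ID: constructed-0001@sbc.carrier.example",
             "CSeq: 1 INVITE", *extra, "Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"


PAI = "P-Asserted-Identity: <sip:+12105550142@carrier.example>"
CONSISTENT = invite("<sip:+12105550142@carrier.example>", [PAI])
MASKED = invite("<sip:+12105550100@carrier.example>", [PAI])   # general number sent
WITHHELD = invite('"Anonymous" <sip:anonymous@anonymous.invalid>',
                  [PAI, "Privacy: id"])

if __name__ == "__main__":
    for label, msg, trusted in [("consistent", CONSISTENT, True),
                                ("masked", MASKED, True),
                                ("withheld", WITHHELD, True),
                                ("untrusted peer", CONSISTENT, False)]:
        print(label, classify(msg, trusted))
```

A "consistent" verdict means only that the upstream peer asserted the same number as the From header; outside a trusted domain the result is "unasserted", which is the limitation of RFC 3325 described above.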

TrustID offers a service that can be used to detect spoofing of the calling number. TrustID actually focuses on calling sources that can be validated and states that they can validate over 80 percent of calling numbers. The remaining 20 percent are broken into calling numbers that are spoofed, Internet-based VoIP, and calling numbers that can’t be validated, normally because they are masked numbers from other enterprises. TrustID performs validation in the network, before the call is answered, and the validation is not detectable by the caller. The TrustID service does need to be integrated into an enterprise or contact center infrastructure with an appliance, IVR, or IP PBX. For more information on TrustID, see their website at www.trustid.com.

Pindrop Security offers a solution that analyzes the audio after the call is answered to determine whether it matches the calling number. For example, a call that says it is coming from New Jersey, but has audio characteristics from Nigeria, is probably spoofed. For more information on Pindrop, see their website at www.pindropsecurity.com.

Another very good resource on the calling number spoofing issue, with some comments on solutions by the FTC, FCC, and various vendors, can be found at the FTC micro website focused on robocalls [5].

Information discussing techniques for detecting calling number spoofing can be found on the Internet. See Laurie Dening’s paper [8] for a technique where, for an inbound call, an outbound call is made to the calling number that checks the status to determine whether an inbound calling attempt is being made. Finally, the Secure Telephone Identity Revisited (stir) IETF working group has formed to look at a standard to secure and authenticate calling numbers [9].

Anonymous Calling

You can use a number of very popular network services to create a new anonymous number. This isn’t as good as actual spoofing, where you can pick a random number or mimic another individual’s number, but it can still be useful for selected attacks, such as harassing calls and social engineering. Note that because all of the services that allow you to make anonymous calls have similar countermeasures, we cover all of them after discussing the attacks.

Skype

Skype (www.skype.com) is a very well-known over-the-top Internet-based voice service. Millions of people use Skype to make free voice and video calls all over the world using the Internet. Skype also offers the ability to make calls out of the Skype network to normal phone numbers, which is called Skype Credit (and used to be called SkypeOut years ago). You simply make a deposit, ideally through some anonymous electronic wallet service, and you can instantly be making calls to traditional numbers. Figure 6-3 shows an example of using Skype to make a call to a traditional number.

Figure 6-3 Using Skype to call a traditional number

The calling number used by Skype is not predictable; it is not tied to a given area code, exchange, or number. Many of the calls made appear with a number from the Palm Springs area, but don’t count on this. Skype also has a service where you can create your own caller ID. This process takes about a day, and involves authentication that appears proprietary to Skype. Because there is no email, voice, or text authentication, there may be a way to trick this authentication and insert your own number.

Google Voice

Google Voice is a great service that is more tightly integrated with the public voice network. Google Voice assigns you a number that can ring your normal number when the Google Voice number is dialed. Also, this service is integrated with other Google tools, transcribes voicemails into email, and has a built-in blacklist that can eliminate some of the voice SPAM you may be getting. Google Voice also allows you to grab a new number—you can’t select any number, but can generally pick one in your area code. Again, you can’t spoof a specific number, but you can create a new number, which is useful for some attacks.

Creating a Google Voice number is trivial, especially if you already use Gmail. The only real trick is that Google does try to verify your real number. Google will call the number you provided and you have to enter a two-digit code. Although you probably won’t want to associate the Google Voice number with your real number, you can get around this if you have access to someone else’s phone. If you know the DID of the phone, can use its number when Google Voice calls for verification, and can enter the code from their website, you are good to go. It is a voice call, not a text message, so you can use a landline phone to verify.

Once you have a Google Voice number set up, making calls is easy. You can do it right from the Google Voice web page and you can also send texts. The calls are free as long as you are in the United States. You enter the destination and then indicate whether you want the call to be connected to your normal (mobile) number or Google Voice. Your phone will ring first; when you answer, it will connect you to the number you entered. Again, the calling number will be the one Google Voice assigns to you. Figure 6-4 shows an example of using Google Voice.

Figure 6-4 Google Voice web page

Google Voice also has an application you can load on your smartphone. The application works the same as the web page—it allows you to make calls and send texts. Figure 6-5 shows this application.

Figure 6-5 Google Voice application on the iPhone

As with Skype, this service is very easy to use, so there’s no need for us to go into a lot of detail. We are certain by the time you read this book, other services will be available for use as well. Although we only showed Skype and Google, there are many free and cheap ways to make anonymous calls over the Internet.

SIP Softphone Calls into the Network

If you can get access to the public network via SIP, you can use a SIP softphone to make calls into the network. This is similar to using the Asterisk IP PBX connected to a SIP trunk, but in this case you simply use a softphone to connect to an Internet-based SIP trunk. Any SIP-based softphone will work. The only trick is finding a free (or very cheap) Internet SIP-based service that allows you to make calls. We cover using Asterisk, softphones, and making all manner of attack calls in Chapter 7.

Prepaid Mobile Phones

Mobile phones with prepaid service, which come with a preset number, provide an easy way to make an anonymous call. You can’t spoof your calling number, though.

Prepaid Long Distance Cards

Prepaid long distance cards offer yet another easy way to call from an anonymous number. These calling cards can be found virtually anywhere, even convenience stores. You buy a card with a set amount of long distance service, call a 1-800 number, enter your destination, and you are good to go. Your calling number won’t typically appear to the destination.

Burner Disposable Numbers

Burner is a neat application you can load onto your smartphone. Burner gives you a new, anonymous number that you can use as long as you want (as long as you pay for it), and then it can be “burned,” or disposed of. The app (on the iPhone) costs $1.99 and gives you 20 minutes of voice calls and 60 text messages. Figure 6-6 shows its use.

Figure 6-6 Burner application on the iPhone

Burner does require you to enter your own phone number. This is risky because you have to trust them not to distribute it.

Anonymous Calling Number Countermeasures

As with all forms of spoofing calling numbers and anonymous calling, there is very little the enterprise can do to detect or spot it. The number delivered is not a traceable number because it is one used by Skype, Google Voice, Burner, or any other available service. It isn’t practical to build blacklists of numbers for Skype and Google Voice, because enterprises will certainly be receiving many legitimate calls from these services.

It may be possible to build a blacklist of the numbers used by a service such as Burner, but to our knowledge this has not been done. An enterprise can monitor for repeated calls from a specific number, but this only works if the calling number does not change. This will work for services such as Burner and prepaid mobile phones. SecureLogix (www.securelogix.com) has technology that monitors for these types of patterns.
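
The repeated-call monitoring described above, as an added Python example (not SecureLogix’s technology and not code from the book): it scans call detail records for any calling number that reaches a call-count threshold inside a sliding window, and reports the share of calls with no calling number for comparison with the 3.45 percent average quoted earlier in the chapter. The CDR layout, the 10-minute window, the threshold of four calls and all records are constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASELINE_WITHHELD = 0.0345  # average share of calls with no source number (Figure 6-1 text)

# Constructed CDRs: start time, calling number (blank = none presented), called, duration.
CDR_CSV = """start,calling,called,duration_s
2014-03-04T09:00:05,2105550142,8005550199,40
2014-03-04T09:01:10,2105550177,8005550199,6
2014-03-04T09:02:30,2105550177,8005550199,5
2014-03-04T09:03:02,,8005550199,12
2014-03-04T09:04:45,2105550177,8005550199,7
2014-03-04T09:06:20,2105550123,8005550199,180
2014-03-04T09:07:15,2105550177,8005550199,4
2014-03-04T09:08:40,2105550177,8005550199,6
2014-03-04T09:30:00,2105550142,8005550199,65
2014-03-04T10:15:00,2105550142,8005550199,30
2014-03-04T11:00:00,2105550142,8005550199,20
2014-03-04T11:05:00,,8005550199,15
"""


def load_cdrs(text):
    """Parse CSV CDRs into (start, calling-number-or-None), sorted by start time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        calling = rec["calling"].strip() or None
        rows.append((datetime.fromisoformat(rec["start"]), calling))
    return sorted(rows, key=lambda row: row[0])


def repeat_callers(rows, window=timedelta(minutes=10), threshold=4):
    """Return {calling number: peak calls in any window} for numbers at or over threshold."""
    recent = defaultdict(deque)   # calling number -> start times still inside the window
    peaks = {}
    for start, calling in rows:
        if calling is None:       # withheld numbers cannot be tracked this way
            continue
        times = recent[calling]
        times.append(start)
        while start - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            peaks[calling] = max(peaks.get(calling, 0), len(times))
    return peaks


def withheld_ratio(rows):
    """Fraction of calls that arrived with no calling number."""
    if not rows:
        return 0.0
    return sum(1 for _, calling in rows if calling is None) / len(rows)


if __name__ == "__main__":
    cdrs = load_cdrs(CDR_CSV)
    for number, peak in repeat_callers(cdrs).items():
        print(f"repeat caller {number}: {peak} calls within 10 minutes")
    ratio = withheld_ratio(cdrs)
    print(f"withheld: {ratio:.1%} (baseline {BASELINE_WITHHELD:.2%})")
```

A burst in which every call carries a different calling number produces no hits here, which is the limitation noted above: the check only works if the calling number does not change.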

Network Services and Smartphone Apps

You can use certain network-based services to spoof your calling number. Quite a few of these services are available, and they all appear to offer the same features and cost about the same amount of money to use. Also, a number of smartphone apps are available that simplify the use of these services.

SpoofCard

SpoofCard (www.spoofcard.com) is a network service that allows you to make calls (and send texts) and spoof your calling number. You can also change your voice and record the call. To use this service, you call a number, enter the destination and desired calling number, and SpoofCard makes the call and connects you. You can even try it for free from their website. See Figure 6-7 for an example from the SpoofCard website.

Figure 6-7 SpoofCard website

We have used SpoofCard for almost five years and can attest that it performs reliably. See Figure 6-8 for an example of using SpoofCard to make a call.

Figure 6-8 Using SpoofCard to make a call

A number of other similar services, including Phone Gangster, SpoofTel, Telespoof, SpoofApp, Covert Calling, and CallerIDFaker, claim to offer the same functionality. Many appear to have the exact same features and cost structure. Some may be reliable, whereas others may be scams. However, we did not test any of these other services.

Smartphone Apps

Several apps for Apple iOS and Google Android claim to support the spoofing of a calling number. For iOS and Android, there is no way to spoof a calling number directly. There are apps available on the Apple App Store, but all have very poor reviews and do not appear to work. A couple of the apps for Android do appear to work, although future versions of Android may not support this. SpoofApp (www.spoofapp.com) was available for Android, but was taken off the Android Market. However, you can still download it directly from the developer’s site.

There are also apps that act as frontends for the network services described in the previous section (such as SpoofCard). These apps don’t directly spoof the calling number; rather they just make using services such as SpoofCard easier. You can tell the app works this way when it requires you to enter your own mobile number because it would not need this information if it was making the call directly.

One app we have used for Android is TraceBust. This app allows you to make calls, with a spoofed calling number, by using one of the network services described in the previous chapter. At the time of writing this book, the app was available and did work. See Figure 6-9 for a screenshot of this app.

Figure 6-9 TraceBust Android app

Network Services and Smartphone Applications Countermeasures

As with all forms of calling number spoofing and anonymous calling, there is very little the enterprise can do to detect it. Refer to the countermeasures in the “Spoofing/Masking the Calling Number with an IP PBX” section.

Summary

Spoofing a calling number, or Caller ID, has become trivial. Users can neither depend on nor trust the calling number presented for incoming calls. Spoofing or using an anonymous calling number is easy and can be accomplished through a variety of ways, such as using an IP PBX, VoIP-based services, network spoofing services, and even apps on smartphones. Although some simple attacks can be executed with calling number spoofing alone, in general, it is an enabler that makes many other attacks much more effective. This includes harassing calls, TDoS, call pumping, voice SPAM, social engineering, and voice phishing.

References

1. Automatic Number Identification (ANI), http://en.wikipedia.org/wiki/Automatic_number_identification.

2. NANPA ANI II Digits, www.nanpa.com/number_resource_info/ani_ii_assignments.html.

3. Timeline of UK Phone Hacking Scandal, CNN, www.cnn.com/2012/11/19/world/europe/hacking-time-line/index.html.

4. Federal Communications Commission (FCC), Caller ID and Spoofing, http://www.fcc.gov/guides/caller-id-and-spoofing.

5. Federal Trade Commission (FTC), Robocalls, www.consumer.ftc.gov/features/feature-0025-robocalls.

6. David Lazarus, “When Caller ID Gets Spoofed,” Los Angeles Times, http://touch.latimes.com/#section/-1/article/p2p-76387545/.

7. Internet Engineering Task Force (IETF), RFC 3325, www.ietf.org/rfc/rfc3325.txt.

8. Laurie Dening, Android Phone Application to Detect Malicious Cell Phone Spoofing, www.cse.sc.edu/files/Laurie%20Dening.pdf.

9. Secure Telephone Identity Revisited (stir), http://datatracker.ietf.org/doc/charter-ietf-stir/.