Caller ID Spoofing through TELUS -- This was the prepared speech I had for H2K2; however, I got cut off early. There are links at the bottom for the CID spoofing software mentioned during the con.
Read this if you already understand ANI and op diverting
Go to the bottom for Caller ID spoofing software links

Automatic Number Identification, or ANI, was developed by the telephone companies long before Caller ID, and originally for billing purposes only. ANI is a service similar to Caller ID in that it delivers your phone number to the called party when you place a call, except that because it is used for billing and for emergency services you cannot block it. Telephone companies used ANI to determine which number to bill when you placed a long distance call; the service later became available to toll-free numbers and to 911 emergency services.

The reason it is available to toll-free numbers is that, while the call is free to you, the company or person who owns the toll-free number pays for it, and rates differ depending on the area the call was placed from. So even if you block your Caller ID, your ANI is still sent to the toll-free number.

ANI, because it supposedly can't be blocked, is used as the premise for (C)LASS services. What is (C)LASS, you ask? It stands for Custom Local Area Signalling Services: all the overpriced features the local phone companies keep trying to sell you, such as *69 Call Return, *57 Call Trace, Caller ID, etc.

Now ANI sounds like the greatest thing since sliced bread, but it is not foolproof. There are two ways ANI can be signaled. The newer one, referred to as ANI II, sends a two-digit code along with your phone number that identifies the class of service of the line you are calling from: a payphone's ANI II code is 27, a regular phone's is 00, and so on. Before ANI II was implemented, a telephone company's local operator had no way of re-transmitting the calling number when placing calls to toll-free or local numbers; instead your ANI would simply read the area code of the operator center and nothing else. So if you called a toll-free number through a local operator in area code 909, all that would show as your ANI is 909. This is known as an ANI fail, and the 909 showing up does not necessarily mean you were calling from the 909 area code; it is just where the operator was stationed. You can still cause ANI fails today through most local operators, though a few are said to pass full ANI with ANI II equipment.

ANI fails cause problems for (C)LASS services such as Call Trace or Call Return. If you place a local call through the operator (you may be billed operator-assisted charges, so there is a record of the call being placed) and the person you call tries to *57 Call Trace you, they receive a message that the call could not be traced, because no ANI was provided for the call.

Here is where it gets fun. Because ANI is used for billing, when you call a toll-free number that offers collect, third-number billing or calling card services, such as 800-CALL-ATT, they also use your ANI as the number to put on the phone bill of the person you call collect or bill third-party to. But how can they do this if the call arrives with an ANI fail? They can't, so instead of the automated system you usually get, an operator asks where you are calling from, and you can give her any phone number you want. This is where things get interesting. AT&T's operators handle a great many calls: calls from their 10-10-288-0 dial-around, calls from long distance customers who dial 00 to reach them, and of course calls that come in over the toll-free number. If the operator is not paying close attention she will not notice that you dialed a toll-free number to reach her; you can give her any number you wish as where you are calling from and then say you are a visually impaired customer who needs her to dial a toll-free number. She will believe you dialed 00 to reach her, which many visually impaired customers do, and not the toll-free number.

In the past, AT&T used the number you gave them as your ANI and actually passed that ANI along to any toll-free number you called, and other telephone companies' toll-free numbers would let you bill long distance calls to the ANI you were calling from. BellSouth was one of these companies: you could simply call 1-800-BELLSOUTH from your home phone and have the operator place a long distance call and bill it to the number you were calling from. When it was still possible to spoof ANI through AT&T's 800-CALL-ATT service, you could give the AT&T operator any phone number you wished as where you were calling from, then have her call 800-BELLSOUTH, leading her to believe you were a visually impaired customer needing assistance dialing that number. Then you could press 0 for the BellSouth operator and have her place a long distance call billed to the number you gave the AT&T operator, because that is the number BellSouth thought you were calling from.

All this has been published in 2600 Magazine and is now history. BellSouth has learned from its mistakes and no longer bills to ANI that comes in over its 800 number, and AT&T no longer passes ANI to 800 numbers at all: you can dial 00 or 10-10-288-0 and touch-tone in an 800 number, and it will connect you to that 800 number with an ANI fail without your even having to speak to an operator. The problem is that this makes ANI fails easier to cause. It solves the ANI spoofing problem, but now you can reach toll-free numbers with an ANI fail more easily than before.

In spite of the fact that AT&T and BellSouth have learned their lesson, many telephone companies have not. Telus is one of them, and not only does Telus let you spoof ANI, it lets you spoof Caller ID too. Telus' toll-free "dial-around" is 800-646-0000; by simply calling this number with an ANI fail you can give the operator any number as where you are calling from. Telus is odd in that they keep upgrading and downgrading their dial-around call center. You used to be able to call any toll-free number through the Telus operator, and it would pass whatever number you gave the operator as ANI to the toll-free number you called; now it appears they have new toll-free trunks that only pass ANI fails to toll-free numbers, and for some reason you cannot call MCI-owned toll-free numbers either.

Nevertheless, the ANI is still passed when you call a long distance number through the Telus dial-around service, and that ANI is also used as Caller ID. So by simply causing an ANI fail to the Telus dial-around service you can spoof Caller ID to anyone you want to call. Not only that: if the person you are calling is in the same area as the number you are spoofing, the NAME and the number show up on the Caller ID display.

To demonstrate this I will cause an ANI fail to Telus dial-around using AT&T's 10-10-288-0 and then calling 800-646-0000. I will then place a collect call to this phone from a spoofed number; I will use xxx-xxx-xxxx as an example, and you will see the name and number show up on the screen. Now I know you're thinking, "Yeah, that's great, but can you only use it to spoof Caller ID on collect calls?" No. You can social engineer the Telus operator to place "test calls" for you, which are free calls with no billing; however, I'm not sure whether that is considered toll fraud or not, so I will not be demonstrating that.

Telus is not the only telephone company with this type of dial-around system. AT&T, as stated, used one in the past, though they didn't use the spoofed ANI as Caller ID, and there are a few other phone companies besides Telus on which this trick also works. The sad thing is that ANI spoofing and Caller ID spoofing are so easy, yet many companies use ANI and Caller ID as a security feature. For example, I once got a credit card in the mail for which the only verification needed to activate it was to call from your "home phone". It didn't ask for the last four digits of my SSN or anything else; had the card been misdelivered to my neighbor, or had I accidentally thrown it away, anyone could easily have spoofed ANI and activated the card without my knowing it. Hopefully this presentation will make everyone more aware that ANI and Caller ID should not be relied on as proof of where you are really calling from.

-- What you saw at H2K2 when it said "Lucky225 Rules" was spoofing by emulating Bell 202 FSK signals. Near the end of the panel was me social engineering the Telus operator, telling her I was calling from 909-661-2600 and having her place a call to the phone next to me. The reason it didn't work the first time is that I tried to make it quick and just have her call the phone collect, but the lines had a collect block. So then I tried telling her I'm a tech, and the call went through and the Caller ID was spoofed, but the line I was calling didn't have the Caller ID projector hooked up to it. So I finally switched phones and did a final social engineer through Telus to call the phone that had the Caller ID projector hooked up, and that's when you saw "California 909-661-2600" flash up on the screen. Spoofing Caller ID through Telus still works, but social engineering them to get a free call is most likely harder now that I have told you all how to do it during the speech. But if you happen to have two phone lines and one of them doesn't have a collect block, you can call the one next to you collect through the Telus operator, but only to numbers in Canada (op divert to her first and give her the number you wish to spoof as where you are calling from). I suppose you could also do third number billing *wink wink*
Pictures from the panel are now up!

Spoonm's open-source software, written in Perl; it also has a web-based CGI that lets you create and download a WAV file with the spoofed info you want.

Software Orange Box: closed-source shareware Windows version, written by The Fixer.
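What the tools above produce is a Caller ID data burst: a channel-seizure preamble, a stretch of mark tone, then a message framed as 8N1 serial and modulated as Bell 202 FSK (1200 Hz for a 1, 2200 Hz for a 0, at 1200 baud). The Python below is an added example written for this page; it is not Spoonm's or The Fixer's code. It builds either a plain SDMF message (date/time plus number) or an MDMF message (tagged parameters, including a name), attaches the checksum a display verifies, and writes the modulated audio to a WAV file. The message types, parameter tags, checksum rule and the 300-bit seizure / 180-bit mark timings are taken from the Bellcore Caller ID spec as commonly documented; treat them as assumptions to check against GR-30-CORE if you build on this. The date, number and name used at the bottom are constructed sample values.

```python
# Added example (not from the original page): Bellcore-style Caller ID burst as Bell 202 FSK.
import math
import struct
import wave

MARK_HZ = 1200    # binary 1
SPACE_HZ = 2200   # binary 0
BAUD = 1200
SEIZURE_BITS = 300  # alternating 0/1 channel-seizure preamble (about 250 ms)
MARK_BITS = 180     # continuous mark before the message (about 150 ms)

SDMF = 0x04  # Single Data Message Format: date/time followed by the number
MDMF = 0x80  # Multiple Data Message Format: tagged parameters (date/time, number, name)


def checksum(body: bytes) -> int:
    """Two's complement of the modulo-256 sum of every byte before the checksum."""
    return (-sum(body)) & 0xFF


def sdmf_message(mmddhhmm: str, number: str) -> bytes:
    """SDMF: type byte, length byte, MMDDHHMM + digits, checksum."""
    data = (mmddhhmm + number).encode("ascii")
    body = bytes([SDMF, len(data)]) + data
    return body + bytes([checksum(body)])


def mdmf_message(mmddhhmm: str, number: str, name: str) -> bytes:
    """MDMF: type byte, length byte, then (tag, length, value) parameters, checksum.
    Tags assumed from the spec: 0x01 date/time, 0x02 calling number, 0x07 calling name."""
    params = b""
    for tag, value in ((0x01, mmddhhmm), (0x02, number), (0x07, name)):
        v = value.encode("ascii")
        params += bytes([tag, len(v)]) + v
    body = bytes([MDMF, len(params)]) + params
    return body + bytes([checksum(body)])


def verify_message(message: bytes) -> bool:
    """Receiver-side check: length field consistent and all bytes sum to 0 mod 256."""
    if len(message) < 3:
        return False
    return len(message) == message[1] + 3 and sum(message) & 0xFF == 0


def uart_bits(data: bytes) -> list:
    """Async serial framing: start bit 0, eight data bits LSB first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def burst_bits(message: bytes) -> list:
    """Full burst: seizure (0101...), mark, then the framed message bytes."""
    seizure = [i & 1 for i in range(SEIZURE_BITS)]
    return seizure + [1] * MARK_BITS + uart_bits(message)


def fsk_samples(bits: list, sample_rate: int = 8000, amplitude: int = 12000) -> list:
    """Phase-continuous Bell 202 FSK; copes with a non-integer number of samples per bit."""
    total = int(len(bits) * sample_rate / BAUD)
    samples, phase = [], 0.0
    for i in range(total):
        bit = bits[min(int(i * BAUD / sample_rate), len(bits) - 1)]
        freq = MARK_HZ if bit else SPACE_HZ
        phase = (phase + 2 * math.pi * freq / sample_rate) % (2 * math.pi)
        samples.append(int(amplitude * math.sin(phase)))
    return samples


def write_wav(path: str, samples: list, sample_rate: int = 8000) -> None:
    """16-bit mono PCM WAV, the form a software orange box plays into the line."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(sample_rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))


if __name__ == "__main__":
    # Constructed sample values, not a real caller: July 21, 15:30, a 909 number, a name.
    msg = mdmf_message("07211530", "9095551212", "TELUS")
    write_wav("cid_burst.wav", fsk_samples(burst_bits(msg)))
```

A central office sends this burst to the called line between the first and second ring; an orange box plays the same audio into a call that is already up, which only fools displays that accept Caller ID on an off-hook line (call waiting Caller ID). Either way the display trusts the checksum alone, which is why a correctly framed burst is all a spoofer needs.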