ANI and Caller ID Spoofing

by Lucky225

Update - 08/2004:  I wanted to correct this horribly misleading textfile and bring it up to date.  I have added more content at the bottom, and replaced "flex ANI" with "CPN," the real telco term.  Remember, flex ANI is just the identification indicator class of service, it isn't the CPN.  Check out the DEFCON 12 speech slides at stromcarlson.com.

Update - 05/2003:  AT&T's Automated Operator (10-10-288-0) has blocked 800-646-0000 from being called through AT&T.  All other 800 numbers go through fine, but 800-646-0000 says, "We're sorry, the number you have dialed is either incomplete or not valid.  Please enter the number you wish to call again."  I guess AT&T really does read 2600.

Please note the article that appeared in 2600 Magazine, Vol. 20, No. 1 (Spring 2003) has some clerical errors that have been corrected in this text!

This article will explain many methods of Caller ID and ANI spoofing that can still be used as of today.  I have also included a brief FAQ for those of you who may not be familiar with the terminology and should help you understand this article more.  I hope that this article will make many of you aware that Caller ID and ANI, although often great tools, can also be a waste of your time and money.

Please don't confuse this article with past ones I've written.  While I mention techniques I have used in the past, I also include up to date accurate information.  This is meant to be a reference article on how Caller ID and ANI can be spoofed, as well as on how they've been spoofed in the past.  All those telco techs out there who claim it can't be done will find definite proof that it has been.  You will also find some useful links at the end of this article.  Enjoy.

FAQ

So, just what is ANI?  ANI stands for Automatic Number Identification.  ANI is a service feature in which a directory number or Billing Telephone Number (BTN) is transmitted so that it can be obtained automatically.  In other words, your number is sent automatically to wherever you are calling.  Unlike Caller ID, you cannot block this feature.

What is flex ANI?  Flexible ANI provides Identification Indicator (II) digits that identify the class of service of the phone you are calling from.  Flex ANI is transmitted as II digits + BTN.

What is CPN?  Calling Party Number, the number used for your Caller ID.

What are ANI "II" digits?  Identification Indicator digits describe the class of service of the telephone.  Some examples are:

What is an ANAC?  ANAC stands for Automatic Number Announcement Circuit.  This is a phone number you can call that will ring into a circuit that announces the ANI or CPN number you are calling from.  Examples of ANACs are 800-555-1140, 800-555-1180, and 800-444-4444.  When you call these numbers you will get an Audio Response Unit (ARU).  This is the circuit that announces your ANI/CPN.  When you call 800-555-1140 or 800-555-1180, the ARU will say the following:

"The ARU ID is [ARU ID].  Your Line Number is [TRUNK NUMBER].  The DNIS is [DNIS NUMBER].  The ANI is [II digits followed by CPN, even though the recording claims to be reading ANI]."

ARU ID:  Audio Response Unit ID number.  This identifies which ARU in a group of ARUs you reached.

Line Number:  The trunk you came in on.

DNIS:  Dialed Number Identification Service.  Tells you which number you called.  (i.e. 800-555-1140 is 03123, 800-555-1180 is 03125)

ANI:  Identification Indicator digits followed by ANI.

What is a BTN?  Billing Telephone Number is the phone number to which charges are billed.  It is not necessarily the phone number of the line you are calling from.

What is Pseudo ANI?  Pseudo ANI or PANI is a unique non-dialable number used to route cellular calls.  PANI is used by 911 operators to find the cell site and sector from which the cell phone is calling.

What is an ANI fail?  An ANI fail is when no ANI is sent.  Usually the area code of the tandem office completing the call will be sent.  (For instance, if the tandem office is in 213, the ANI will be sent as 213-000-0000.)

How do ANI fails occur?  ANI fails can occur when the tandem office completing a call didn't receive ANI from the central office originating the call.  ANI fails can also be caused when ANI is intentionally not sent.  This can happen by using a method called "operator diverting" or "op-diverting."  Another way you can cause ANI fails is through the use of the AT&T long distance network.  Simply dial 10-10-288-0 or dial 0 and ask your operator for AT&T.  When AT&T comes on the line, simply Touch-Tone in a toll-free number and the call will be completed with no ANI.  Note, however, that this method is dependent upon the AT&T center you reach.  Some AT&T centers still forward ANI, others send an AT&T BTN as ANI.  But most AT&T centers currently don't forward ANI.

What is op-diverting?  "Op-diverting" is a term that describes the process of intentionally causing an ANI fail by having your local operator dial the number you wish to reach.  Most operator centers are not equipped to forward ANI and so they complete the call with no ANI.

What's the difference between ANI and Caller ID?  ANI is the BTN associated with the telephone and is the direct number you are calling from.  Caller ID is usually the BTN, but occasionally can be incorrect, i.e., the main number of a business instead of the actual number being called from.  Another difference is that ANI shows the class of service of the phone number, while Caller ID just shows the name and number.
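A receiving-side check built from the FAQ definitions above, added here as an example and not part of the original article: it splits the "II digits + number" field, recognises an ANI fail (area code followed by 000-0000), and compares ANI with CPN.  The record layout, reason names and sample calls are constructed for illustration, and the II value 02 for ANI failure comes from the NANPA II-digit assignments, not from this page.

```python
import re
from dataclasses import dataclass

II_ANI_FAILURE = "02"  # NANPA II-digit value for "ANI failure"; not listed on this page

def digits(number: str) -> str:
    """Strip punctuation and a leading 1 so 213-555-0100 and 1 (213) 555-0100 compare equal."""
    d = re.sub(r"\D", "", number)
    return d[1:] if len(d) == 11 and d.startswith("1") else d

def split_flex_ani(field: str) -> tuple[str, str]:
    """Split 'II digits + 10-digit number', the layout the ARU reads back."""
    d = re.sub(r"\D", "", field)
    if len(d) != 12:
        raise ValueError(f"expected 2 II digits + 10-digit number, got {len(d)} digits")
    return d[:2], d[2:]

def is_ani_fail(ii: str, ani: str) -> bool:
    """ANI fail: only the tandem's area code arrives, e.g. 213-000-0000."""
    return ii == II_ANI_FAILURE or ani[3:] == "0000000"

@dataclass
class Call:
    flex_ani: str  # II digits + ANI as delivered with the call
    cpn: str       # Calling Party Number, the Caller ID value

def screen(call: Call) -> list[str]:
    """Return the reasons the delivered number should not be treated as proof of identity."""
    ii, ani = split_flex_ani(call.flex_ani)
    cpn = digits(call.cpn)
    reasons = []
    if is_ani_fail(ii, ani):
        reasons.append("ani_fail")  # nothing real to compare the CPN against
    elif cpn and cpn != ani:
        reasons.append("cpn_differs_from_ani")  # PBX main number, or a CPN set by the caller
    if not cpn:
        reasons.append("cpn_missing")
    return reasons

# Constructed sample calls (555-01xx numbers are reserved for fiction).
SAMPLE_CALLS = [
    Call("00-213-555-0100", "1 (213) 555-0100"),  # ANI and CPN agree
    Call("00-213-000-0000", "604-555-0123"),      # ANI fail, CPN supplied anyway
    Call("00-213-555-0100", "213-555-0199"),      # CPN is not the billing number
    Call("02-213-555-0100", ""),                  # II digits report ANI failure
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(c.flex_ani, c.cpn or "-", screen(c) or ["ok"])
```

A non-empty result is a reason to verify the caller some other way, not proof of spoofing, since a business line can legitimately present a CPN that differs from its BTN.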

Now that you have an idea of what ANI is and how it differs from Caller ID, I will explain some methods for spoofing both of them.

Spoofing Caller ID

Method #1 - Using a PRI line.  Major companies that have a PBX with many hundreds of lines hooked up to a Primary Rate ISDN (PRI) line can spoof Caller ID by setting the Caller ID number to whatever number you want for a given extension on that PBX by typing a simple command on the PBX's terminal.

Some telephone switches also use whatever Caller ID is sent from the PBX as ANI - a major hole in the telephone network that I hope will someday be fixed since the spoofed ANI can be billed for long distance calls!  Telephone company billing records should be inadmissible for this reason.  I hope the telcos have switch logs for backup!

Note:  In my 2600 article, I was talking about how this method also spoofs ANI.  I'm actually wrong about this, it spoofs CPN, not ANI!  Hah, maybe I should read my own FAQs!  Anyways, CPN is the Directory Number (DN) on the switch, it is not the BTN!  The real ANI is the BTN.  Most 800 numbers use CPN, not real ANI, so I thought ANI was being spoofed but in actuality it was only the CPN being spoofed.

Method #2 - Orange Boxing  Orange Boxing is Caller ID signal emulation through the use of a Bell 202 modem, sound card software, or a recording of a Caller ID transmission.  Orange Boxing is not very effective because you have to send the signal after the caller has answered their phone.

However, through the magic of social engineering, you could have one friend call a number and pretend he has reached a wrong number while sending a call-waiting Caller ID signal, fooling the victim into believing he is receiving another incoming call from the name and number spoofed.  When the victim "flashes over," have your friend hand you the phone and continue with your social engineering.

Method #3 - Calling Cards  I learned this method from some phone phreaks on a party line a long time ago.  I can't recall the name of the calling card company, but all one had to do was provide a credit card as a method of payment to obtain a PIN.  Once you have the PIN you just op-divert, or cause an ANI fail, to the 800 number for the calling card and it would ask you to please enter the number you are calling from.  You Touch-Tone in any number you want, then it would ask for your PIN and then what number you wanted to call.  The person you call would see the number you Touch-Toned in as the Caller ID for that call.  If the number is in the same area as the caller, it will also show the name associated with the phone number.

Method #4 - Social Engineering  This method for spoofing Caller ID is social engineering a TELUS operator to do it for you.  I stumbled upon this method when I was testing out a theory.  In my previous 2600 article about spoofing ANI through AT&T, I mentioned something known as the "710 trick."

This was a method of making collect calls that the called party wouldn't be billed for.  The way the 710 trick worked in the past was, you'd op-divert to 800-CALL-ATT and give the operator a "710 area code number" as where you are calling from and then have her place a collect call to the number you want to call.  The called party would never get a bill, because 710 is a non-existent area code.

AT&T does its billing rates by where the call is being placed from and the calling destination.  But because you used a 710 area code number, the rates were undetermined.

I was testing to see if the 710 trick also worked with a Canadian phone company called TELUS.  After testing it out, my friend in Canada dialed *69 and it read back the 710 area code number I gave the operator.  This is how I discovered Caller ID spoofing was possible through TELUS.  I then began coming up with a social engineering method to get them to place a call for me without selecting a billing method.  I now know that it is also possible to spoof ANI through TELUS.  TELUS' toll-free "dial-around" is 800-646-0000.  By simply calling this number with an ANI-fail you can give the operator any number as where you are calling from.

As of January 2003, TELUS can now place calls to many toll-free numbers and the CPN will show up as whatever number you say you're calling from.  So by simply causing an ANI-fail to TELUS dial-around service, you can spoof Caller ID to anyone you want to call.  If the person you are calling is in the same area as the number you are spoofing, the name and number show up on the Caller ID display.

To cause an ANI fail to TELUS, all you have to do is op-divert to 800-646-0000 or dial 10-10-288-0 and Touch-Tone 800-646-0000 when AT&T comes on the line.  You can social engineer the TELUS operator to place "test calls" for you, which is a free call with no billing.  You simply tell the TELUS operator at the beginning of the call that you are a "TELUS technician" calling from [number to spoof] and need her to place a "test call" to [number to call].

The social engineering pretext looks like this:

  1. You pick up the phone and dial 10-10-288-0.
  2. AT&T Automated Operator: "AT&T, to place a call..."
  3. You Touch-Tone 800-646-0000.
  4. AT&T Automated Operator: "Thank you for using AT&T"
  5. <RING>
  6. TELUS: "This is the TELUS operator, Lisa speaking." (or, "This is the TELUS operator, what number are you calling from?")
  7. You: "Hi Lisa, This is a TELUS technician, you should see an ANI failure on your screen, I'm calling from [number to spoof].  I need you to place a test call to [number to call]."
  8. TELUS: "Thank you from TELUS."

What just happened was AT&T sent an ANI fail to TELUS, you told the operator to key in your new "calling from" number, then TELUS places the call and uses the number you gave them as both ANI and Caller ID!

Note about spoofing ANI to toll-free numbers:  Not all U.S. toll-free numbers are accessible from Canadian trunks.  So even though you are spoofing a U.S. number, the call will not be able to be routed through TELUS.  Of course, the social engineering trick will probably become ineffective soon.  Though I've demonstrated it at H2K2 in July 2002 and it's now 2003 and is still working.  The spoofed Caller ID also shows up on collect calls (although I think you can only call people in Canada collect with this service), third-party billing (would you accept a third-party bill call if the Caller ID said your girlfriend's number and the operator said she was the one placing the call? :)), and calling card calls.  So you could even legitimately spoof Caller ID if you had a TELUS calling card, however the rates are pretty expensive, though you can get one if you have TELUS as your local phone company.  If you live outside Canada, you can pay with a credit card (you need a Canada billing address though!).  Call 1-800-308-2222 to order one.

Method #5 - VoiceXML  Using a VoiceXML service like cafe.bevocal.com you can write a script to spoof Caller ID for you.  An example script can be found at www.erased.us/bevocal.xml

Method #6 - VoicePulse  Order VoicePulse VoIP service, turn call-forwarding on, and forward your calls to who you want to spoof your Caller ID to.  Set "Anonymous Call Rejection with Prompting" on.  Call your VoicePulse number with your Caller ID blocked, enter a phone number you want to spoof when asked for your number, your call will go through and be forwarded with your Caller ID spoofed.

Method #7 - Vonage  Call up and order Vonage service, say you want to port your "cellphone number" over while signing up for the service.  When they ask for your cellphone number to port over, give the number you want to spoof.  You'll be notified that you have to send a Letter of Authorization (LOA) into them before they will port the number.  However, your Caller ID will still show the number you're "porting."  You can also receive calls at the "ported" number if someone on Vonage tries to call that number.  All other callers will reach the right number, this is a Vonage glitch.

Method #8 - Asterisk  Find an IAX provider that allows you to set your own CPN.  You can then set up the CPN for your outbound calls as anything you want.

Spoofing ANI

Spoofing ANI is a little more difficult than spoofing Caller ID, unless you have access to a central office switch.

A few years ago when Verizon was still GTE here in California, the local "0" operator center was located close to me and they had the ability to send ANI without ANI fails.  However, I found a test number on a DMS-100 switch in Ontario that would give me a local "0" operator - only she'd see an ANI fail and have to ask me what number I was calling from.  Any number I gave her would be used as ANI for any call I had her place.

A while ago, AT&T used to send ANI when you placed calls to toll-free numbers through the AT&T network and you could only call 800 numbers that were hosted by AT&T.  After 2600 published my article on how to spoof ANI by op-diverting to 800-CALL-ATT, AT&T had their network changed within a month.  Their new network, however, just made it easier to cause ANI fails to toll-free numbers.

On their new network, you could call any toll-free number, not just AT&T hosted numbers, and there would be no ANI on the call, unless you were calling 800-CALL-ATT or a few other numbers that are internal numbers hosted by the call centers themselves.

All you have to do to cause ANI fails to toll-free numbers now is dial 10-10-288-0 and Touch-Tone in the 800 number when AT&T comes on the line.  This method of causing ANI fails is great because you don't have to speak to a live operator and you can even have your modem wardial 800 numbers without fear of your ANI being logged.

However, there might be some AT&T call centers that still forward ANI, and you may be able to reach them even if the call centers aren't in your area.  Try op-diverting to an AT&T Language Assistance operator.  Since it is not likely that your call center will have a Tagalog speaking operator, you will get routed to a different AT&T center that does, possibly an AT&T center that still forwards ANI.  If you get an AT&T center that still forwards ANI, you can spoof ANI by simply giving the operator the number you want to spoof as where you are calling from and social engineering her into placing a call to the toll-free number you wish to call.

Here are some AT&T Language Assistance numbers:

Links

Shouts: Cesssnaa, doug, natas, strom carlson
