Spoofing Your Charge Number

by greyarea

This has been controversial to people who understand the whole concept of Calling Party Number (CPN) and Automatic Number Identification (ANI).  If you don't know the difference between the two, I can give an example and the definitions of both to clear it up for you:

1.)  Peter calls my phone and I have it forwarded to Doug.  Since Peter is the Calling Party Number, that will generate the Caller ID to Doug and Peter's number will show up on Doug's Caller ID display.

2.)  Peter calls my phone and I have it forwarded to NPA-555-1212.  Even though he's the Calling Party Number, Directory Assistance will see my number because I'm the ANI.  I originated the call to Directory Assistance and they will bill me.  In each call, Peter's ANI stopped at me and I became the ANI for both calls.  But Peter remained the Calling Party Number.  Got it?  O.K., let's move on.

There is proof that you can actually change the Charge Number when spoofing.  But it doesn't really change the ANI, just the Charge Number.  There are two different methods I'm going to talk about.

When you use the services of VoIP providers, the majority of them will let you choose your CPN (which as you know, generates your Caller ID).  That's not the ANI though because the call didn't originate from the number you chose.  Some of them will set a ten-digit non-billable number as your ANI so you can't charge someone else's phone with it and some of them will simply pass an ANI FAIL behind your CPN.  An ANI FAIL is just a three-digit area code that the call was homed out of.

There was an ANAC out there that read ANI instead of CPN and happened to be on the same backbone provider that one of my VoIP providers used.  The number was 1-800-862-4622.  (They noticed what I was testing and sent the DNIS to a VRU so it doesn't work anymore.)  AT&T was the backbone provider.  I could never spoof to this.  I put together the theory that if you cross platforms (AT&T to Qwest) passing an ANI FAIL as the ANI and setting your CPN, the receiving systems will recognize your number as the ANI.  But they don't because the ANI is still the three-digit NPA the call was homed out of.  But your CPN does become the Charge Number if the number is a chargeable one without restrictions on the line.  So, since my provider uses AT&T, I have to call a Qwest number.

Some Qwest services that are vulnerable include the following.  1-866-YOU-TELL: Can spoof passing any ANI FAIL and a valid CPN that is chargeable to call domestically and internationally.  1-800-888-7060 and 1-888-700-0400: Both these numbers are the same thing.  They used to bill the CPN anyway but they recently fixed that.  But they still didn't fix the problem when it came to spoofing the Charge Number.

They only fix it when people are spoofing Caller ID.  These will only allow you to call domestically and will bill the (billable) CPN you spoofed to it from the crossing platforms method.  To call internationally off these you have to use another method: matching an ANI FAIL's NPA to the NPA of the Charge Number.  This method you could even spoof to the 1-800-862-4622, which was pretty crazy.

Think of it like this.  The systems are already designed to distinguish the ANI from the CPN.  However, when you cross platforms with a fail as the ANI and set your CPN, then the receiving systems don't see the fail, only the ten-digit number that passed and that becomes the "Phantom ANI."

When you match the ANI FAIL's NPA to the CPN's NPA then that becomes the actual ANI.  Even though the call was never originated from the number you chose, the receiving systems will place the CPN into the ANI fields and also the Charge Number field as well.

To test this, just spoof regular Caller ID to 1-800-CALL-ATT with a provider that passes an ANI FAIL behind your CPN and you will get the prompt: "AT&T, can I have the number you're calling from, please?"  (The ANI they received was a fail.)  Now find out what your provider is passing as the ANI in the ANI FAIL and match it.  Let's say it was 517.  Set your CPN to 517-XXX-1337, call the same number again, and you won't get intercepted like you did before.  You'll get them as though you had dialed from a regular PSTN phone.

Crazy, huh?  Something to remember when spoofing: it matters who your provider uses for their backbone services and who the service provider is that hands off the calls to the terminating number.

When I did the whole test on spoofing the Charge Number, I made the charges to my house phone so that I wouldn't be charging up some poor noob's bill.  This wasn't intended to be put out there for people to start charging other people's lines either.

That's just plain stupid and gives you bad karma.  It was put out to show how it works and the great vulnerability going beyond just spoofing Caller ID.  Phreaking isn't getting free phone calls or any of that other shit.  It's finding out how something works and recreating it yourself or making it better or more secure.  But the key is being interested in how things work.  Now, with the knowledge of finding out how shit works comes the ability to place free calls and so on, but those types of decisions are up to the individual, not the phreak scene.

So, in summary this is how it goes: ANI generates the Charge Number, Charge Number generates the Calling Party Number, Calling Party Number generates the Caller ID.  You can change everything except for the ANI.  When you change the Charge Number, the system thinks it's the ANI.  But in the raw data that is being passed through SS7, it will still show the ANI as being a fail.  But the receiving switch would have to be in debug mode for that to even be seen.
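
The billing decision described above, seen from the receiving side, as an added example that is not part of the original article or any carrier's code. It is a simplified model: the record fields (call_id, ani, cpn, charge) are hypothetical, the sample records are constructed, and the audit assumes the raw ANI field is available to it.

```python
import re

TEN_DIGIT = re.compile(r"\d{10}")
NPA_ONLY = re.compile(r"\d{3}")   # per the article, an ANI FAIL is a bare three-digit NPA

def is_ani_fail(ani):
    return NPA_ONLY.fullmatch(ani or "") is not None

def naive_charge_number(ani, cpn):
    """Weak rule the article describes: no ten-digit ANI, so the CPN gets billed."""
    if TEN_DIGIT.fullmatch(ani or ""):
        return ani
    return cpn if TEN_DIGIT.fullmatch(cpn or "") else None

def hardened_charge_number(ani, cpn):
    """Bill only a full ten-digit ANI; never promote the caller-supplied CPN.
    None means: intercept the call and ask for the billing number."""
    return ani if TEN_DIGIT.fullmatch(ani or "") else None

def audit(records):
    """Flag calls that were billed to the CPN although the raw ANI was a fail."""
    findings = []
    for r in records:
        if is_ani_fail(r["ani"]) and r["charge"] and r["charge"] == r["cpn"]:
            kind = "npa_match" if r["cpn"][:3] == r["ani"] else "npa_mismatch"
            findings.append((r["call_id"], kind))
    return findings

# Constructed sample records (555-01xx numbers are fictional).
SAMPLE = [
    {"call_id": "c1", "ani": "5175550100", "cpn": "5175550100", "charge": "5175550100"},
    {"call_id": "c2", "ani": "312", "cpn": "5175550100", "charge": "5175550100"},
    {"call_id": "c3", "ani": "517", "cpn": "5175550100", "charge": "5175550100"},
    {"call_id": "c4", "ani": "517", "cpn": "5175550100", "charge": None},
]

if __name__ == "__main__":
    for call_id, kind in audit(SAMPLE):
        print(call_id, kind)
```
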

