Caller-ID Spoofing? There’s an App for that!
I recently received correspondence from individuals that I did not communicate and quickly determined that an unknown party has been spoofing my phone number. Between 2006 and 2007, I did some work for a small, local CLEC that had a CLASS 5 switch in St. Petersburg. They had redundant SS7 (Signaling System #3) A-Links to Verisign’s nationwide SS7 network; interconnecting to Verizon and MCI switches.
In the network, it was trivial to spoof Caller-ID for both phone calls and SMS messaging. The network did not sanitize Caller-ID from client VoIP networks, so spoofing could occur from their customer’s VoIP PBX systems (Asterisk, etc.). The FCC did issue a recommendation for all Carriers to stop allowing spoofed Caller-ID from telemarketing companies but problems persisted, mostly from Canadian Call-Centers.
Eventually, SS7 queries were offered over TCP/IP services with simple source-IP Access Controls and even free PBX systems, like Asterisk, provided SS7 interconnection modules. There has been a push worldwide to encrypt these connections, but SS7-based spoofing continues today, especially prevalent in Europe and other countries within the “1” Country Code (the Caribbean countries).
As a point of note, standard database interrogatory is called a “query“, a blockchain query is called “mining“, and a SS7 query is called a “dip“. There is an amazing amount of metadata associated with SS7 phone number dips, including Name and Address information of anyone that has ever used a particular number; it’s downright scary.
Subsequent legislation was passed and is detailed in a FAQ from the FCC, the text of which can be found here. Even Lifehacker has a post about spoofing. The legislation is defined in 2009’s “Truth in Caller-ID Act” and states that such spoofing is not illegal except where there is intent to defraud, cause harm, or wrongly obtain anything of value.
It turns out that doctors are the #1 users of Caller-ID spoofing services, followed by Law Enforcement Officers. Some sites that can assist you with spoofing are:
- There is also prankdial.com and a companion Android App, Evil Operator, which seems good for spoofing SMS messages.