Caller-ID Spoofing? There’s an App for that!
I recently received correspondence from individuals that I did not communicate with and quickly determined that an unknown party has been spoofing my phone number. Between 2006 and 2007, I did some work for a small, local CLEC that had a CLASS 5 switch in St. Petersburg. They had redundant SS7 (Signaling System #7) A-Links to Verisign’s nationwide SS7 network, interconnecting to Verizon and MCI switches.
In the network, it was trivial to spoof Caller-ID for both phone calls and SMS messaging. The network did not sanitize Caller-ID from client VoIP networks, so spoofing could occur from their customers’ VoIP PBX systems (Asterisk, etc.). The FCC did issue a recommendation for all Carriers to stop allowing spoofed Caller-ID from telemarketing companies, but problems persisted, mostly from Canadian Call-Centers.
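The missing sanitization step described above can be sketched as an ingress check on a customer trunk. This is an added example, not code from the original post or from any carrier: the trunk name, the DID table and the pass/rewrite/reject policy are assumptions, and only the SIP `From` and `P-Asserted-Identity` headers are standard.

```python
import re

# Constructed data: DIDs assigned to each customer trunk (hypothetical names).
TRUNK_DIDS = {"trunk-acme": {"+17275550100", "+17275550101"}}
TRUNK_DEFAULT = {"trunk-acme": "+17275550100"}

# User part of a sip:, sips: or tel: URI inside a header value.
_URI_USER = re.compile(r"(?:sips?|tel):([^@;>\s]+)", re.IGNORECASE)

def normalize(number, default_cc="1"):
    """Reduce a presented number to E.164, or None if it is unusable."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+"):
        digits = digits[1:]
    elif len(digits) == 10:  # NANP national format, assume country code 1
        digits = default_cc + digits
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return "+" + digits

def presented_numbers(invite):
    """Collect caller identities from From and P-Asserted-Identity headers."""
    found = {}
    for line in invite.splitlines():
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in ("from", "f", "p-asserted-identity"):
            match = _URI_USER.search(value)
            found[key] = normalize(match.group(1)) if match else None
    return found

def screen(trunk, invite):
    """Pass the call only if every presented identity is a DID assigned to
    the trunk; otherwise overwrite Caller-ID with the trunk's default."""
    if trunk not in TRUNK_DIDS:
        return ("reject", None)
    ids = presented_numbers(invite)
    if ids and all(n in TRUNK_DIDS[trunk] for n in ids.values()):
        return ("pass", ids.get("p-asserted-identity") or next(iter(ids.values())))
    return ("rewrite", TRUNK_DEFAULT[trunk])

# Constructed sample INVITEs (fictional 555-01xx numbers and example domains).
LEGIT = ('INVITE sip:+18135550123@carrier.example SIP/2.0\r\n'
         'From: "Front Desk" <sip:7275550101@pbx.example>;tag=a1\r\n')
SPOOFED = ('INVITE sip:+18135550123@carrier.example SIP/2.0\r\n'
           'From: "Front Desk" <sip:7275550101@pbx.example>;tag=b2\r\n'
           'P-Asserted-Identity: <sip:+12025550143@pbx.example>\r\n')

if __name__ == "__main__":
    print(screen("trunk-acme", LEGIT), screen("trunk-acme", SPOOFED))
```

The second sample shows why both headers are checked: a `From` that belongs to the trunk does not help if the asserted identity carried alongside it does not.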
Eventually, SS7 queries were offered over TCP/IP services with simple source-IP Access Controls, and even free PBX systems, like Asterisk, provided SS7 interconnection modules. There has been a push worldwide to encrypt these connections, but SS7-based spoofing continues today and is especially prevalent in Europe and in other countries within the “1” Country Code (the Caribbean countries).
As a point of note, a standard database interrogatory is called a “query”, a blockchain query is called “mining”, and an SS7 query is called a “dip”. There is an amazing amount of metadata associated with SS7 phone number dips, including Name and Address information of anyone that has ever used a particular number; it’s downright scary.
Subsequent legislation was passed and is detailed in a FAQ from the FCC, the text of which can be found here. Even Lifehacker has a post about spoofing. The legislation is defined in 2009’s “Truth in Caller-ID Act” and states that such spoofing is not illegal except where there is intent to defraud, cause harm, or wrongly obtain anything of value.
It turns out that doctors are the #1 users of Caller-ID spoofing services, followed by Law Enforcement Officers. Some sites that can assist you with spoofing are:
- https://www.spooftel.com/
- https://www.spoofcard.com/?SSAID=314743
- http://bluffmycall.com/
- There is also prankdial.com and a companion Android App, Evil Operator, which seems good for spoofing SMS messages.