GRAND RAPIDS – Part of the technical security chatter among InfraGard Presidents in January was a reference to someone spoofing a company's caller phone ID. While the incident was not used for a phishing scam, concern was expressed that a hacker could adopt the technique to dupe some unsuspecting soul out of precious private information, such as bank account numbers. If the recipient of the call thought he was receiving a call from his own bank, why wouldn't he give the scam artist his sensitive information?

The actual exploit happened to one of InfraGard's Atlanta members and went something like this: A person received a telephone call of an undesirable nature at their residence. The person made note of the Caller ID number displayed. When the call was researched, it was determined that the call did not originate from the business telephone indicated by the Caller ID.

It appears that someone managed to successfully spoof a valid phone number so that it would display on the recipient’s caller ID system. In this case it was used to deliver a threat, but it could also be used successfully to solicit information. If the recipient of the call believed they were speaking to, say, their corporate office or their financial institution, it could lead to some real problems in terms of compromised security.

This tactic may be an isolated issue, but it could also be an emerging trend to get around telemarketing guidelines, or become an effective tool in delivering threats or in social engineering of information from unsuspecting victims.

One of MI InfraGard's Board Members (Tony Robinson of Pioneer Technology, www.pioneertechnology.com) points out three possible explanations of how such spoofing could occur:

Compromise of a PBX system via easy passwords: once it is compromised, the perp then uses the PBX system as their private call center until someone notices the larger than usual phone bill (which takes a while in large corporations).

Hack the PBX (assuming no clean way in via default passwords): once in, the hacker would set up one of the extensions via a call forwarding scheme, allowing it to be used (and obscured) in the midst of the internal switching on a company's trunk/T1 lines. This allows the hacker to have a call hit the extension in the corporation and then be forwarded out (allowing one to dial out to another number).

Utilize Voice over IP (VoIP): With services like Vonage and other home-grown VoIP telco services, I can have a number assigned within a block of numbers in any area of the country. My offices in Michigan (616-555-0000) could all access a number within the area of Ft. Meade, MD, in and around the block of numbers assigned to the NSA (or DOD, etc…). An initial look-see without careful forensic examination could cause someone to believe that the NSA was calling (or GM, or Boeing, or your mother-in-law, …).

Upon further investigation, it was found that there are actually some commercial sites that promote a service allowing participants to spoof their telephone ID numbers. A user types in their phone number, the number they wish to call, and the number they’d like to wear as a disguise. The system instantly dials back and patches the call through with the properly forged caller I.D.

The service is being pitched to law enforcement and debt collectors. Caller ID spoofing has been around for many years, but up until now the technology needed to launch such an exploit was quite costly. With the advent of VoIP and the price of communication equipment dropping significantly, the "tools" are now much more available.

Bottom Line: Be careful who you give out information to over the phone. Just because it says "My Bank" in the caller ID slot doesn't mean you should turn over anything sensitive to the caller. Remember, most financial institutions are very cautious about asking for sensitive information over the phone. If you can't verify the source of the call, FOR CERTAIN, get the contact's number and extension, hang up and call them back. If there's any push back from the caller, you probably shouldn't be talking to the person on the other end of the line.

This article was written by Larry Shattuck, Midwest Regional Council, InfraGard. InfraGard members are solely responsible for the content of their articles. Nothing in this publication necessarily expresses the views of Michigan InfraGard or any federal agency.