Docstoc

11- Fake SMS _ Calls

Document Sample
11- Fake SMS _ Calls Powered By Docstoc
					                              FAKE SMS & CALLS

SMS spoofing is a relatively new technology which uses the short message service
(SMS), available on most mobile phones and personal digital assistants, to set who the
message appears to come from by replacing the originating mobile number (Sender ID)
with alphanumeric text. Spoofing has both legitimate uses (setting the company name
from which the message is being sent, setting your own mobile number, or a product
name) and illegitimate uses (such as impersonating another person, company, product).


1.    HOW SMS SPOOFING IS CARRIED OUT?
SMS Spoofing occurs when a sender manipulates address information. Often it is done
in order to impersonate a user that has roamed onto a foreign network and is
submitting messages to the home network. Frequently, these messages are addressed to
destinations outside the home network – with the home SMSC essentially being
“hijacked” to send messages into other networks.
      The impact of this activity is threefold:
     1. The home network can incur termination charges caused by the delivery of these
        messages to interconnect partners. This is a quantifiable revenue leakage.
     2. These messages can be of concern to interconnect partners. Their customers may
        complain about being spammed, or the content of the messages may be
        politically sensitive. Interconnect partners may threaten to cut off the home
        network unless a remedy is implemented. Home subscribers will be unable to
        send messages into these networks.
     3. While fraudsters normally used spoofed-identities to send messages, there is a
        risk that these identities may match those of real home subscribers. The risk
        therefore emerges, that genuine subscribers may be billed for roaming messages
        they did not send. If this situation occurs, the integrity of the home operator’s
        billing process may be compromised, with potentially huge impact on the brand.
        This is a major churn risk.
      The legitimate use cases for SMS spoofing include:
     1. A sender transmits an SMS message from an online computer network for lower
        more competitive pricing, and for the ease of data entry from a full size console.
        They must spoof their own number in order to properly identify themselves.
     2. A sender does not have a mobile phone, and they need to send an SMS from a
        number that they have provided the receiver in advance as a means to activate
        an account.


                                              1
     3. A sender adopts the default network gateway identifier provided by an online
        service, in order to send an anonymous sms, rather than specifying a number of
        their own choosing.
      An SMS Spoofing attack is often first detected by an increase in the number of SMS
errors encountered during a bill-run. These errors are caused by the spoofed subscriber
identities. Operators can respond by blocking different source addresses in their
Gateway-MSCs, but fraudsters can change addresses easily to by-pass these measures.
If fraudsters move to using source addresses at a major interconnect partner, it may
become unfeasible to block these addresses, due to the potential impact on normal
interconnect services.

1.1.    Legality
In 2007, The UK premium rate regulator, PhonepayPlus (formerly ICSTIS) concluded a
public consultation on anonymous SMS, in which they stated they were not averse to
the operation of such services. However, from 2008 PhonePayPlus are introducing new
regulation covering anonymous SMS which will require anonymous SMS service
providers to send a follow-up message to the recipient stating that a spoofed SMS has
been sent to them, and operate a complaints helpline. It is illegal in Australia.


2.     PROTECTING USERS FROM SMS SPOOFING
If a user can prove that their SMS sessions have been spoofed, they should contact both
law enforcement and their cellular provider, who should be able to track where the SMS
messages were actually sent from. A user may also modify the phone's settings so that
only messages from authorized numbers are allowed. This is not always effective since
hackers could be impersonating the user's friends as well.

2.1.    Examples of SMS Spoofing
        Messages sent from Google are sent with the Sender ID "Google".
        Skype sends messages from its users with the mobile number they registered
        with. Note that when a user attempts to "reply" to the SMS, the local system may
        or may not allow the replying message to be sent through to the spoofed
        "origin.”
        A user who does not have a mobile phone attempts to sign up for a Foxytag
        account, which requires an SMS from a phone number that the user registers
        with. A dynamically assigned number from an anonymous SMS service will not
        work because the user is not given the dynamic number in advance to register
        with.
     The Asian School of Cyber Laws (Pune) recently conducted experiments in SMS
spoofing at the national and international level. They were able to successfully spoof
SMS messages and make them appear to come from other people's cellular phones.

                                            2
These people were using GSM based cellular phone services in various parts of India
and other Asian as well as African countries.
     Nitesh Dhanjani discovered a security vulnerability when sending a spoofed SMS
message to Twitter. Twitter used the SMS originator to authenticate the user. Nitesh
used hoaxMail to spoof the SMS message and therefore could trick Twitter to post the
message on the victim's Twitter page.
     At the moment there are many websites offering the service to send spoofed text
messages. Examples of capabilities and information about the legal rules can be found
in the terms and conditions (eg. SMS Spoofing Terms ). You will find answers to
frequently asked questions, whether it is legal, how it works, etc.

2.2.     Call/Caller-id Spoofing
Caller ID spoofing is the practice of causing the telephone network to display a number
on the recipient's Caller ID display that is not that of the actual originating station. The
term is commonly used to describe situations in which the motivation is considered
malicious by the speaker or writer. Just as e-mail spoofing can make it appear that a
message came from any e-mail address the sender chooses, Caller ID spoofing can make
a call appear to have come from any phone number the caller wishes. Because of the
high trust people tend to have in the Caller ID system, spoofing can call the system's
value into question.

2.2.1.    Providers
To use a typical spoofing service, customers pay in advance for a personal identification
number (PIN), allowing them to make a call for a certain amount of time. To begin,
customers dial the number given to them by the company and enter their PIN. Then
they enter the number they wish to call and the number they wish to appear as the
Caller ID. Once the customer selects these options, the call is bridged or transferred and
the person on the other end receives the customer's call. Assuming Caller ID is used on
the receiving end, the receiver would normally assume the call was coming from a
different phone number — the spoofed number chosen by the caller — thus tricking the
receiver into thinking the call was coming from a different individual or organization
than the caller's. Most providers work similarly to a prepaid calling card.
      The above method is a bit complex; many Caller ID spoofing service providers also
allow customers to initiate spoofed calls from a Web-based interface. Some providers
allow entering the name to display along with the spoofed Caller ID number, but in
most parts of the United States, for example, whatever name the local phone company
has associated with the spoofed Caller ID number is the name that shows up on the
Caller ID display. In other words, the name is not derived from the phone network;
instead the originating number is looked up in a database, often over the Internet, and
that name is used instead.



                                             3
     Using a Web-based spoofing service involves creating an account with a provider,
logging in to their Website and completing a form. Most companies require the
following basic fields:
   1. source number
   2. destination number
   3. Caller ID number
      When the user completes this form and clicks a button to initiate the call, the
source number is first called. When the source number line is answered, the destination
is then called and bridged together.
    Some providers also offer the ability to record calls, change the voice and send text
messages.
    Other popular methods by companies include displaying only a geographic name
on the caller ID readout, e.g., "ARIZONA", "CALIFORNIA", "OREGON", or
"ONTARIO".

2.2.2.   Technology and Methods
Caller ID is spoofed through a variety of methods and different technology. The most
popular ways of spoofing Caller ID are through the use of VoIP or PRI lines.
     Another method of spoofing is that of emulating the Bell 202 FSK signal. This
method, informally called orange boxing, uses software that generates the audio signal
which is then coupled to the telephone line during the call. The object is to deceive the
called party into thinking that there is an incoming call waiting call from the spoofed
number, when in fact there is no new incoming call. This technique often also involves
an accomplice who may provide a secondary voice to complete the illusion of a call-
waiting call. Because the orange box cannot truly spoof incoming caller ID prior to
answer and relies to a certain extent on the guile of the caller, it is considered as much a
social engineering technique as a technical hack.
     Other methods include switch access to the Signaling System 7 network and social
engineering telephone company operators, who place calls for you from the desired
phone number.
     In the past, Caller ID spoofing required an advanced knowledge of telephony
equipment that could be quite expensive. However, with open source software (such as
Asterisk or FreeSWITCH, and almost any VoIP company), one can spoof calls with
minimal costs and effort.

2.2.3.   Legislation in the United States
On April 6, 2006, Congressmen Eliot Engel (D-NY) and Joe Barton (R-TX) introduced
H.R. 5126, a bill that would have made caller ID spoofing a crime. Dubbed the "Truth in
Caller ID Act of 2007", the bill would have outlawed causing "any caller identification
service to transmit misleading or inaccurate caller identification information" via "any

                                             4
telecommunications service or IP-enabled voice service." Law enforcement was
exempted from the rule. Three weeks later, an identical bill was introduced in the
Senate. On June 6, 2006, the House of Representatives passed the Truth in Caller ID Act,
although no Senate action was taken on either the House or Senate bill. At the end of
the 109th Congress, the bill expired (all pending legislation not voted into law at the
end of the House term, a.k.a. end of a session of Congress, is dead).
      On January 5, 2007, Congressman Engel introduced H.R. 251, and Senator Bill
Nelson (D-FL) introduced a similar bill (S.704) two months later. On June 27, 2007, the
United States Senate Committee on Commerce, Science and Transportation approved
and submitted to the Senate calendar S.704, a bill that would have made caller ID
spoofing a crime. Dubbed the "Truth in Caller ID Act of 2007", the bill would have
outlawed causing "any caller identification service to transmit misleading or inaccurate
caller identification information" via "any telecommunications service or IP-enabled
voice service." Law enforcement was exempted from the rule. Engel's bill passed in the
House of Representatives. Nelson's bill was referred to the same Senate committee that
approved S.704. The Senate again passed neither version of the legislation.
      In the 111th Congress, Congressman Engel and Senator Nelson once again
introduced similar versions of the Caller ID legislation, H.R. 1258. The bill was
reintroduced in the Senate on January 7, 2009, as S.30, the Truth in Caller ID Act of 2009,
and referred to the same committee The Senate and the House both passed their
respective versions of the legislation, but on December 15, 2010 the House passed S.30
and sent the legislation to the President for a signature. On December 22, 2010,
President Obama signed the bill into law.
      Under the bill, which also targets VOIP services, it becomes illegal "to cause any
caller identification service to knowingly transmit misleading or inaccurate caller
identification information with the intent to defraud, cause harm, or wrongfully obtain
anything of value...." Forfeiture penalties or criminal fines of up to $10,000 per violation
(not to exceed $1,000,000) could be imposed. The bill maintains an exemption for
blocking one's own outgoing caller ID information, and law enforcement isn't affected.

2.2.4.   History
Caller ID spoofing has been available for years to people with a specialized digital
connection to the telephone company, called an ISDN PRI circuit. Collection agencies,
law-enforcement officials, and private investigators have used the practice, with
varying degrees of legality.
     The first mainstream Caller ID spoofing service, Star38.com, was launched in
September 2004. Star38.com was the first service to allow spoofed calls to be placed
from a web interface. It stopped offering service in 2005, as a handful of similar sites
were launched.
     In August 2006, Paris Hilton was accused of using caller ID spoofing to break into
a voicemail system that used caller ID for authentication. Caller ID spoofing also has

                                             5
been used in purchase scams on web sites such as Craigslist and eBay. The scamming
caller claims to be calling from Canada into the U.S. with a legitimate interest in
purchasing advertised items. Often the sellers are asked for personal information such
as a copy of a registration title, etc., before the (scamming) purchaser invests the time
and effort to come see the for-sale items. In the 2010 election, fake caller IDs of
ambulance companies and hospitals were used in Missouri to get potential voters to
answer the phone. In 2009, a vindictive Brooklyn wife spoofed the doctor’s office of her
husband’s lover in an attempt to trick the other woman into taking medication which
would make her miscarry.
      Frequently, caller ID spoofing is used for prank calls. For example, someone might
call a friend and arrange for "The White House" to appear on the recipient's caller
display. In December 2007, a hacker used a Caller ID spoofing service and was arrested
for sending a SWAT team to a house of an unsuspecting victim. In February 2008, a
Collegeville, Pennsylvania man was arrested for making threatening phone calls to
women and having their home numbers appear "on their caller ID to make it look like
the call was coming from inside the house." Some companies even feature voice
changing and call recording features.
     In March 2008, several residents in Wilmington, Delaware reported receiving
telemarketing calls during the early morning hours, when the caller had apparently
spoofed the Caller ID to evoke the 1982 Tommy Tutone song 867-5309/Jenny.

2.2.5.   Valid Reasons to Spoof Caller ID
There are legitimate reasons for modifying the caller ID sent with a call.
   1. Calls from a large company, especially with multiple branches, where sending
      the main number makes sense. For example, a hospital might have the primary
      number 555-1000, with perhaps 250 lines inside the main building, and another
      100 at the clinic five miles away. While some of the phones will have "555-10XX"
      numbers, many won't have any identifiable line. Having all calls "come from"
      555-1000 lets the recipients know it's a hospital call.
   2. Commercial answering-service bureaus which forward calls back out to a
      subscriber's cell phone, when both parties would prefer the Caller ID to display
      the original caller's information.
   3. Most calling-card companies display the Caller ID of the calling-card user to the
      called party.
   4. Business owners have been known to use Caller ID spoofing to display their
      business number on the Caller ID display when calling from outside the office
      (for example, on a mobile phone).
   5. Skype users can assign a Caller ID number in order to prevent their Skype-Out
      calls being screened by the called party (the default Skype Caller ID in the USA is
      0000123456).


                                             6
  6. Google Voice displays its users' Google Voice number when they place calls
     through the service using their landline or cell phone.
  7. Gizmo5 sends the user's Gizmo5 SIP number as outbound Caller ID on all calls.
     Because Gizmo5 IDs are in the format 747NXXXXXX, it is possible to confuse
     calls made from Gizmo5 with calls made from area code 747.
  8. The New York Times sent the number 111-111-1111 for all calls made from its
     offices until 15 August 2011. The fake number was intended to prevent the
     extensions of its reporters appearing in call logs, and thus protect reporters from
     having to divulge calls made to anonymous sources. The Times abandoned this
     practice because of the proposed changes to the caller ID law, and because many
     companies were blocking calls from the well-known number.



Please follow the demonstration for the Identification of Fake SMS and Call in India




                                          7

				
DOCUMENT INFO
Shared By:
Categories:
Tags: hackingz
Stats:
views:135
posted:1/15/2012
language:English
pages:7
Description: hackingz