The aim of this post is to share tools Social Engineers can use to include vishing in their engagements, and to make the rest of the world aware of just how simple and easy it is to spoof someone's Caller ID, so you can raise your healthy paranoia levels when receiving a call.
This is something I looked into many years ago when I first started doing Social Engineering, but there still doesn't seem to be anywhere that gathers the information centrally, which is perhaps why not many people include this element in engagements.
Also, before conducting any sort of caller ID spoofing, please make sure you are aware of the legalities of where you are placing the call from and to. It can be hard to fully understand the legal position, as not all countries have things clearly defined (unlike the 2009 Truth in Caller ID Act in the USA), but in general you are on safer ground if you have approval from the owner of the number and are not looking to defraud, cause purposeful harm or wrongfully obtain information. So in terms of Social Engineering engagements, make sure these things are covered in the approved objectives and, as always, signed off by someone with the right authority to approve them.
In the video below I provide a quick demo of a couple of these tools in action and speak briefly about what you can do to minimise the effects of caller ID spoofing and avoid becoming a victim of this sort of attack. When using a VoIP service to conduct this sort of work, make sure you understand the terms of service and check whether spoofing the caller ID would put you in breach of them. I recommend you simply call the provider and have a professional discussion with them; they may require a letter from your company confirming your actions, after which you can proceed without concern.
Tools List: (this will be added to over time)
- Spoof Card – https://www.spoofcard.com/
- Bluff My Call – http://bluffmycall.com/
- Crazy Call – http://crazycall.net/
- Caller ID Faker – http://calleridfaker.com/
- SpoofTel – https://www.spooftel.com/
Please add recommendations for other caller ID spoofing tools in the comments!
What can you do to minimise the impact of caller ID spoofing?
First of all, just being aware that someone can spoof the caller ID shown on your phone is a great start to exercising your healthy paranoia. The displayed number is not authentication: the caller chose it. So when you get a call from a "known number" and information is being asked for, just let them know you are busy right now but will call them back, and call back on a number that you "know" to be correct, obtained independently (for example from the back of your card or the organisation's official website) rather than from the caller. You can also Google (other search engines are available) the number if it is not known to you and see whether there is a legitimate association with the company, and whether anyone has reported suspicious calls from it. Also, if you use any services that support PINs or other forms of multi-factor authentication, enable them so the system isn't simply using the phone number as authentication. Basically, remember to verify prior to verbosity, and keep things to yourself before you start blabbing all the things 🙂