Call spoofing

10 Posts
4 Users
0 Likes
1,329 Views
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Hello honored colleagues,

I have a case involving possible "call spoofing", which is being described to me as the following:

One of the two individuals I am working for is receiving "spoofed" phone calls from the other individual I am working for. Each individual claims that they did not make the "spoofed" phone calls. My two clients believe the "spoofed" calls are being sent by a third party respondent (who will be the subject of a protective order).

My plan is to forensically collect each phone (one is a Nokia Windows phone (model currently unknown) and the other is an iPhone 5c) and then analyze each to hopefully identify "spoofing" software if such software does exist.

* Can anyone please point me in the direction of known "spoofing" applications I might look for?

* Any insight into what call "spoofing" is from a technology/technique standpoint would be appreciated.

Please feel free to email/PM me privately if you would prefer not to create a public list of "spoofing" applications/methodologies that could be used by future miscreants.

Larry

 
Posted : 27/03/2015 9:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am not sure to get it.
You believe that some spoof ID software has been installed on the recipients' phones?
AFAIK the spoofing is initiated/performed/whatever on the caller side, be it a software/app or an online service.

jaclaz

 
Posted : 27/03/2015 9:45 pm
(@trewmte)
Posts: 1877
Noble Member
 

In addition to the comments above, have a look here:

http://en.wikipedia.org/wiki/Caller_ID_spoofing

 
Posted : 27/03/2015 9:55 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

This is very helpful.

What your research link shows, I believe, is that a "spoofed" call is more likely to originate from a 3rd party system such as VOIP.

So, my assumption that a third party could install an application on an unsuspecting person's smartphone to then cause the unsuspecting person's phone to make calls is incorrect?

It makes much more sense that "spoofed" calls originated from neither of my clients' phones but rather from a separate system. The third party respondent would know my clients' phone numbers, so to the extent they could program their "spoofing" application to appear as one of my clients' phone numbers would explain the situation.

Assuming a separate-from-my-clients' devices spoofing system is being used by the 3rd party, is there any information that can be recovered from call records on my clients' devices that could reveal a "spoofed" call versus a call from one of my clients' actual devices?

For example, emails can have header information that I can use to trace back the original sender information.

A long shot, but I am guessing call records stored on smartphones only record the incoming phone number (date, time and duration as well), but no other data that could indicate a "spoofed" call?

 
Posted : 27/03/2015 10:47 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I see Call ID spoofing as exactly the same as using a fake ID.

Someone knocks on your door wearing (say) a police uniform and showing you a (fake) badge/ID card.

Everything comes from the outside and it is represented to you in a deceiving manner, you have no fault.

The issue here is that - even if you can seize/inspect ALL electronic devices in the suspect's possession - you might well find no traces of such spoofed ID calls as besides some "apps", there are ONLINE services that do this and that could have been accessed from (say) a public Library or Internet Café, see
http://lifehacker.com/5853056/how-to-spoof-caller-id
so you might need to (say) trace the subscription to one of these services (if any), etc.

And (JFYI) if the spoofing was not part of other crimes, it seems like being a criminal issue, but only an administrative one
http://www.fcc.gov/guides/caller-id-and-spoofing

jaclaz

 
Posted : 27/03/2015 11:04 pm
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

OK, so a client received a "Spoofed" call. I just want to make sure we are not talking about threatening or harassing calls from an unknown burner number?

I am assuming that we are talking about a client receiving a call on their Mobile and the Caller ID displayed on the device indicated that another party, whose information was programmed into their contact list, was the calling party?

Just for starters, I would assume that the "other party" may be saying your client called them as well? If so at what time were those calls made and what access to devices and or Wi-fi did your client have access to at the time of the alleged offenses? Would they provide those records to you on consent?

Just out of curiosity did they both receive the calls simultaneously?

Several of the more popular Spoofing companies that operate in the U.S. are located in NJ. They are Teltech Systems and BSD Telecom. If it were me and I were conducting a criminal investigation I would contact them by email and see if either target number was contacted through their site.

Another popular site on the net is prankowl.com. The site has an email contact. You might consider reaching out to this individual through email and run your target numbers?
I think this site is run out of a guy's house, but I do know someone locally that has gotten records from him.

Another option might be to contact their provider and have them try a reverse. The signal to call your client entered the system somewhere. They may be able to trace that back and supply another number or IP address of the up link carrier of that signal.

 
Posted : 28/03/2015 1:27 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

hcso1510,

Please see my responses to your questions below:

1Q "OK, so a client received a "Spoofed" call. I just want to make sure we are not talking about threatening or harassing calls from an unknown burner number? I am assuming that we are talking about a client receiving a call on their Mobile and the Caller ID displayed on the device indicated that another party, whose information was programmed into their contact list, was the calling party?"

1A The respondent in this case was described to be a private sector IT/Telephony expert who happens to consult for LE. The respondent is alleged to be harassing and stalking my client. One part (not all) of the alleged harassment is "spoofed" calls that the claimant and the claimant's relative are receiving, or at least believe they are receiving. In other words, the claimant's relative is receiving calls from the claimant that the claimant is not placing. This is one reason I thought to image both claimant and claimant's relative's phones to compare call records (to see if they match up perfectly or not). I was hoping to see if the "spoofed" calls might jump out from differences in the two phones' call records.

2Q "Just for starters, I would assume that the "other party" may be saying your client called them as well? If so at what time were those calls made and what access to devices and or Wi-fi did your client have access to at the time of the alleged offenses? Would they provide those records to you on consent?"

2A I have not been made privy to any responses by the respondent. I have not imaged my clients' phones yet, so I cannot answer your questions about Wi-fi. My clients are making their phones and PCs available for preservation and analysis.

3Q "Just out of curiosity did they both receive the calls simultaneously?"

3A I will not know until I collect both phones and can compare Call Detail Records.

4Q "Several of the more popular Spoofing companies that operate in the U.S. are located in NJ. They are Teltech Systems and BSD Telecom. If it were me and I were conducting a criminal investigation I would contact them by email and see if either target number was contacted through their site."

4A I only work in civil litigation and this particular case (Domestic Violence Court) is for my Pro Bono practice. I am hoping to find some LE professionals who will be kind enough to educate me as to what standards and/or tests they use to evaluate their own cases. For example, I would like to know what type(s) of evidence I should make LE aware of if I come across it, so I am not wasting their time in each case I handle. I have been told that threats of physical violence are sufficient for LE to act, but I am hoping to learn if there are other types/levels of evidence that would also be "actionable" (what constitutes harassment for example). I would appreciate any links to statutes, or articles describing presiding case law in this area.

5Q "Another popular site on the net is prankowl.com. The site has an email contact. You might consider reaching out to this individual through email and run your target numbers?
I think this site is run out of a guy's house, but I do know someone locally that has gotten records from him."

5A Do you mean my clients' phone numbers as "target numbers"?

6Q "Another option might be to contact their provider and have them try a reverse. The signal to call your client entered the system somewhere. They may be able to trace that back and supply another number or IP address of the up link carrier of that signal."

6A Very helpful. I had never heard of a "reverse" but your suggestion makes sense.

THANKS!!!!!!!

Larry

 
Posted : 28/03/2015 2:16 am
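The call-record comparison described in the post above (incoming calls on the recipient's phone checked against outgoing calls on the purported caller's phone), as an added example that is not part of the original thread. The record layout, field names and phone numbers are constructed assumptions, not the output format of any particular extraction tool.

```python
from datetime import datetime, timedelta

# Constructed sample records (not case data); numbers use the fictional 555-01xx range.
CLAIMANT = "+13125550101"
RELATIVE = "+13125550102"

relative_incoming = [  # call log extracted from the recipient's phone
    {"number": CLAIMANT, "time": "2015-03-20 09:15:02", "duration": 64},
    {"number": CLAIMANT, "time": "2015-03-21 22:41:10", "duration": 0},
    {"number": CLAIMANT, "time": "2015-03-22 03:05:47", "duration": 0},
]
claimant_outgoing = [  # call log extracted from the purported caller's phone
    {"number": RELATIVE, "time": "2015-03-20 09:14:40", "duration": 66},
]

def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")

def unmatched_incoming(incoming, outgoing, caller, callee, skew_seconds=120):
    """Return incoming records displayed as coming from `caller` that have no
    outgoing record to `callee` on the caller's phone within the clock-skew
    window. Each outgoing record can account for only one incoming record."""
    skew = timedelta(seconds=skew_seconds)
    candidates = [o for o in outgoing if o["number"] == callee]
    used = set()
    flagged = []
    for rec in sorted((i for i in incoming if i["number"] == caller), key=_ts):
        match = None
        for idx, out in enumerate(candidates):
            if idx not in used and abs(_ts(out) - _ts(rec)) <= skew:
                match = idx
                break
        if match is None:
            flagged.append(rec)   # displayed caller ID has no origin on that handset
        else:
            used.add(match)
    return flagged

if __name__ == "__main__":
    for rec in unmatched_incoming(relative_incoming, claimant_outgoing,
                                  CLAIMANT, RELATIVE):
        print("no matching outgoing record:", rec["time"], "duration", rec["duration"])
```

An unmatched record is a lead rather than proof, since handset call logs can be edited or deleted; carrier records for both numbers are the corroborating source.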
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Jaclaz,

Now your comments make sense:

"I am not sure to get it. You believe that some spoof ID software has been installed on the recipients' phones? AFAIK the spoofing is initiated/performed/whatever on the caller side, be it a software/app or an online service."

For some reason (probably because this is my first time dealing with "spoofing") I thought there might be an "MSPY" (www.mspy.com) type spyware that, once installed on the victim's phone could cause, or spoof, the victim's phones to dial call list numbers (and perhaps immediately hang-up so no call duration).

What you are saying is that there is no need to remotely control someone else's phone to "spoof" calls?

So a potential miscreant could either (1) pay for a 3rd party online service (and leave a record of that purchase), or (2) install a "spoof" call capable application onto his/her own phone (and then initiate "spoof" calls.)?

 
Posted : 28/03/2015 3:37 am
(@trewmte)
Posts: 1877
Noble Member
 

Depending upon the nature of the spoofing can you prove harm has been caused - as in the US, the courts have ruled that “non-harmful spoofing” is fine.

Some useful research:

'Truth in Caller ID Act of 2009'
http://www.gpo.gov/fdsys/pkg/BILLS-111s30enr/pdf/BILLS-111s30enr.pdf

US Court Ruling
http://www.ca5.uscourts.gov/opinions%5Cpub%5C12/12-60027-CV0.wpd.pdf

IETF STIR Threats
http://tools.ietf.org/pdf/draft-ietf-stir-threats-00.pdf

 
Posted : 28/03/2015 1:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"What you are saying is that there is no need to remotely control someone else's phone to "spoof" calls?

So a potential miscreant could either (1) pay for a 3rd party online service (and leave a record of that purchase), or (2) install a "spoof" call capable application onto his/her own phone (and then initiate "spoof" calls.)?"

Yep, that's exactly the idea behind spoofing caller ID. If you are more familiar with PCs, there are similarities with other kinds of spoofing, like MAC spoofing
http://en.wikipedia.org/wiki/MAC_spoofing
or IP spoofing
http://en.wikipedia.org/wiki/IP_address_spoofing
but the idea is always the same, i.e. to "misrepresent one's identity or provenance".

jaclaz

 
Posted : 28/03/2015 1:48 pm