Man
Professional
- Messages
- 3,218
- Reaction score
- 783
- Points
- 113
Call spoofing is a technique in which an attacker changes the caller ID information to hide their real number or to impersonate someone else (such as a bank, government agency, or acquaintance). It is an illegal practice often used in fraudulent schemes (such as voice phishing or identity theft). Below is a technical explanation of how spoofing works for educational purposes so you can understand the risks and protect yourself.
Example of SIP request:
1. What is SIP?
SIP is a signaling protocol used to establish and manage communication sessions in VoIP networks. It operates on a client-server model and uses text messages (similar to HTTP) to:- Registration of devices on the network.
- Establishing and ending calls.
- Transferring information about session parameters (e.g. audio/video codecs).
Example of SIP request:
HTTP:
INVITE sip:user@example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.100:5060
From: <sip:caller@example.com>
To: <sip:callee@example.com>
Call-ID: 1234567890@example.com
CSeq: 1 INVITE
Content-Type: application/sdp
Content-Length: 142
v=0
o=caller 2890844526 2890844526 IN IP4 192.168.1.100
s=-
c=IN IP4 192.168.1.100
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
2. How does call spoofing work?
Technical background
Modern calls are transmitted via VoIP (Voice over IP) or traditional telephone networks (including SS7). Information about Caller ID (number and name of the subscriber) is transmitted separately from the voice signal, which allows it to be modified. The main methods are:A. Changing SIP Headers (VoIP)
- SIP (Session Initiation Protocol) controls the establishment of VoIP calls. An attacker can forge fields in SIP requests:
- From: Sender's name and number.
- P-Asserted-Identity (PAI): Authenticated identity of the caller.
- Remote-Party-ID (RPID): Additional information about the caller.
- Example:
HTTP:INVITE sip:user@example.com SIP/2.0 From: <sip:+18005551234@example.com> To: <sip:target@example.com>
B. Using VoIP services with spoofing support
- Some legitimate services allow you to specify a custom Caller ID for corporate purposes (for example, to display a single company number). Attackers abuse this:
- SpoofCard (https://www.spoofcard.com): Send calls with a fake number.
- Burner (https://www.burnerapp.com): Temporary numbers for anonymous calls.
- TextNow (https://www.textnow.com): Free calls with the ability to change Caller ID.
C. Software Spoofing Tools
- SIPVicious (https://www.sipcrack.org): A tool for testing VoIP network vulnerabilities, including Caller ID modification.
- Asterisk (https://www.asterisk.org): An open-source PBX system that can be configured by attackers to spoof calls.
- Wireshark + SIP Requests: Manually modify fields in SIP packets to manipulate Caller ID.
D. Manipulation with SS7 (for mobile networks)
- In traditional mobile networks, an attacker can exploit vulnerabilities in the SS7 protocol to change the sender's number data. For example:
- Sending MAP_SEND_ROUTING_INFORMATION command to redirect calls.
- Using tools like SS7 MAP Explorer to change network settings.
F. Voice Templates and AI
- Modern AI models (like Google Duplex) can generate natural speech, making calls more convincing. An attacker can combine Caller ID spoofing with voice synthesis to impersonate bank employees or friends of the victim.
3. Examples of real attacks
Example 1: Tax fraud
- The attacker sends a call with a Caller ID displaying the tax service number.
- Posing as an inspector, he claims the victim owes taxes and threatens arrest if the money is not transferred immediately.
Example 2: Attack on crypto exchange clients
- The attacker calls the owner of the crypto wallet from a number spoofed to look like Binance support.
- Convinces the victim to send a 2FA code to "confirm security", after which he withdraws the cryptocurrency to his wallet.
Example 3: Corporate Spoofing
- The attacker calls a company employee, introducing himself as the director.
- Using a fake internal line number, he asks to urgently transfer money to a "partner account", citing an urgent project.
4. Why is call spoofing dangerous?
- Caller ID Trust:
People tend to trust a number, especially if it matches an official one. - Psychological pressure:
The attacker uses fear (e.g. threats of arrest) or urgency to prevent the victim from verifying the information. - Difficulty of tracking:
VoIP services and anonymous numbers make it difficult to identify the attacker. - Combination with other attacks:
Spoofing is often combined with vishing, SMS phishing or SS7 attacks to increase effectiveness.
5. How to protect yourself from call spoofing?
A. Don't trust Caller ID
- Even if the number looks official, do not give out the details over the phone.
- Call back the official number listed on the company's website or receipt.
B. Check the authenticity
- Ask the caller his name, title and department.
- Let them know that you will call back later to verify the information.
C. Use secure authentication methods
- Ditch SMS codes in favor of hardware tokens (like YubiKey) or authenticator apps (like Google Authenticator).
- Set up two-factor authentication using biometrics or secure keys.
D. Install Call Blocking Tools
- Use spam blocking apps:
- Truecaller (Android/iOS) — identifies suspicious numbers.
- RoboKiller — blocks autodialers and spam.
E. Training and Awareness
- Educate loved ones (especially older ones) about the risks of spoofing.
- Conduct social engineering training (e.g. attack simulations) in companies.
F. Use STIR/SHAKEN
- These call authentication standards (implemented in some countries) encrypt Caller ID data to prevent it from being spoofed.
- Check with your carrier to see if they support STIR/SHAKEN.
6. Legal consequences
Call spoofing violates the laws of many countries:- USA: Truth in Caller ID Act (fines up to $10,000 per violation).
- Russia: Article 138 of the Criminal Code of the Russian Federation (unauthorized access to computer information) and Article 159 (fraud).
- EU: GDPR (unlawful collection of personal data, fines up to €20 million).
7. Educational resources
If you want to learn about protection against spoofing and other attacks:- Books: "The Art of Deception" (Kevin Mitnick), "Hacking Exposed 7" (McGraw-Hill).
- Platforms: TryHackMe (social engineering courses), OWASP .
- Certifications:
- Certified Ethical Hacker (CEH) - analysis of social engineering methods.
- CISSP — Cybersecurity.
Summary
Call spoofing is a powerful social engineering tool that can be used both offensively and defensively. Never try to use these methods in real life — it is illegal and dangerous. Instead, focus on protecting your data and educating others. If you are interested in practical examples or code for learning — let me know!
Last edited by a moderator: