Caller ID Spoofing for Fun or Profit

By | September 4, 2004

Although the ability to spoof caller ID has been around for quite awhile, I wasn’t aware of any public services that offered that capability. On August 31, a company called *38 launched a service for spoofing caller ID. With stories quickly appearing on SlashDot and the New York Times (registration required), *38 picked up a lot of publicity very quickly.

Perhaps too quickly for founder Jason Jepson, as an article in the Houston Chronicle revealed that he received “harassing e-mail and phone messages and even a death threat taped to his front door”. Since the *38 website suggests that the service would primarily be targeted at bill collection agencies, I presumed the threats would have been from people running from the repo man. But, he contends that they are coming from hackers who are upset that a tool available only in the underground was suddenly now available to anyone, somewhat like how magicians get mad when another magician reveals how a popular trick works.

I would have thought a more likely source of the threats would be the big phone companies, since caller ID is nearly pure profit for them. If people stop trusting caller ID, there goes a fantastic source of revenue for them.

As a sheer coincidence, early last week I built a caller ID spoofing application on our speech platform at work. It was a really simple app to write, and it works like a charm. The very next day I saw the article on *38 on Slashdot.

With their service, you first register your phone number with them and agree to pay $20/month plus 7-10 cents per minute, based on calling volume. Then, you go to their website and enter a number to call and the calling number you want to spoof. An automated service calls you back, dials the first number, while spoofing the caller ID with the second number.

I like my implementation better, since it doesn’t require Internet access. I call a toll free number that connects me to my application hosted by a VoiceXML service provider. My app then asks you to enter (speech or DTMF) the number to call. Then, it asks you for the number to spoof. Seconds later, the phone at the first number is ringing, but the calling number that that person sees (assuming they have caller ID support) is the second number.

From the NY Times article:

“The developers of Star38, who say they required only 65 lines of computer code and $3,000 to create their service …”

Heh, the original version of mine was 51 lines of commented code and took me only about four hours of coding and testing time to complete. Even if I was charging 1999 dotcom era consultant wages, that would come in well under $3,000. If I had written it in static VoiceXML, it would have been about twenty-five lines of code (and that’s human readable code with no wacky obfuscations to shorten the length). I could easy rewrite it in fewer than twenty lines of clean, albeit uncommented, code on our platform, which dynamically generates VoiceXML.

26 thoughts on “Caller ID Spoofing for Fun or Profit

  1. ahqiang

    I think Caller ID spoofing can be a great thing if use correctly. I have similar idea for ip spoofing too…. maybe we can talk. I love to see your code too. by email? not here definitly. or can you teach me?

    Reply
  2. D

    I’d pay you to use your service. Can we set something up? I deal with people who jump bail bonds. I don’t want them having my number. Would have used *38 but they seem defunct.

    Reply
  3. EowynArwen

    Fun -oh sure, especially for the receiver of endless spoofed phone calls. I’ve received more than 150 so far. Very amusing.

    Reply
  4. Pam

    I’d be very interested in hearing from you … I have a legitimate commercial application for this (calling businesses, not homes). Please contact me.

    Reply
  5. Bade

    I wish information was not abused and used for information like it is intended.

    Reply
  6. h4x0r

    Caller id can be funny , but in the same time dangerous. Think that if someone spoofs the number of M S , also knowing he’s credit card & bank account details , he/she can take all the money from the account/credit card ? It’s funny but VERY risky to have this service provided for only a few bucks. :))))))) Think that , i have 18 years old , and i know this service for over 2 years. I’ve made US $27,500.00 , by using this service ilegal 😀 don’t be mad , the money are insured and u`ll get it back from the goverment … i hope ! 😀

    Reply
  7. Pingback: WombatNation » More on Caller ID

  8. Tarron

    hello! my names tarron from uk. i need uk caller id spoof any 1 know where i can get it from? also am into carding and etc contact me on [email protected] if you have anything usefull or can work togheter? laters!

    Reply
  9. Ed

    Here’s a great idea, start up several websites that offer pay per spoof or the pre-paid card idea is even better. Then, like the txcovertcard.com site, sell them to several hundred persons who want to spoof their number and then close up shop.

    You will snag many telemarketers who are trying to get around the national Do-Not-Call list, who will they complain to?

    There is no legitemate purpose for spoofing except possibly law enforcement.

    Reply
  10. PDXUSA

    Guaranteed caller ID…
    PDXUSA will soon go public with ANI support, allowing for identification of “unknown” numbers. Telemarketers, collection agencies and other
    large businesses such as HOTELS / MOTELS use T1 phone lines that often appear as unknown number. This can cause you to simply not answer the phone when it could be your employer or job opportunity!!
    You don’t need 800 numbers or call forwarding to have this and you can keep your old number.

    Not only do we provide ANI, we authenticate it with the carrier who owns the number so for the few out there who can spoof ANI, you’ll find yourself running into a brick wall trying to spoof a PDXUSA telecom customer.

    http://www.pdxusa.net

    Reply
  11. Pingback: WombatNation » Truth in Caller ID Act of 2007

  12. Jim H.

    Ed said:
    “There is no legitimate purpose for spoofing except possibly law enforcement.”

    I would beg to disagree.

    I am a private individual – my wife is a Real Estate agent, and we have three lines of service: One copper pair from the local Telco, and two VoIP lines.

    It would be damn convenient if the two VoIP lines would reflect the phone number of our main line – this way clients and prospective clients would always get the correct number to call back on regardless of which of the three lines were used to make the call.

    I “own” all three numbers.
    I’m not trying to rip anyone off.
    I am trying to make things as convenient as possible for both us and our clients.

    Yet our VoIP provider won’t redirect our caller ID due to fears of being sued out of his socks.

    Any ideas?

    Jim

    Reply
  13. geo

    I actually have a legitimate use for spoofing. I use prepaid cell phone when traveling, and receive calls through grandcentral (this is an awesome new (beta)free service from google at http://www.grandcentral.com-check it out), and need my friends and family to see my number on their caller id, so they know its me.

    Reply
  14. freedom first

    this is a great tool. certainly!

    if companies are dumb enough and lacking in security so much that when their customers call for information about their credit card or bank account for example, that if the caller id is used as a major security layer to establish identity of the caller, then God help your organization. Anyone living in a huge apt. complex with twisted pair and activate everybody’s credit cards that usually come in the mail on the same day. Also, the whole world used cordless phones in their houses now. Not too hard to grab that frequency while your sitting on the sidewalk in front of the victim’s home.

    point is that caller id spoofing is not going to undue the security protocols for id verification, unless a company is lazy enough to use caller id as the sole source of id verification.

    BTW. Jim H. it is not difficult to move caller id’s around in voip whatsoever. you should be able to figure it out.

    we don’t need another act from state or federal congress. we are over inundated with laws enough already. of course, law enforcement will seem to have no problem using this tool for themselves. I’m sure congress will overwhelmingly approve also, so we can protect the weak and the children of course.

    of course, once it becomes illegal, then that’s where the true fun always starts. haha.

    i think it is great. i have been able to speak with people at potential job assignments and get things done in a way now that is unprecedented. see how easy it is go get an appointment with a medical specialist instantaneously.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *