Pwn all the Sauce with Caller ID Spoofing

If we’re going to perform some pre-text phone calls we have a couple different options when it comes to the caller ID. We really only have 3 possible options which are: we do nothing to the phone number, we block our phone number, or we spoof our phone number.

Doing nothing to the caller ID will sometimes work depending on the area code you call from versus the area code that your client is located in. In my experiences, sometimes not blocking the number yields better results than blocking the number. I always feel like users are more suspicious when the caller ID says ‘blocked’or ‘unavailable’. Not only are they on heightened awareness, but I feel like they are less likely to even answer the phone thinking it’s most likely a telemarketer.

This brings us to the topic of spoofing your caller ID. I know there are tons of different ways to accomplish this task, but for the scope of this article, I’m going to discuss the method I use, which also seems to be the easiest to implement. Before I continue, I want to give a huge shoutout to my Accuvant LABS colleague Noah Beddome who showed me the ropes on caller ID spoofing. Thanks Noah!

The first item that we will perform is creating an account for a cloud PBX provider. I personally use http://vitelity.net/ because the account is completely free to sign up. The only item we need to pay for is the minutes that we use when we make our phone calls which is extremely cheap.

Once you’ve created your free Vitelity account, you’ll want to login to the Administration portal to configure your PBX to use a softphone. A softphone is nothing more than a software that runs on your computer. It essentially acts as a client that communicates with the PBX server in the cloud which seems to act very similar to an outlook client configured to use exchange.

Once logged into the Administrative portal, we will click on the ‘DID‘ tab which will bring up many other subtabs. We are interested in the ‘Sub Accounts’ subtab. This is the section that we will use to create a list of softphones that are authorized to use out PBX server. The software essentially acts as a client and sends all of the relevant information to the PBX server.

If you look closely there is a section to assign the caller ID for each phone that we configure. By default the caller ID is left blank and will show up as ‘unavailable’ when you make a phone call.

Once we’ve saved our configuration, lets test out what number gets displayed on the caller ID when we make our call (don’t worry, softphone configuration coming next).

Of course we always have the option of blocking out number with a little help from *67. An example of what that type of phone call looks like can be seen below:

Now that we have our spoofed phone number in place, save the settings and your ready to make a test phone call.

Oh my! would you look at that. Just look at it, we’ve successfully spoofed the phone number to make it look like we’re coming from Internal IT.

Now that we know how to configure the PBX server properly, lets move onto the softphone configuration to finish the entire process. We are not going to go into a ton of detail on how to configure the softphone software because Vitelity has a section full of tutorials for different softphone software.

I personally am using the software X-lite on my MAC operating system to sync up with the PBX server. Once the software is installed, you’ll need to configure an account just like you are hooking up an Outlook client for the first time. Here is what my configuration currently looks like:

Now our softphone client is all configured to use the PBX server. We should be all set to start testing it out by making some phone calls. Hope this has been informative, and good look pwning all the sauce on your next phone call gig!