
Tel-Tales

May-June 2010

by
Bob Lottero

Tracing Spoofed Caller ID Calls

We’re currently involved in tracing a series of harassing calls to multiple victims where the caller
spoofed his caller ID. The case is in progress as I write this, so I won’t be able to share many of
the details with you at this time. Tracing a call can be very simple as long as the caller just
direct-dials the recipient and doesn’t block his caller ID. If he does block caller ID (using *67 or
permanent caller ID block) it’s still relatively simple, requiring a check with the telco of the
victim’s AMA or switch dump records (landline) or of the telco’s on-line detailed switch dump records
(as opposed to billing records) for a cell company. In most situations, this will give you the
original, unblocked number. Where it really gets challenging is when the caller uses some
method to spoof his caller ID. Then the real fun begins. There are only a couple of ways a caller
can spoof his caller ID.

The first is to buy a spoof card or otherwise subscribe to a caller ID spoofing service. The
second is to get the appropriate hardware and/or software and make the spoof happen yourself.
If you have some time and want to do some light reading, google “caller ID spoofing” – I got
262,000 hits. If you don’t have a lot of time, click or enter this link and you can read about the
history of caller ID spoofing and see how it’s done (http://www.calleridspoofing.info/).

Here’s a scenario: An agent working a drug case receives a threatening call and the caller ID
showed an unknown telephone number. A check at NeuStar’s web site indicates that this is a T-
Mobile number. A subscriber & CDR (call detail records) subpoena to T-Mobile for that number
reveals the subscriber but shows that no call was ever placed from this number to the agent. A
call to T-Mobile security confirms this fact – even a check of the T-Mobile switch dump database
shows that the T-Mobile number in question never placed a call to the agent’s phone. Evidently,
someone placed the call and was able to send a bogus caller ID (in this case a T-Mobile number)
that he probably picked out of thin air on the spot. Now the trick is to identify the actual
telephone number from which the call was placed.

Depending upon the exact mechanism and function of the caller ID spoofing technology
employed, a caller has the option of injecting any random series of digits to be transmitted as the
“caller ID” message that is sent to the receiving phone between the first and second rings. By
the way, be sure to caution a victim to let the phone ring twice before answering to ensure that
caller ID is received. We have seen actual 10-digit telephone numbers, a random series of any
number of digits, 411 – you name it. Back in the 90’s I actually made up and sent a Mexican
landline telephone number for caller ID when I called my supervisor. I was actually calling from
a landline telephone in New Hampshire. We happened to be working a case which involved
some of the bad guys being in Mexico. His comment, “What the hell are you doing in Mexico?”
And that was before foreign telcos ever sent caller ID to US telephones.
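How little the receiving phone can check is easiest to see from the bytes themselves. On a North American analog line, the message delivered between the first and second rings is a Bellcore/Telcordia GR-30 FSK burst; the encoder and decoder below handle its MDMF message body. This is an added example written for this page, not the newsletter author’s tooling, and it assumes the GR-30-CORE layout (message type 0x80, a length byte, type-length-value parameters for date/time, number and name, then a two’s-complement checksum); the FSK modulation and preamble are left out. The point it shows: the only check the frame carries is the checksum, so “411”, a made-up Mexican number or any other digit string encodes and validates exactly like a genuine one, and a *67-blocked call arrives as a “P” (private) marker in place of the number, which is why the block is undone from the telco’s own records rather than from the display.

```python
"""Bellcore/Telcordia GR-30 MDMF caller ID message: encode and decode.

Added example for this page, not the newsletter author's tooling. The frame
layout is assumed from GR-30-CORE: type 0x80, length byte, TLV parameters,
checksum. The FSK modulation and the channel-seizure/mark preamble are not
modelled."""
MDMF_TYPE = 0x80        # "call setup" message
PARAM_DATETIME = 0x01   # 8 ASCII digits, MMDDHHMM
PARAM_NUMBER = 0x02     # calling number, ASCII digits
PARAM_NO_NUMBER = 0x04  # 'P' = private (blocked), 'O' = out of area
PARAM_NAME = 0x07       # calling name, ASCII
PARAM_NO_NAME = 0x08


def checksum(frame_bytes):
    """Two's complement of the byte sum, so the whole frame sums to 0 mod 256."""
    return (-sum(frame_bytes)) & 0xFF


def encode_mdmf(date_time, number=None, name=None, absent="O"):
    """Build an MDMF frame. The number is whatever digit string the sender
    chooses; nothing in the frame binds it to the line the call came from."""
    if len(date_time) != 8 or not date_time.isdigit():
        raise ValueError("date_time must be MMDDHHMM")
    params = bytearray([PARAM_DATETIME, 8]) + date_time.encode("ascii")
    if number is not None:
        digits = number.encode("ascii")
        params += bytes([PARAM_NUMBER, len(digits)]) + digits
    else:
        params += bytes([PARAM_NO_NUMBER, 1]) + absent.encode("ascii")
    if name is not None:
        nm = name.encode("ascii")
        params += bytes([PARAM_NAME, len(nm)]) + nm
    frame = bytes([MDMF_TYPE, len(params)]) + bytes(params)
    return frame + bytes([checksum(frame)])


def decode_mdmf(frame):
    """Parse a frame into a dict; raise ValueError on bad framing or checksum."""
    if len(frame) < 3 or frame[0] != MDMF_TYPE:
        raise ValueError("not an MDMF call setup message")
    if sum(frame) & 0xFF:
        raise ValueError("checksum mismatch")
    if frame[1] != len(frame) - 3:
        raise ValueError("length byte does not match frame")
    body, i, out = frame[2:-1], 0, {}
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated parameter header")
        ptype, plen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + plen]
        if len(data) != plen:
            raise ValueError("truncated parameter")
        i += 2 + plen
        text = data.decode("ascii", errors="replace")
        if ptype == PARAM_DATETIME:
            out["datetime"] = text
        elif ptype == PARAM_NUMBER:
            out["number"] = text
        elif ptype == PARAM_NO_NUMBER:
            out["number_absent"] = text    # what the display gets for a *67 call
        elif ptype == PARAM_NAME:
            out["name"] = text
        elif ptype == PARAM_NO_NAME:
            out["name_absent"] = text
        else:
            out.setdefault("unknown", []).append((ptype, bytes(data)))
    return out


def is_valid_frame(frame):
    """True if the frame parses and its checksum holds."""
    try:
        decode_mdmf(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    genuine = encode_mdmf("04122158", "6035550147", "EXAMPLE")
    spoofed = encode_mdmf("04122158", "411")             # a "non-number" from this issue
    blocked = encode_mdmf("04122158", None, absent="P")  # what *67 looks like on the line
    for label, f in [("genuine", genuine), ("spoofed", spoofed), ("blocked", blocked)]:
        print(label, f.hex(), is_valid_frame(f), decode_mdmf(f))
```

The checksum catches line noise, nothing more: a flipped bit fails validation, a wholly invented number passes it. That is the whole reason the trace has to go back to trunk and switch records instead of trusting anything the victim’s phone displayed.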

Sometimes our part of the investigation is only to trace back spoofed calls and other times
tracing a spoofed call (and sometimes a series of spoofed caller ID calls) is just part of the overall
analytical effort.

Technical discussion: When serving legal paper on this type of case I ask for both incoming
and outgoing calls on the phone that received the spoofed calls. If a victim reports a harassing
or threatening call, I never believe in ignoring the possibility that the victim could be a part of the
hoax, know the perpetrator, or mistakenly/purposely under-report the number of contacts. I also
make sure to ask for at least a month’s worth of calls (the month prior to the last reported
harassing call), more if the situation warrants. Victims don’t always remember (or tell) all – this
serves as a reality check.

The way we typically deal with call traces, particularly when caller ID spoofing is involved, is to
serve legal paper to the victim’s phone company to identify where the call came from (note that I
did not use the word “originated”). Our initial return would come back with either the caller ID of
the caller or spoofed caller ID and the trunk identification of the telephone company that
transmitted the call to the terminating victim’s telephone company. Once this reverse trace is
done, we go to a “forward” trace where we serve paper to the company that was identified as
the primary or intermediate source of the call, demanding which of their customers originated the
call (a call-to-destination subpoena). If the results from that come back with an individual
subscriber, we got our bad guy; if the results show the call came from a telephone company, we
serve that company a calls-to-destination subpoena and continue up the line until we identify the
call originator. On one case, we traced a sexual harassment call to an embassy in the US back
through four telephone companies to the call originator in London using this method.

Here are three situations you may run into:

• The best and easiest – The victim reports that no caller ID was received on the call. A
subpoena to the victim’s telephone company reports the caller ID for the call in question.
You subpoena subscriber information for that number, research it, and it comes back to
an individual whom you subsequently identify as the actual caller.

• A victim’s telephone company reports the caller ID for the call in question. The caller ID
reported agrees with the caller ID the victim saw on his/her telephone. You subpoena
subscriber information for that number, research it, and it comes back to an individual
totally unrelated to that victim and whom your investigation determines did not make the
call. This is a spoofed caller ID call.

• A victim’s telephone company reports the caller ID for the call in question. The caller ID
reported agrees with the caller ID the victim saw on her telephone. But the caller ID is
not a real, dialable number. Some typical “non-numbers” we have seen: 411, 411-000-
0000, 000-000-0000.
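The third situation can be screened mechanically before any paper goes out: a displayed caller ID that cannot be a NANP telephone number is spoofed on its face. The Python check below is an added example, not from the newsletter, and applies the basic NANP dialing-plan rules as assumptions: ten digits (with an optional leading country code 1), an area code (NPA) and exchange (NXX) that each start with 2 through 9, and no N11 service code in either position.

```python
"""Screen displayed caller IDs that cannot be real NANP numbers.

Added example for this page, not the author's tooling. The rules are the basic
NANP plan as assumed here: 10 digits, NPA and NXX each start with 2-9, and N11
codes are service codes never assigned as an area code or exchange."""
import re

NANP_SHAPE = re.compile(r"^[2-9]\d{2}[2-9]\d{2}\d{4}$")


def normalize(caller_id):
    """Keep digits only; drop a leading country code 1 from an 11-digit string."""
    digits = re.sub(r"\D", "", caller_id)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def classify_caller_id(caller_id):
    """'non-dialable' if the string cannot be a NANP number, else 'dialable'.
    'dialable' only means a subscriber subpoena is worth writing; the number
    can still be spoofed (the second situation above)."""
    digits = normalize(caller_id)
    if not NANP_SHAPE.match(digits):
        return "non-dialable"
    npa, nxx = digits[:3], digits[3:6]
    if npa[1:] == "11" or nxx[1:] == "11":   # 411, 911, ... are N11 service codes
        return "non-dialable"
    return "dialable"


def flag_non_dialable(caller_ids):
    """Subset of caller IDs that are spoofed on their face."""
    return [c for c in caller_ids if classify_caller_id(c) == "non-dialable"]


if __name__ == "__main__":
    seen = ["411", "411-000-0000", "000-000-0000", "813-555-1212", "1 (603) 888-8888"]
    print(flag_non_dialable(seen))   # the three "non-numbers" from this issue
```

Run it over the calling_number column of an AMA or CDR return: anything it flags goes straight to the in-trunk question, while a “dialable” result still has to be checked against the subscriber, since a well-formed number is exactly what a careful spoofer sends.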

Analytical plan: The following is adapted from the analytical plan I wrote for my work and the
two analysts I assigned to the case. I have expanded it to a step-by-step discussion of how to
handle spoofed caller ID for calls to landline, VoIP, and cell phones.

1. Landline: Serve an AMA (Automated Message Accounting) court order to the landline
carrier asking for call detail records on all incoming calls during this period. An AMA
system is a database maintained by most landline carriers that contains all incoming and
outgoing calls to each of their customers. We specifically ask for about a month’s worth
of records (unless we have budget limitations – many landline providers charge for this
service because it is not billing records). This usually requires a court order – few telcos
will do this on a subpoena. We specifically ask for date, time, duration, originating
number, originating in-trunk and identification of what telco owns the in-trunk. Although
an AMA court order will show caller ID, many callers find some way of sending a spoofed
caller ID; this makes it necessary to identify the in-trunk (i.e., what telephone company
presented the call to the victim’s telephone company’s system).

a. Once you get the information back from the AMA order, compare the date/times
of the call records they returned to the date/time of the call reported by the
victim. Be sure to take into account any discrepancies in time zone and/or
daylight versus standard time. You can get a fairly accurate date/time if the
victim has caller ID unit installed – it may or may not show a spoofed caller ID,
but it certainly will give you the actual time of the call. I can tell you from
experience that victims seldom give you an accurate call time, and sometimes
even get the date wrong!

b. If the AMA records show an incoming call corresponding to the date/time of the
harassing call, most likely the AMA record will also show the spoofed caller ID.
Don’t worry about that; the AMA record should also show incoming trunk
information and the telco should be able to identify the telephone company
whose trunk that call came in on. Now serve a calls-to-destination subpoena to
the telco that owns that incoming trunk. In effect, you are telling that company
that one of its customers called the victim’s number and demanding that they
produce the telephone number and subscriber information of that caller. Oh,
and by the way, if you have multiple victims, be sure to list all of the victims’
telephone numbers in case the same perpetrator called more than one victim.
There are two possible responses you will receive.

i. The telephone company that delivered the call to the victim’s telco (i.e.,
the owner of the incoming trunk) is a VoIP (Voice over Internet Protocol)
provider.

1. Check out that company on the Internet – it probably was the
one that generated the spoofed caller ID. If it indeed offers
caller ID spoofing service, you are almost there.

2. Research the procedure to place a spoofed call with that
company; sign up for their service and actually make a spoofed
call to be sure. Typically, you dial a toll-free number, put in a
PIN (a lot like a prepaid calling card – which they actually are),
select a voice (male, female, special accent, etc.), enter the
spoof number, and enter the number you wish to call.

3. That toll-free number is the key. Determine the service provider
for that toll-free access number. Now subpoena call records for
that number from that provider for the suspected spoof service
provider. What? Never heard of writing a subpoena for a toll-
free number? I have included examples of calls-to-destination
and toll-free subpoenas at the end of this issue.

4. The toll-free subpoena will give you all of the calls placed to the
call spoofing company AND it will show the actual caller ID of
each of the users – they can’t block their real caller ID when
calling a toll-free number.

5. All you have to do now is find the original call placed by the perp
to the call spoofing company’s toll-free number by comparing
the appropriate dates and times and making allowances for the
time it takes for the caller to set up the call and also being
careful to take time zone and standard versus daylight savings
into account.

6. Take the [real] caller ID of the original call and subpoena
subscriber and call records and you will have your bad guy!

ii. The call came from a telephone company, but your research indicates it did not
generate the spoofed caller ID. In this case, serve a calls-to-destination
subpoena to this new company and keep tracing back in this manner
until you get to the source of the call. Then employ follow-up steps 1-6
in the previous section.

c. If the AMA records show no incoming call at the date/time in question, it is
almost certain that the call originated from a local landline number and the caller
is hi-tech and able to generate his own caller ID spoof. Landline telcos typically
do not retain incoming and outgoing local calls for customers who subscribe to
unlimited local service. If this is the case, you are on your own – telco records
have gone as far as they can and you’ll have to go into plain-old-detective mode
to resolve the case (who might want to harass this person and is also hi-tech,
etc.).

2. Cell phone: Serve a subpoena for all incoming and outgoing calls to a cell phone victim’s
cell phone service provider that asks for records from the past month to date. Be sure
that your subpoena specifies that you want electronic format call records from the telco’s
on-line system and not billing records. Also specify that call records for incoming calls
should include the incoming trunk designation and the identity of the telephone company
that presented the call. Most cell companies maintain at least the past 30 days of call
records as obtained from their switch which includes in-trunk information. Once you
have the subpoena returned, and hopefully, the in-trunk telco identified, follow the same
procedure as outlined above for the landline scenario.

3. VoIP carrier: This applies to cable companies offering telephone service as well as
companies such as Vonage and Skype. Serve a subpoena for all incoming and outgoing
calls to the victim’s VoIP service provider that asks for records from the
past month to date. As in the case for landline and cell phone records, be sure to specify
that call records for incoming calls should include the incoming trunk designation and the
identity of the telephone company that presented the call. I have found that VoIP
carriers tend to maintain more complete records and for a longer period of time than
landline or cell companies, including in-trunk information. That being said, I have also
found that VoIP companies are more reluctant to work with us and need
“encouragement” before they will give you what you want. Once you have the subpoena
returned, and, hopefully, the in-trunk telco identified, follow the same procedure as
outlined above for the landline scenario.

4. If you have multiple victims, review all calls to all victims looking for similarities of
incoming calls and comparing any calls from suspected perpetrators to the number of
calls reported by victims.
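The time matching in steps 1.a, 1.b and 1.b.i.5 is where these traces most often go wrong, so here it is worked through in Python. This is an added illustration for this page, not the author’s tooling, and everything in it is constructed: the AMA return for the victim’s number, the toll-free carrier’s CDRs for the spoofing service’s access number, the column names, and the assumption that each carrier reports times in its own local zone (New York for the victim’s telco, Chicago for the toll-free carrier; the code falls back to fixed April 2010 daylight-time offsets if no time zone database is installed). It normalizes both record sets to UTC, finds the AMA record that matches what the victim reported (by displayed caller ID and a wide time window, since the victim’s clock reading is the least reliable field), hands back the owner of the incoming trunk for the calls-to-destination subpoena, and then lists the real ANIs whose toll-free session began shortly before the spoofed call and was still up while it lasted. The ten-minute setup window is a guess at how long keying in a PIN, a voice, a spoof number and a destination takes.

```python
"""Match a victim-reported spoofed call to the telco's AMA return, then to the
spoofing service's toll-free CDRs.  Added example for this page; all records
are constructed samples, not real subpoena returns."""
import csv
import io
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    AMA_TZ = ZoneInfo("America/New_York")      # assumed: victim's telco reports its local time
    TOLLFREE_TZ = ZoneInfo("America/Chicago")  # assumed: toll-free carrier reports its own
except Exception:  # no tz database installed: fixed daylight-time offsets for April 2010
    AMA_TZ = timezone(timedelta(hours=-4), "EDT")
    TOLLFREE_TZ = timezone(timedelta(hours=-5), "CDT")

# Constructed AMA return for the victim's landline: incoming calls, displayed
# caller ID, incoming trunk and the telco that owns that trunk.
AMA_CSV = """date,time,duration_s,calling_number,in_trunk,trunk_owner
2010-04-12,21:58:14,45,212-555-0101,TG-0417,ExampleVoIP Inc
2010-04-12,22:03:51,140,813-555-0199,TG-0042,Example Cell Co
2010-04-13,09:15:02,30,411,TG-0417,ExampleVoIP Inc
"""

# Constructed CDRs for the spoofing service's toll-free access number, as its
# carrier would return them; originating_number is the caller's real ANI.
TOLLFREE_CSV = """date,time,duration_s,originating_number
2010-04-12,20:55:40,95,603-555-0147
2010-04-12,20:57:03,300,415-555-0123
2010-04-12,21:20:11,60,603-555-0147
"""


def load_cdrs(text, tz):
    """Parse CSV call records and attach UTC-aware start/end times."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        r["start"] = local.replace(tzinfo=tz).astimezone(timezone.utc)
        r["end"] = r["start"] + timedelta(seconds=int(r["duration_s"]))
        rows.append(r)
    return rows


def find_victim_call(ama, reported, displayed_cid, tolerance=timedelta(minutes=30)):
    """AMA records matching the victim's report: same displayed caller ID and a
    start time within `tolerance` of the (unreliable) time the victim gave."""
    reported = reported.astimezone(timezone.utc)
    return [r for r in ama
            if r["calling_number"] == displayed_cid
            and abs(r["start"] - reported) <= tolerance]


def candidate_originators(spoofed, tollfree, setup_window=timedelta(minutes=10)):
    """Real ANIs whose toll-free session could have carried the spoofed call:
    it began at most `setup_window` before the victim's phone rang (time to key
    in PIN, spoof number and destination) and was still up when the call ended."""
    hits = set()
    for r in tollfree:
        began_before = spoofed["start"] - setup_window <= r["start"] <= spoofed["start"]
        still_up = r["end"] >= spoofed["end"]
        if began_before and still_up:
            hits.add(r["originating_number"])
    return sorted(hits)


def trace(reported_local, displayed_cid):
    """reported_local: 'YYYY-MM-DD HH:MM' in the victim's (AMA) time zone.
    Returns (owner of the incoming trunk, candidate real ANIs)."""
    ama = load_cdrs(AMA_CSV, AMA_TZ)
    tollfree = load_cdrs(TOLLFREE_CSV, TOLLFREE_TZ)
    reported = datetime.strptime(reported_local, "%Y-%m-%d %H:%M").replace(tzinfo=AMA_TZ)
    matches = find_victim_call(ama, reported, displayed_cid)
    if len(matches) != 1:
        return None, []          # nothing or several: go back to the victim's caller ID unit log
    call = matches[0]
    return call["trunk_owner"], candidate_originators(call, tollfree)


if __name__ == "__main__":
    # Victim: "about 10:15 pm on April 12; the display showed 212-555-0101"
    owner, anis = trace("2010-04-12 22:15", "212-555-0101")
    print("incoming trunk owner:", owner)   # serve calls-to-destination / toll-free paper here
    print("candidate real ANIs:", anis)
```

In the constructed data the 20:55:40 (Central) toll-free session falls inside the setup window but ended at 20:57:15, before the victim’s phone rang at 20:58:14 Central, so it cannot have carried the call; the 20:57:03 session started 71 seconds before the spoofed call and was still up when it ended, so its ANI is the one candidate. Testing both the start of the session and whether it was still up, rather than taking the nearest timestamp, is what keeps a failed or unrelated attempt from the same service from being mistaken for the call.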

Special situations you may encounter: Some companies purposely generate a spoofed
caller ID while meaning no harm to the people they call. For instance, many telemarketers
actually send their toll-free number as a caller ID. They do this for two reasons. First (and most
important) so their call will not be rejected by anyone who has Anonymous Call Rejection (ACR),
a telco-offered service that rejects calls from callers who block their caller ID. The other reason
is so the person they called can call them back (Who would ever want to call back a
telemarketer?).

Other telemarketers have the capability of not only spoofing caller ID, but also injecting bogus
tracking information into the public switched telephone network. They do this by setting up their
own telephone company. These days it is very easy to start your own telephone company. It
doesn’t even have to have any customers. Just set up a VoIP system and hire or teach yourself
the hardware & software skills necessary. This can make it especially challenging for us. When a
telco places a call that is to be handled by another company – for instance, when T-Mobile places
a call from one of their customers who has dialed a Sprint cell phone, they are supposed to
include certain data to accompany the call. This data tells the receiving company (Sprint, in this
case) where the call came from and where it is to be terminated. A clever tech at a VoIP
company (or any telco, for that matter – except that big telcos are careful to not allow this sort
of scam) could inject data showing that a call came through seven other telcos and send that call
to the terminating telco. The terminating telco (the victim’s telco) would then have a difficult
time determining the origin of the call. We have run into this situation before. It is difficult, but
we can usually work with the telephone company (the good one at the terminating end) and
determine the actual source and path of the call.

Alternative techniques: Using the above techniques, you should be able to trace almost all
caller ID spoofed calls. There are only three reasons you might have a problem. If the call was
a local call from a landline number to another landline number and the caller was a hi-tech type
that could generate his own spoofed caller ID, you’re out of luck. Fortunately, this seldom
happens. The other two reasons are administrative – your agency is unwilling to pay a telco the
fee they charge for an AMA, or the prosecutor’s office does not want to issue the legal demand
you need to pursue the case.

You won’t be able to stop the calls by having the victim subscribe to anonymous call rejection
(ACR) service, because the calls will not be anonymous as far as ACR is concerned – any caller
ID, legitimate or not, is acceptable. You can come up with an effective solution if the caller
always uses the same telephone number for his spoof. There is a combination caller ID/call
forwarding/rejection device you can buy that can be configured to forward the bad guy’s call to
wherever you want. I have one called “Person-to-Person”. It’s a caller ID unit on steroids. You
enter the caller ID you want to reject and it can send it directly to voice mail or forward it to
another number. Imagine the surprise of a caller making a sexual harassment call when his call
to the victim is forwarded to your “hello” phone. If this is the only option you have left, and the
bad guy is using a consistent spoofed caller ID, check them out at
http://www.interceptorid.com/products/p2p.htm

The other option (changing the victim’s number) seems simplistic, but when used with a purpose,
can also ID the perp. You can use your imagination to exploit this. One idea is have the victim
change their number and then, in a carefully controlled manner, let out the new number to
selected people in stages until a harassing call comes in to the victim’s new number; then
backtrack to make an educated guess as to who made the call.

Sample Calls-to-Destination Subpoena

Conduct a calls-to-destination search for the period _______ of <telco> call detail
records databases to identify any and all <telco> mobile telephone numbers used to
place calls to the following number(s). …

813-555-1212
603-888-8888
etc…

Provide the then-current subscriber information and their corresponding CDRs for incoming
and outgoing calls for the above specified period. Also provide the phone number(s) and
above information for any other numbers or, in the case of a mobile service, accounts
involving the same IMEI and/or IMSI as numbers found by the above search. Provide the
phone number(s) and above information for any other phone numbers listed to the same
account as any of the numbers found by the above search AND for any other accounts billed
to any subscriber at the same address as for any of the numbers found by the above search.

If the calling party was not a <telco> subscriber and the call came into the <telco> system
via another telephone company’s trunk, identify that trunk and the name of the
corresponding telephone company.

Subscriber information is to include billing address, subscriber name, account number,
Social Security Number, date of birth, so-called “Can-Be-Reached” (CBR) numbers –
alternate contact numbers given by the subscriber, long distance carrier, dates of service
and associated subscribed-to telephone numbers, direct-charge credit card or account,
any and all notes recorded in the subscriber record, and any other credit and/or account-
type information on file for this customer. Also provide the above information for any
person authorized to access the account on behalf of the account holder.

Provide all CDR information electronically in ASCII, comma separated values (.csv) or
fixed field length (SDF) format. Only where this is not possible, provide information in
"print image" format (i.e., a textual or graphical representation of a customer bill) in
ASCII (preferable), text-convertible .pdf format, or graphical format .pdf or .tif files (the
foregoing to be in decreasing order of preference). If none of the foregoing formats
can be produced, provide information in dark, clean typeface, machine-scannable/OCR-
interpretable hardcopy.

Sample Toll-free Number Subpoena

Supply subscriber information and telephone call detail records (date, time, duration,
originating number, and charge for each call) for incoming calls for the period
__________________ to _________________ <or to the date of this subpoena> for the
following toll-free number(s):

800-555-1212
888-555-1212
… sample list of telephone numbers

Provide the phone number(s) and above information for any other toll-free numbers listed to
the same account as the above listed number(s) AND for any other toll-free number accounts
billed to any subscriber at the same address as the listed number(s).

Provide all CDR information electronically in ASCII, comma separated values (.csv) or
fixed field length (SDF) format, or Microsoft Excel format. Only where this is not
possible, provide information in "print image" format (i.e., a textual or graphical
representation of a customer bill) in ASCII (preferable), text-convertible .pdf format, or
graphical format .pdf or .tif files (the foregoing to be in decreasing order of preference).

If none of the foregoing formats can be produced, provide information in dark, clean
typeface, machine-scannable/OCR-interpretable hardcopy.

---------------------------------------------------------------------
“Tel-Tales,” is a monthly newsletter written by Bob Lottero for investigators, intelligence analysts, and prosecuting
attorneys and distributed by FBI-LEO (Law Enforcement On-line). Bob and his team of analysts provide in-depth,
contract analytical and operations support and training regarding telephone/communications issues to federal, state,
and municipal agencies. Each Tel-Tales issue covers techniques and innovative approaches to the acquisition and use
of telephonic information to build and prosecute cases. Call Bob at 603-586-7156 (email Robert.Lottero@leo.gov) if
you have any questions or you want more detail on the information presented here. The material presented in Tel-
Tales is Copyright © 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by Bob Lottero, and may not be reproduced
and/or distributed in whole or in part without the express permission of the author. Previously unpublished
investigative and analytical techniques presented herein may not be used by any person or enterprise for commercial
purpose.
