24

I'm performing a penetration test against a company. Part of my social engineering procedure is to contact the IT department and try to convince them that I'm an employee of the company and get them to reveal some sensitive information, including passwords.

How can I make my call more convincing by making it appear as if it came from some employee's phone number?

[This is a hypothetical question, created to preserve my deleted answer on this question]

Adi
  • While it is possible to spoof caller ID information, it is a lot less likely that you are going to be able to convince a local PBX that you are an internal caller. Since their internal system likely has control of internal extensions and they are probably not directly on external lines when calling internally, your call would appear from an outside number through the trunk with a number that should be an internal extension. You might have better luck if you use a home phone number though and claim to be from a sick employee who is trying to connect in remotely. – AJ Henderson Jun 05 '13 at 13:30
  • @AJHenderson Or you're currently at the customer's premises calling from your cellphone, or you're the boss on vacation and you want to check your email, or or or... – Adi Jun 05 '13 at 13:33
  • Yeah, I was just highlighting that you would want to use a number that isn't internal. Just an observation that wasn't in the original question and thought was worth noting. – AJ Henderson Jun 05 '13 at 13:46
  • 1
    Adnan already answered this from the technological perspective, so I will just heap on the following. If you're in the United States, be advised of the "[Truth In Caller ID Act](http://www.fcc.gov/guides/caller-id-and-spoofing)". – munkeyoto Jun 05 '13 at 14:48
  • 1
    @EricG That's a different question, and exactly because of that I asked this question. That one asks about forwarding a call through the other phone and making it appear in the other phone's internal logs and the phone provider's logs. – Adi Jun 05 '13 at 16:41

1 Answer

20

There are many VoIP services that provide ID-spoofing functionality

  • Jumblo: Create an account and add some credit to it (10 Euros minimum excluding VAT), then install their Android app, log in, then go to Settings and choose "Add Caller ID" then add the number. (Requires SMS verification) *


  • Skype: You can create an online number (15 Euros minimum) then add some credit to it (10 Euros minimum). Then go to the Caller ID page, and add the number you want. (Requires SMS verification) *


  • SpoofCard (10 U.S. Dollars minimum) (No SMS verification required)

  • SpoofTell (0.10 U.S. Dollars per call) (No SMS verification required)

* One way to acquire the SMS verification code from the target phone is by configuring the Caller ID number at a time when the employee has left their phone unattended at a restaurant or a bar. Another possibility is by stopping the employee in the street and asking to borrow their phone for an urgent call.

Adi
  • 2
    Adnan has some good examples here, but basically to spoof the caller ID you need a VoIP provider that will let you enter a CID number (basically all of them) and a VoIP phone or app that lets you enter the Caller ID name. ....or access to a PBX with a digital connection to the POTS (T1 or other PRI), the phone company will trust the CID given to it by a PBX. – Rod MacPherson Jun 06 '13 at 03:20
  • thank you very much! I started using Jumblo and it really helped me – Green Fly Jun 11 '13 at 11:52
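
A defensive counterpart to AJ Henderson's comment on the question, as an added example that is not part of the original thread: a call that arrives over the external trunk while presenting an internal extension as its caller ID is worth flagging for the help desk. The CDR layout, the `PJSIP/trunk-` channel prefix and the numbering plan are constructed assumptions; it also assumes internal calls never legitimately hairpin through the trunk.

```python
import csv
import io
import re

# Constructed numbering plan (assumption): 4-digit extensions 2000-2999,
# reachable from outside as DIDs built from DID_PREFIX + extension.
EXT_RANGE = range(2000, 3000)
DID_PREFIX = "1555010"
EXTERNAL_CHANNELS = ("PJSIP/trunk-",)  # hypothetical trunk channel prefix

# Constructed CDR sample: timestamp, inbound channel, presented caller ID, dialed number
SAMPLE_CDR = """\
2013-06-05T13:30:02,PJSIP/2041-0000001a,2041,2100
2013-06-05T13:31:40,PJSIP/trunk-0000001b,+1 (555) 010-2041,2100
2013-06-05T13:35:11,PJSIP/trunk-0000001c,2041,2100
2013-06-05T13:40:55,PJSIP/trunk-0000001d,+44 20 7946 0123,2100
"""

def internal_extension(cid):
    """Return the internal extension a presented caller ID maps to, or None."""
    digits = re.sub(r"\D", "", cid)  # strip +, spaces, brackets, dashes
    if len(digits) == 4:
        ext = digits
    elif digits.startswith(DID_PREFIX) and len(digits) == len(DID_PREFIX) + 4:
        ext = digits[len(DID_PREFIX):]
    else:
        return None
    return ext if int(ext) in EXT_RANGE else None

def flag_suspect_calls(cdr_text):
    """Flag calls that arrive on an external trunk but present an internal number."""
    alerts = []
    for ts, channel, cid, dialed in csv.reader(io.StringIO(cdr_text)):
        ext = internal_extension(cid)
        # A genuine internal call is switched inside the PBX and has no trunk leg.
        if ext and channel.startswith(EXTERNAL_CHANNELS):
            alerts.append({"time": ts, "claimed_ext": ext,
                           "dialed": dialed, "channel": channel})
    return alerts

if __name__ == "__main__":
    for alert in flag_suspect_calls(SAMPLE_CDR):
        print("ALERT external trunk call presenting internal caller ID:", alert)
```

A hit does not prove spoofing on its own; it tells the help desk to verify the caller through a second channel before acting on the request.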