US Authorities Seize iSpoof, a Call Spoofing Site That Stole Millions (techcrunch.com) 38
An international police operation has dismantled an online spoofing service that allowed cybercriminals to impersonate trusted corporations to steal more than $120 million from victims. From a report: iSpoof, which now displays a message stating that it has been seized by the FBI and the U.S. Secret Service, offered "spoofing" services that enabled paying users to mask their phone numbers with one belonging to a trusted organization, such as banks and tax offices, to carry out social engineering attacks. "The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords," Europol said in a statement on Thursday. "The users were able to impersonate an infinite number of entities for financial gain and substantial losses to victims."
London's Metropolitan Police, which began investigating iSpoof in June 2021 along with international law enforcement agencies, in the U.S., the Netherlands, and Ukraine, said it had arrested the website's suspected administrator, named as Teejai Fletcher, 34, charged with fraud and offenses related to organized crime. Fletcher was remanded to custody and will appear at Southwark Crown Court in London on December 6. iSpoof had around 59,000 users, which caused $58.2 million of losses to 200,000 identified victims in the U.K., according to the Met Police. One victim was scammed out of $3.64 million, while the average amount stolen was $12,100.
Re: Countless people have been damaged already. (Score:2)
Re: (Score:3)
Yeah, no security at all in the way the phone system works. There is also no security for people wanting to hide their caller id as it is always sent out even if you have set your system/device not to. All that happens is a flag is set so the receiving end point can block the display, if it chooses to respect the flag.
Our local telco dutifully blocks caller id but if you let it go to voice mail, the messaging system does not. Hit 5 during playback and it tells you the originating number.
Don't expect p
Re: (Score:2)
Back when I was at vTEL I was honestly appalled at how insecure almost everything about Telecoms networks is. There is absolutely nothing to stop you setting up your own FreeSwitch/OpenSIP server, or Asterisk if you want something a bit more off the shelf, peering it to one of the more trusting telcos and just using it to send from *any* phone number you want.
Even more so with SMS.
And worse is with the SS7 network where everything just *trusts* everything else, although in the 15 years since I was last in
Re: (Score:1)
The real headline should be "FBI moves in on competition after secret amnesty deal falls through."
ispooof, not ispoof (Score:5, Informative)
https://ispoof.cc/ [ispoof.cc] has been seized by the Feds, but https://ispooof.cc/ [ispooof.cc] is open for business. For greater detail, may I refer you to https://www.whois.com/whois/is... [whois.com]?
Fix the phone system (Score:5, Insightful)
Re:Fix the phone system (Score:5, Informative)
Actually, progress is slow but being made on caller ID: https://en.wikipedia.org/wiki/... [wikipedia.org] But more significantly, FCC is -finally- cracking down on companies that have not implemented STIR/SHAKEN: https://www.cnn.com/2022/11/22... [cnn.com]
I still get a lot of crap calls, so there's work to be done.
Re: (Score:2, Interesting)
That is a typical techie solution ("oh! I know! We'll throw PKI at it!") for what is ultimately a regulatory problem. And it doesn't fix POTS.
The simple fix is for the telcos to filter: Check that the incoming call carries a caller ID number that is at least vaguely in range. So a call coming in from the neighbouring country doesn't get to say it's from some other country, much less the local police station. Same with customer connections, even if they have signalling protocol access. And telecom is a heav
Re: Fix the phone system (Score:3)
That's a very poor understanding of the problem on your part, not to mention you literally argued that a technical solution won't work and then suggested a technical solution.
The problem is the calls are being routed through a domestic carrier who then acts as the originator, then looks the other way when they provide fake caller ID data. Regulation is now in place so that the FCC can effectively ban carriers that do this, which is what the article said is happening.
Re: Fix the phone system (Score:2)
Computationally intensive? Dude...what kind of computer are you using? A Commodore 64? NFC provides way more than enough power for RSA 2048 signing these days. NFC. Let that sink in. And RSA is the most "intensive" asymmetric encryption in common use. If it was that big of a deal, which it's not -- at all -- there's always EC.
And what you're suggesting isn't going to solve a damn thing, for a lot of reasons. One in particular being the fact that a single phone number can and does exist across multiple carri
Re: (Score:2)
Way down in the tangents, but I'm pretty confused by the basic concept of NFC having computing power.
Can you catch me up?
Re: (Score:3)
By that, I mean chips that are powered entirely by bog standard Near Field Communication, the very same that your credit card might use, indeed your credit card could even use plain ol' RSA for approving transactions over NFC (I don't deal in payment cards so I'm not sure what they currently use, though it changes often.) This has actually been a thing for a long time now. PIV was initially ISO 7816 only but now it is done via ISO 14443 as well. No batteries or any other energy source whatsoever. And they d
Re: (Score:2)
thank you
Re: (Score:2)
So you're saying that carriers don't know what numbers they assigned to their customers, because some of those numbers might first have been assigned by another carrier to the same customer?
No, as in the same number can be routed to multiple locations. Analogous to anycast in IP networks. For POTS it serves a different purpose, but it's not even relevant to end users, only very large businesses. Bottom line: Your idea won't work.
You've been opinionated a lot but none of your stated reasons hold water.
Because?
Re: (Score:2)
First off, systems are not "computationally intense" because of the use of certs. If anything, certificate based systems are relatively lightweight.
Also, the carrier really has no way of telling if an incoming connection is legit based on its claimed id no matter how suspect the id may look. Call forwarding and number portability dictate that anything you think you know by a glance at the incoming number could be wrong and usually is wrong. As much as everyone wants to stop scam calls, purposely dropp
Re: (Score:2)
No need for routing through a domestic carrier even. Anyone with a non-ip PBX can accept and forward calls with any caller id and the phone system will accept it and pass it on undisturbed, even under STIR/SHAKEN, at least AFAIK but it has been a while since I was in on this shit.
Even with ip based systems, STIR/SHAKEN is a bit of a bag of hammers because it depends on everybody doing the right thing.
Re: (Score:3)
Yeah, just got an obvious scam call just an hour or so ago. A recording plays "Your service is being disconnected today for non-payment. Please press one to talk to a consumer representative... blah blah..." I mean, first, disconnected on Thanksgiving? And *which* service, pray tell? But I'm sure they'll panic a few people into talking to someone... Disgusting parasites...
Re: (Score:1)
It can be fixed, but the US needs to do like other countries and turn the screws on the telcos to use STIR/SHAKEN or some other form of authentication that actually has some decent security.
The reason why CID spoofing is so trivial is that there are no real incentives for telcos to bother with it, and security has no ROI.
Why is caller ID spoofing possible? (Score:5, Informative)
The way this works is simple. When you have a VOIP PBX there is a space for you to enter the caller ID digits in. Whatever you want - there is no built-in capability for anyone to verify this. It is presumed that the people responsible for setting up such phone systems will only put in phone numbers that the owner of the system actually has the use of. It was this way for years.
Now, telemarketers have started using VOIP systems to place international telemarketing calls. It relieves them from burdensome regulations, allows them to utilize the Internet for passing calls around and makes international borders disappear. The fact that they can also give the people they call bogus caller ID information is just a side benefit and makes it harder to block telemarketer calls.
Why do telecom companies allow this? Because it is part of the VOIP specification and they really have no choice. It is possible that some group somewhere is going to propose a new VOIP specification and do away with the current implementation. That should not take more than 10–20 years to finalize and implement worldwide. Then they are going to have to phase out all of the existing systems and devices all over the world. That, on an accelerated pace might take only three years. So I would expect a solution in no more than about 25 years or so.
Re:Why is caller ID spoofing possible? (Score:5, Insightful)
filter.
That said, there are larger VOIP operators that peer with many systems, both VOIP and PSTN. They may handle many phone numbers (even from different countries), so simplistic filtering won't work here. However, consider that this is not terribly different from the way IP networking works - there is essentially no validation of an IP address. It is mostly validated through routing and administrative procedures.
So, if telephony operators wanted to do that - they certainly could (it's no worse than the Internet in terms of technical demands). The answer is that they do not want to, because being able to apply arbitrary phone numbers is very very lucrative. That's unlike the "interwebs" where source IP spoofing is unpleasant at most, and certainly not a moneymaker for anyone.
Follow the money, make it more expensive to not filter/pin down phone numbers than the potential profit from doing so, and technical solutions will be promptly found.
Re: (Score:2)
Re: (Score:2)
You don't just leap directly to the source phone number in this case, since the whole impetus is that you think the source phone number is spoofed.
Each switch in the circuit for the call knows (or should know) what the next upstream and downstream switch is, otherwise you would not have been able to create the circuit. You let the provider for each switch pass the liability to its upstream connection, which will pass it to its own upstream connection in turn. At some point you get to the service provide
Re:Why is caller ID spoofing possible? (Score:5, Informative)
And to be clear, when the calls exit the VOIP system and enter the PSTN, there IS a phone number associated with it, and the phone company knows who owns the line it's entering the PSTN on, because you better bet that when it comes to billing, they are not dropping the ball. And the VOIP provider SHOULD know who the customer is that made a call at a time/date and outbound number on a line they control, as they need to bill the customer. So any VOIP call, spoofed or not, can be tracked back to the gateway and the owner of the lines they used to put the call onto the regular phone network. The real problem is there are no strict "know your customer" rules for VOIP providers so a lot of time it dies there because the VOIP provider accepted bogus info and either stolen or not easily traceable payment. Change the law to make the VOIP provider financially responsible for their customers' misdeeds if they cannot provide authorities a definitive identity for their customers and watch how fast that end of the problem gets fixed.
Re: (Score:2)
To the best of my knowledge, the following only applies to ISDN PRI and CAS trunks;
All carriers can apply 'Call Screening' to a set of TDM trunks. Call Screening just means that the carrier allows the outbound calls to send whatever CID number the PBX outpulses *as long as that number is found in a pre-determined list of numbers that the customer was assigned when the service was turned up*. If the number is not on the list, I believe they just substitute the BTN (Billing Telephone Number). Some carriers al
Re: (Score:2)
Re:Why is caller ID spoofing possible? (Score:4)
Presumably the VoIP provider isn't providing the service for free out of the goodness of their hearts, so they know perfectly well who is making the call. And they can filter based on their customer information the allowed list of phone numbers that can get sent.
So the call can come from anywhere, but it has to be associated with a user otherwise it's a perfect way for others to make phone calls (especially those juicy 1-900 calls) on someone else's dime. And when you're associated with a user, you can limit what phone numbers can be displayed.
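The carrier-side screening described in the two comments above (pass an outbound caller ID only if it is on the list of numbers assigned to that customer, otherwise substitute the Billing Telephone Number), as an added example that is not from any commenter or carrier. The `Trunk` model, the `screen_caller_id` function, the verdict strings and all phone numbers are constructed for illustration, and the 10-digit rule assumes a NANP-style national format.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Trunk:
    """One customer trunk as provisioned by the carrier (constructed model)."""
    btn: str                                        # Billing Telephone Number, +E.164
    assigned: set = field(default_factory=set)      # individually assigned numbers
    did_blocks: list = field(default_factory=list)  # inclusive (first, last) ranges

def normalize(raw, default_cc="1"):
    """Reduce a presented caller ID to +E.164 form, or None if it cannot be one."""
    if not raw:
        return None
    text = raw.strip()
    digits = re.sub(r"[\s().\-]", "", text.lstrip("+"))
    if not digits.isdigit():
        return None
    if not text.startswith("+") and len(digits) == 10:
        digits = default_cc + digits                # assumption: 10 digits = national number
    return "+" + digits if 7 <= len(digits) <= 15 else None

def screen_caller_id(trunk, presented):
    """Return (number_to_send, verdict) for one outbound call attempt."""
    number = normalize(presented)
    if number is None:
        return trunk.btn, "substituted: malformed"
    if number == trunk.btn or number in trunk.assigned:
        return number, "passed"
    for first, last in trunk.did_blocks:
        # Compare numerically, but only against numbers of the same length as the block.
        if len(number) == len(first) and int(first) <= int(number) <= int(last):
            return number, "passed"
    return trunk.btn, "substituted: not assigned to this trunk"

# Constructed sample data: fictional 555-01xx and UK drama-range numbers.
TRUNK = Trunk(btn="+12025550100",
              assigned={"+12025550101"},
              did_blocks=[("+12025550110", "+12025550119")])

if __name__ == "__main__":
    for cid in ["(202) 555-0115", "202-555-0101", "+442079460000",
                "+12025550120", "anonymous", ""]:
        print(repr(cid), "->", screen_caller_id(TRUNK, cid))
```

Logging every substitution together with the trunk identity gives the carrier the per-customer record of attempted spoofing that the traceback arguments in this thread rely on.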
Re: (Score:2)
"When you use VOIP no calling number is available when the call moves to the PSTN. Literally, the call is anonymous. No way to figure it out at all."
The call does not magically appear on my phone. It is connected by my phone provider. The liability moves upstream one stage.
The call does not magically appear on my phone provider's network. Something connects to them. The liability moves upstream one stage. There may be a series of such stages.
The VOIP provider knows who to bill for the usage, therefore they
Caller ID is the real problem (Score:2)
Re: (Score:1)
Re: (Score:3)
or not answer the phone
I let Lenny take all my calls.
Average Stolen? (Score:2)
$58.2 million of losses to 200,000 identified victims in the U.K., according to the Met Police. One victim was scammed out of $3.64 million, while the average amount stolen was $12,100
My arithmetic might be a bit rusty, but I make that average to be £291.
Humans are sick (Score:2)
Who would conceive and do this thing? Their brain must have serious deficiencies if they cannot feel any empathy doing this stuff. Wonder if it was intrinsic or the redoubt of some kind of abuse and negative experiences.
Re: (Score:2)
And it will get worse as people become more authoritarian, greedy, abusive, and have control of others and become Jesus and God over them.
"Look at me, you are locked in your cell and here I am on the outside holding the keys and dancing. Go fuck yourself! Kee kee kee kee!"