Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
United States Security

US Authorities Seize iSpoof, a Call Spoofing Site That Stole Millions (techcrunch.com) 38

An international police operation has dismantled an online spoofing service that allowed cybercriminals to impersonate trusted corporations to steal more than $120 million from victims. From a report: iSpoof, which now displays a message stating that it has been seized by the FBI and the U.S. Secret Service, offered "spoofing" services that enabled paying users to mask their phone numbers with one belonging to a trusted organization, such as banks and tax offices, to carry out social engineering attacks. "The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords," Europol said in a statement on Thursday. "The users were able to impersonate an infinite number of entities for financial gain and substantial losses to victims."

London's Metropolitan Police, which began investigating iSpoof in June 2021 along with international law enforcement agencies, in the U.S., the Netherlands, and Ukraine, said it had arrested the website's suspected administrator, named as Teejai Fletcher, 34, charged with fraud and offenses related to organized crime. Fletcher was remanded to custody and will appear at Southwark Crown Court in London on December 6. iSpoof had around 59,000 users, which caused $58.2 million of losses to 200,000 identified victims in the U.K., according to the Met Police. One victim was scammed out of $3.64 million, while the average amount stolen was $12,100.

This discussion has been archived. No new comments can be posted.

US Authorities Seize iSpoof, a Call Spoofing Site That Stole Millions

Comments Filter:
  • ispooof, not ispoof (Score:5, Informative)

    by echo123 ( 1266692 ) on Thursday November 24, 2022 @12:47PM (#63077238)

    https://ispoof.cc/ [ispoof.cc] has been seized by the Feds, but https://ispooof.cc/ [ispooof.cc] is open for business. For greater detail, may I refer you to https://www.whois.com/whois/is... [whois.com]?

  • by Chagar ( 7037134 ) on Thursday November 24, 2022 @12:54PM (#63077248)
    Here's an idea, fix the damn phone system so it can't be easily spoofed. It's been suggested fixing callerid for many years now but it would cost the phone companies numbers. So no go ...
    • by david.emery ( 127135 ) on Thursday November 24, 2022 @01:07PM (#63077270)

      Actually, progress is slow but being made on caller ID: https://en.wikipedia.org/wiki/... [wikipedia.org] But more significantly, FCC is -finally- cracking down on companies that have not implemented STIR/SHAKEN: https://www.cnn.com/2022/11/22... [cnn.com]

      I still get a lot of crap calls, so there's work to be done.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        That is a typical techie solution ("oh! I know! We'll throw PKI at it!") for what is ultimately a regulatory problem. And it doesn't fix POTS.

        The simple fix is for the telcos to filter: Check that the incoming call carries a caller ID number that is at least vaguely in range. So a call coming in from the neighbouring country doesn't get to say it's from some other country, much less the local police station. Same with customer connections, even if they have signalling protocol access. And telecom is a heav

        • That's a very poor understanding of the problem on your part, not to mention you literally argued that a technical solution won't work and then suggested a technical solution.

          The problem is the calls are being routed through a domestic carrier who then acts as the originator, then looks the other way when they provide fake caller ID data. Regulation is now in place so that the FCC can effectively ban carriers that do this, which is what the article said is happening.

          • No need for routing through a domestic carrier even. Anyone with a non-ip PBX can accept and forward calls with any caller id and the phone system will accept it and pass it on undisturbed, even under STIR/SHAKEN, at least AFAIK but it has been a while since I was in on this shit.

            Even with ip based systems, STIR/SHAKEN is a bit of a bag of hammers because it depends on everybody doing the right thing.

      • Yeah, just got an obvious scam call just an hour or so ago. A recording plays "Your service is being disconnected today for non-payment. Please press one to talk to a consumer representative... blah blah..." I mean, first, disconnected on Thanksgiving? And *which* service, pray tell? But I'm sure they'll panic a few people into talking to someone... Disgusting parasites...

    • by Anonymous Coward

      It can be fixed, but the US needs to do like other countries and turn the screws on the telcos to use STIR/SHAKEN or some other form of authentication that actually has some decent security.

      The reason why CID spoofing is so trivial is that there are no real incentives for telcos to bother with it, and security has no ROI.

  • by daten ( 575013 ) on Thursday November 24, 2022 @01:04PM (#63077262)
    When you use VOIP no calling number is available when the call moves to the PSTN. Literally, the call is anonymous. No way to figure it out at all. So a requirement of VOIP is that the calling party supplies the caller ID information.

    The way this works is simple. When you have a VOIP PBX there is a space for you to enter the caller ID digits in. Whatever you want - there is no built-in capability for anyone to verify this. It is presumed that the people responsible for setting up such phone systems will only put in phone numbers that the owner of the system actually has the use of. It was this way for years.

    Now, telemarketers have started using VOIP systems to place international telemarketing calls. It relieves them from burdensome regulations, allows them to utilize the Internet for passing calls around and makes international borders disappear. The fact that they can also give the people they call bogus caller ID information is just a side benefit and makes it harder to block telemarketer calls.

    Why do telecom companies allow this? Because it is part of the VOIP specification and they really have no choice. It is possible that some group somewhere is going to propose a new VOIP specification and do away with the current implementation. That should not take more than 10â"20 years to finalize and implement worldwide. Then they are going to have to phase out all of the existing systems and devices all over the world. That, on an accelerated pace might take only three years. So I would expect a solution in no more than about 25 years or so.

    • by ugen ( 93902 ) on Thursday November 24, 2022 @01:28PM (#63077322)

      filter.

      That said, there are larger VOIP operators that peer with many systems, both VOIP and PSTN. They may handle many phone numbers (even from different countries), so simplistic filtering won't work here. However, consider that this is not terribly different from the way IP networking works - there is essentially no validation of an IP address. It is mostly validated throgh routing and administrative procedures.

      So, if telephony operators wanted to do that - they certainly could (it's no worse than the Internet in terms of technical demands). The answer is that they do not want to, because being able to apply arbitrary phone numbers is very very lucrative. That's unlike the "interwebs" where source IP spoofing is unpleasant at most, and certainly not a moneymaker for anyone.

      Follow the money, make it more expensive to not filter/pin down phone numbers than the potential profit from doing so, and technical solutions will be promptly found.

      • Is that actually true? A TCP connection sends packets back to the source. If the source real address 2.2.2.2 lies about its source address, say 1.1.1.1 (and is possible to do that) then the destination is going to send packets to 1.1.1.1 which are going to be routed to the real 1.1.1.1 address and no connection will be created. And no telephony does not want to do that, because your bank for example wants the destination to think the call is coming from the bank main number even though it is coming from a e
        • You don't just leap directly to the source phone number in this case, since the the whole impetus is that you think the source phone number is spoofed.

          Each switch in the circuit for the call knows (or should know) what the next upstream and downstream switch is, otherwise you would not have been able to create the circuit. You let the provider for each switch pass the liability to its upstream connection, which will pass it to its own upstream connection in turn. At some point you get to the service provide

    • by EvilSS ( 557649 ) on Thursday November 24, 2022 @02:33PM (#63077454)
      This actually pre-dates VOIP, going back to the beginnings of caller ID. Companies with PBX systems generally have more phones than lines, so the PBX grabs a line, ties it to the dialing phone on the system, and because the numbers assigned to the DIDs is usually useless, the system allows the PBX to set the caller ID info for the line. My old ISDN line allowed me to do this and yes, I had some fun with it back in the day. VOIP just made it a lot cheaper and easier to do. Problem is, the system wasn't built with the idea that it could be easily and cheaply abused so it's always worked on the honor system. SHAKEN/STIR is a potential fix but honestly, the system really should be setup to only allow Caller ID assignments to numbers owned by the customer associated with the physical lines they go out on, or a system to associate them to a VOIP provider's lines with some proof that you are the person or company that those numbers are assigned to. If you try to set a caller ID not associated with the account the lines are billed to the call should fail.

      And to be clear, when the calls exit the VOIP system and enter the PSTN, there IS a phone number associated with it, and the phone company knows who owns the line it's entering the PSTN on, because you better bet that when it comes to billing, they are not dropping the ball. And the VOIP provider SHOULD know who the customer is that made a call at a time/date and outbound number on a line they control, as they need to bill the customer. So any VOIP call, spoofed or not, can be tracked back to the gateway and the owner of the lines they used to put the call onto the regular phone network. The real problem is there are no strict "know your customer" rules for VOIP providers so a lot of time it dies there because the VOIP provider accepted bogus info and either stolen or not easily traceable payment. Change the law to make the VOIP provider financially responsible for their customers misdeeds if they cannot provide authorities a definitive identity for their customers and watch how fast that end of the problem gets fixed.
      • To the best of my knowledge, the following only applies to ISDN PRI and CAS trunks;

        All carriers can apply 'Call Screening' to a set of TDM trunks. Call Screening just means that the carrier allows the outbound calls to send whatever CID number the PBX outpulses *as long as that number is found in a pre-determined list of numbers that the customer was assigned when the service was turned up*. If the number is not on the list, I believe they just substitute the BTN (Billing Telephone Number). Some carriers al

        • by EvilSS ( 557649 )
          I can't think of any reason they could not, after all the VOIP calls have to translate to the PSTN at the gateway and travel through a telco switch. The VOIP carrier is going to have the equivalent of BTNs for their lines (the billing systems are all designed around things on the network being assigned a number). I suspect they felt like it's too much trouble to implement (although SHAKEN/STIR isn't exactly a lightweight implementation). I think one problem is a lot of these VOIP services are using shady CL
    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Thursday November 24, 2022 @02:56PM (#63077492)

      When you use VOIP no calling number is available when the call moves to the PSTN. Literally, the call is anonymous. No way to figure it out at all. So a requirement of VOIP is that the calling party supplies the caller ID information.

      Presumably the VoIP provider isn't providing the service for free out of the goodness of their hearts, so they know perfectly well who is making the call. And they can filter based on their customer information the allowed list of phone numbers that can get sent.

      So the call can come from anywhere, but it has to be associated with a user otherwise it's a perfect way for others to make phone calls (especially those juicy 1-900 calls) on someone else's dime. And when you're associated with a user, you can limit what phone numbers can be displayed.

    • "When you use VOIP no calling number is available when the call moves to the PSTN. Literally, the call is anonymous. No way to figure it out at all."

      The call does not magically appear on my phone. It is connected my my phone provider. The liability moves upstream one stage.

      The call does not magically appear on my phone provider's network. Something connects to them. The liability moves upstream one stage. There may be a series of such stages.

      The VOIP provider knows who to bill for the usage, therefore they

  • The real problem is caller ID, there is no security in the system at all.
  • Comment removed based on user account deletion
  • $58.2 million of losses to 200,000 identified victims in the U.K., according to the Met Police. One victim was scammed out of $3.64 million, while the average amount stolen was $12,100

    My arithmetic might be a bit rusty, but I make that average to be £291.

  • Who would conceive and do this thing? Their brain must have serious deficiencies if they cannot feel any empathy doing this stuff. Wonder if it was intrinsic or the redoubt of some kind of abuse and negative experiences.

    • And it will get worse as people become more authoritarian, greedy, abusive, and have control of others and become Jesus and God over them.

      "Look at me, you are locked in your cell and here I am on the outside holding the keys and dancing. Go fuck yourself! Kee kee kee kee!"

       

Genius is ten percent inspiration and fifty percent capital gains.

Working...