Handling Caller ID Spoofing?

An anonymous reader writes "A nice little old lady I know has had her number spoofed by some car warranty scammers. They're calling hundreds of potential victims per day pretending to use her phone number, and the angry ones call her back; some of them have even left death threats. She's terrified. Some well-intending anti-telemarketing folks have posted her address on the 'net as well. How can we figure out where these scammer bastards are, and what's the state of the current legislation to prevent caller ID spoofing? I called the FBI in Boston (near where she lives) and they said they can't help. She's called her phone company, but they said they can't help either. She's had the same number for over 50 years and doesn't want to change it." If the Feds can't or won't handle it, what's the best approach here?

Election Time

[jaredmauch]

Call local elected reps (state & federal) saying that you're unable to get anyone to deal with the issue. Call the FBI in DC as well. If she's getting interstate death threats, that's illegal and the FBI can call the people back. I've had good luck with my local FBI office (Ann Arbor) when I received an interstate death threat.

Call the FCC?

[urbanriot]

In Canada, we have a governing body similar to your FCC called the CRTC. Whenever we have such problems we can contact them and they'll conduct an investigation. So far I've put an end to three instances of harassing telemarketing / late night fax blitzing. I'd contact the FCC next, see what they have to say. Someone somewhere is in charge of moderating this...

Call the FBI and telco again

I'd call the FBI and the telephone company again. Be firm but polite when asking for help. Get names and phone numbers of everyone you talk to. If that person says no, ask for the next person up in the chain of command.

Oftentimes, people just don't know how to ask for help correctly when contacting an agency such as the FBI or telephone company. If she can't clearly articulate the problem to the person on the other end of the phone they simply might not be aware of the issue or its ramifications.

If you're able to clearly articulate the issue and still get denied, start writing letters. To the SAC of the local FBI office, or as high up as you can go to the telco. And as others suggested, contact the media: the local newspaper omsbudman, the local TV station's investigative reporter. And also as others have suggested contact your local elected representatives.

I'm not defending the FBI or phone company, but I've seen instances where a problem simply isn't stated clearly enough for the other party to understand what's going on. So the first thing to do is ensure that when the FBI and telco are involved, that the problem is stated in correct terms (and that you're talking to the proper person in the organization).

Re:same here

[Z00L00K]

The phone companies shall have so called call data records, often declared as CDR:s. These provide information about the calls made to/from a certain number. Using these records it is possible to back-track the phone call to the originating operator. The phone companies have a lot of information available to allow for tracking, but since it requires a lot of work to dig through the data they are very reluctant to do so.

Another way is to catch on to the caller and check who purchased their service and then follow the money trail.

Unfortunately it is possible that the caller that spoofs the number is offshore somewhere.

And if the FBI won't help, I suggest that you also check other channels of law enforcement and keep everything in writing so that you have a history to refer to. Taking help from a lawyer may be one way to continue this. It's always interesting if you can get in touch with the right lawyer who knows which buttons to push to get some results.

Re:Vigilante Justice ala Slashdot Anyone?

[Lookin4Trouble]

http://www.digitcom.net/

Re:Ouch

[JTorres176]

I've worked accounts receivable before. If you call a company and don't like the answer you get, be polite, say thank you, then hang up. Call back immediately and 9 times out of 10, you get a different person. It's called "shopping", and people do it with doctors, salesmen, and even government offices. Call back until you get the answer you want or someone who's willing to help.

Phone logs and the FTC

[killmofasta]

Dosn't matter a bit FBI? CIA? RGB? TFB?

If she was getting call backs, she should tell EVERY ONE WHO CALLS, AWS are scammers, and they should register with the FTC: and START Signed and dated PHONE LOGS. Every one I hear gets these phone calls, I show them the origional post card that started it all, and my phone log. I have clued in about 20 people, and we have filed over 15 reports for illegal telemarketing contact, i.e. Dont call EVER, and ... they ... call @ $500 per complaint.

http://www.ftc.gov/

Scammer name:
Automotive Warranty Solutions
6501 congress ave, ste 140, boca raton, fl 33487
877-700-5880,
Call their 800 number, and ask to be put on their do not call list. ( just everone call plz )

This is a Attorney General who is taking this problem seriously. ( Note: California and Florida are probibly NOT ):

http://www.ct.gov/AG/cwp/view.asp?A=2795&Q=411422

a blogger who did a lot of flatfoot work:

http://www.markturner.net/2007/11/08/car-warranty-scam-continued/

Remember: REMEMBER! Documented phone logs make diffrence. If you can document DNC and the call back time and date. Give them a call and get on their DNC list ANYWAY. So when they do call...

Caller ID spoofing - ILLEGAL

[Phil_at_EvilNET]

The US Senate Committee on Commerce, Science, and Transportation passed S. 704, a bill that would make it a crime to spoof caller ID.

Dubbed the "Truth in Caller ID Act of 2007," the bill would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement is exempted from the rule.

Specifically these sections:

SEC. 2. PROHIBITION REGARDING MANIPULATION OF CALLER IDENTIFICATION INFORMATION.

Section 227 of the Communications Act of 1934 (47 U.S.C. 227) is amended -

(1) by redesignating subsections (e), (f), and (g) as subsections (f), (g), and (h), respectively; and

(2) by inserting after subsection (d) the following new subsection:

`(e) Prohibition on Provision of Inaccurate Caller Identification Information. -

`(1) IN GENERAL - It shall be unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value, unless such transmission is exempted pursuant to paragraph (3)(B).

`(3) REGULATIONS -

`(A) IN GENERAL - Not later than 6 months after the enactment of this subsection, the Commission shall prescribe regulations to implement this subsection.

`(B) CONTENT OF REGULATIONS -

`(i) IN GENERAL - The regulations required under subparagraph (A) shall include such exemptions from the prohibition under paragraph (1) as the Commission determines is appropriate.

`(ii) SPECIFIC EXEMPTION FOR LAW ENFORCEMENT AGENCIES OR COURT ORDERS - The regulations required under subparagraph (A) shall exempt from the prohibition under paragraph (1) transmissions in connection with -

`(I) any authorized activity of a law enforcement agency; or

`(II) a court order that specifically authorizes the use of caller identification manipulation.

Law enforcement is negligent if they fail to take action. IMO - If the Law doesn't work, the local newspaper and/or television station might get the ball rolling.

Re:same here

[Phrack]

A CDR may or may not have accurate information as to the source of the call. If the call is entirely local (the LEC handles call termination on both ends as well as transit), then it should have all the information. However, if the call transits a different carrier, then the LEC that handles termination for the target of the scammer only knows the caller ID that was passed to it from the transit carrier. If it's unknown, then that's what is passed into the CDR. You may be able to glean other source information about the handoff to the transit carrier, then get THEM involved to find the call that was routed to that handoff at that time, and so on.

Oh, and since those aren't her calls (the scammer wasn't calling HER), then you must have a subpoena. If one of the scam targets cooperates, then THEY might be able to request their own records, but to get intervening carriers to cooperate, you'll need a lawyer or law enforcement. I'd try the latter, first. Keywords like "terroristic threats" and such may get you some attention. Once you know it crosses state lines, and perhaps some idea of how wide sweeping the scope is, then you might have something the FBI can/will look at. Try your local state bureau of investigation first, as they may have more immediate resources.

Ob. disclaimer: Though employed in telecom, I am not a lawyer.

Re:Ouch

[IP_Troll]

Wrong, neither of those entities are supposed to take care of this king of thing.

The correct agencies are the FCC and the FTC.

Here is an article about Caller ID fraud that gives the contact name and number for the FTC investigator in charge of this kind of thing.
http://www.ftc.gov/opa/2006/05/scorpio.shtm

It is from 2006, so the hierarchy may have changed, but it will send you to the right office. It the number doesn't work call - 1-877-FTC-HELP

Re:same here

[twistedsymphony]

on my voice mail it says to "enter your password followed by the # key" but if you're calling from the number associated by the account you can simply press "#" and get your voice mail... it doesn't say it on the message but that's how it works.

Re:same here

[CyberVenom]

Actually, I am sure that ANI is what is being spoofed here. (I have received calls from the same group myself.) ANI can be spoofed if the originating carrier allows, which is common practice for high-volume outbound automated calling campaigns. It is usually used legitimately to provide a number via which the called party can call back later if they miss the call or are disconnected.

(I work for a company which legitimately performs this sort of high-volume outbound calling.)

One other thing to note - this is actually the jursidiction of the FCC, not the FBI (at least not yet). As soon as you can prove that there is some sort of actual fraud going on beyond just violating FCC rules, then they might get involved.

Re:same here

[quetwo]

There are two "caller-id" fields that are sent in SS7 (the out-of-band signaling that occurs between telcos) -- the BTN (Bill To Number), and the CPN (Calling Party Number). The BTN refers to the actual carrier, and account number that is placing the call, and the CPN is what is displayed by consumer Caller-ID units.

Large customers who have direct access to SS7 information over ISDN would be able to pick up the BTN, which would identify, at the very worst, the caller's local exchange carrier.

The phone companies are not allowed to reveal the BTN to a consumer or police agency without a signed subpoena by a judge with jurisdiction of the crime. The only exception to the rule seems to be the whitehouse, but that is a different matter all together. There are direct FCC violations to reveal that information without the proper paperwork.

As far as the lady keeping her phone number, that is akin to somebody keeping their credit card number after fraud. Yes, it is the number that she has had for years, and its the number that everybody knows, but in all honesty, the number is black listed now. She hasn't had the number for 50 years, as in the 70's going into the 80's NuStar renumber all the phone numbers from 4,5, and 6 digits to 10 digit numbers.