CLI Spoofing

What is Spoofing?
Calling Line Identification (CLI) spoofing is a technique used in mobile network fraud where the caller deliberately falsifies the phone number or the caller ID information that appears on the recipient’s device.
There are two types of call spoofing: local and international.
Local call spoofing is used by a fraudster to lend credibility to an attack. In spoofing generally, fraudsters change the CLI in order to disguise their identity or location. Typically, these attacks are used to mislead subscribers into subsequently disclosing sensitive information using phishing techniques.
In local call spoofing in particular, the CLI appears as a local number, or mimics the actual number of a real company or person, often expected to be known to the called party (e.g., the number of a local bank). Perpetrators often leverage victim information from data breaches to enhance the authenticity of their attacks, such as knowing the victim’s name or address before initiating a call.
Similar to the local call spoofing case, in international call spoofing the CLI is changed to disguise identity, but in this case the CLI takes on an international format. Generally, with spoofing:
● Fraudsters may use constantly changing spoofed numbers to attempt to evade detection by a fraud management system (FMS). This technique is often seen with many robocalls and flash calls.
● In Wangiri calls, fraudsters may also spoof numbers from high-cost destinations to induce IRSF calls back to the expensive destinations.
Call refiling can also be employed, where fraudsters manipulate call routing to alter originating information, disguising the true source of the call and bypassing legitimate tariffs.
Why is Spoofing Performed by Fraudsters?
The spoofing is typically done by manipulating the data that is transmitted to the recipient’s phone when a call is made. Across both local and international attacks, the goal of CLI spoofing can vary, but common motivations include:
● Hiding the real identity: The caller might want to conceal their true phone number, often for privacy reasons.
● Impersonation: In some cases, attackers use CLI spoofing to impersonate a trusted entity, such as a bank, a service provider, or a company, to carry out social engineering or phishing attacks or fraudulent activities.
As outlined in our last Cellusys Blog on IRSF, CLI spoofing can be used as a vector to subsequently carry out an IRSF attack, and this could, of course, involve both revenue bypass and call destination falsification.
A Snapshot of the Regulatory Reaction
Mobile phone networks traditionally used SS7 signalling which, while certainly not infallible, was more specialised than IP-based protocols. For voice calls and signalling, mobile networks now use the SIP protocol, which is based on IP. This is more common globally, but while it represents a unification of protocols across telecoms services, it also requires less knowledge of underlying specialised protocols to manipulate, and there is less regulation of this protocol.
There is limited regulation of IP standards globally. While some standards such as GSMA IR65 exist, this protects only the tunnel. The interconnect section (arguably the weakest) is not fully protected by a standard, yet.
Globally there are a number of fragmented solutions imposed by national telecommunication regulators. While regulatory involvement in this global issue is of course welcome, this fragmentation can lead to a lack of uniformity and create gaps in mobile operator responses, which of course will be filled by fraudsters.
Country | DNO List | Roaming Status Check | STIR/SHAKEN |
Germany | Yes (Emergency, high security numbers) | Yes (CAMEL used) | No |
United Kingdom | Yes | Partially | No |
USA | Yes | Yes | Yes |
Canada | Yes | Yes | Yes (Similar philosophy to the US) |
Poland | Yes | Yes | |
France | Yes | No | Yes |
Ireland | Yes | Yes | No (Voice Firewalls will be required however) |
The value of each of these regulatory mitigation approaches is explained below.
DNO List
DNO lists, or Do-Not-Originate lists, consist of numbers that should not be used to originate calls. These lists help detect and block calls where the caller ID has been falsified. The data for DNO lists can come from various sources, such as:
● Numbers that are invalid according to the national numbering plan.
● Numbers that have not been assigned to any user.
● Valid numbers specifically designated for receiving calls only.
● Numbers flagged as sources of fraudulent or nuisance activity.
● Disconnected numbers or numbers currently being reassigned.
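A DNO screen built from the five sources listed above, as an added example rather than Cellusys code. The numbering plan, country code 999 (reserved in E.164) and every number in it are constructed for illustration, and the names `normalise` and `dno_verdict` are hypothetical.

```python
import re

# Constructed numbering plan for a hypothetical operator. Country code 999 is
# reserved in E.164, so none of these are real numbers.
CC = "999"
NSN_LENGTH = 9                           # national significant number length
ASSIGNED_PREFIXES = ("70", "71", "20")   # ranges allocated under the plan

# DNO entries keyed by E.164 digits without "+". Each key is matched as a
# prefix, so an entry can be a single number or a whole block.
DNO = {
    "99971999":     "unassigned",        # block not yet given to any user
    "999200000001": "receive_only",      # inbound-only service number
    "999700123456": "flagged_fraud",     # reported nuisance source
    "999710000042": "disconnected",      # awaiting reassignment
}

def normalise(cli: str) -> str:
    """Return E.164 digits without '+', from +CC, 00CC or national 0-prefixed forms."""
    digits = re.sub(r"[^\d+]", "", cli)
    if digits.startswith("+"):
        return digits[1:]
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return CC + digits[1:]
    return digits

def dno_verdict(cli: str) -> str:
    """Classify a presented calling number: a DNO reason, or 'allow'."""
    num = normalise(cli)
    if not num.startswith(CC):
        return "allow"                   # foreign CLIs are outside this national list
    nsn = num[len(CC):]
    if len(nsn) != NSN_LENGTH or not nsn.startswith(ASSIGNED_PREFIXES):
        return "invalid_numbering_plan"
    # Longest matching prefix wins, so a single number can override its block.
    hits = [p for p in DNO if num.startswith(p)]
    return DNO[max(hits, key=len)] if hits else "allow"
```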
STIR/SHAKEN
STIR/SHAKEN is a framework designed to combat caller ID spoofing and improve trust in voice communications. It consists of two components: Secure Telephone Identity Revisited (STIR), a set of technical standards, and Signature-based Handling of Asserted Information Using Tokens (SHAKEN), a framework for implementing these standards within service providers’ networks.
Together, STIR/SHAKEN uses digital certificates based on public key infrastructure (PKI) to verify the authenticity of a call’s origin. When a call is made, the originating service provider signs the caller ID information with a digital signature, which the terminating provider can validate to ensure the caller ID is not spoofed.
This system enhances call security by allowing service providers to attach trust levels to calls, indicating whether the caller ID can be authenticated. Calls that pass STIR/SHAKEN validation provide a higher level of confidence to users and can help filter out potentially fraudulent or spam calls. While it is primarily implemented in IP-based networks, efforts are ongoing to extend its benefits to legacy systems.
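The claim checks a terminating provider runs on the signed token (a PASSporT) once its signature has been validated, shown as an added example that is not part of the original article. It assumes the ES256 signature was already verified against the certificate referenced by `x5u`; the sample token, its certificate URL and all numbers are constructed, and the function names are hypothetical.

```python
import base64
import json

MAX_AGE_S = 60  # freshness window applied to the "iat" claim

def b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def sample_token(orig_tn, dest_tn, iat, attest="A", ppt="shaken"):
    """Constructed PASSporT; certificate URL and signature are placeholders."""
    header = {"alg": "ES256", "typ": "passport", "ppt": ppt,
              "x5u": "https://cert.example/sp.pem"}
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    return f"{b64url(header)}.{b64url(payload)}.PLACEHOLDER_SIGNATURE"

def check_passport_claims(token, sip_from_tn, sip_to_tn, now):
    """Compare PASSporT claims with the SIP request they arrived on.

    Assumes the ES256 signature has already been verified against the
    certificate referenced by x5u; this function covers the claims only.
    """
    try:
        header, payload = (b64url_decode(p) for p in token.split(".")[:2])
        hdr = (header.get("alg"), header.get("typ"), header.get("ppt"))
        orig_tn, dest_tns = payload["orig"]["tn"], payload["dest"]["tn"]
        attest, age = payload["attest"], abs(now - payload["iat"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed"
    if hdr != ("ES256", "passport", "shaken") or not header.get("x5u"):
        return False, "wrong_header"
    if attest not in ("A", "B", "C"):
        return False, "bad_attest"
    if age > MAX_AGE_S:
        return False, "stale"            # replayed or delayed token
    if orig_tn != sip_from_tn:
        return False, "orig_mismatch"    # signed number is not the CLI presented
    if sip_to_tn not in dest_tns:
        return False, "dest_mismatch"    # token was issued for a different call
    return True, f"attest={attest}"
```

The attestation value returned on success is the trust level: A for a fully attested caller and number, B for a known customer with an unverified number, C for a call that merely entered through the signer's gateway.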
Roaming Status Check
Location Check is a telecom feature used to verify whether a number is registered in the home network or a visited (roaming) network. This involves sending location queries, such as MAP or Diameter requests, to the Home Location Register (HLR) to retrieve location data of the A-Party of the call. A key principle is that a local mobile number not indicating roaming should not appear on interconnect links; if it does, this may indicate a spoofed call. Location Check addresses scenarios such as roaming, call forwarding, freephone services, ported subscribers and call transfers, distinguishing legitimate calls from potentially fraudulent ones. In CAMEL networks, CAP signalling can be used to analyse call origins and detect anomalies in real time, with traffic captured using probes or monitoring systems.
While real-time implementation presents challenges, such as the need to instantly cache Initial Detection Points (IDPs), this approach provides a methodical way to identify spoofing and enhance call verification accuracy.
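The decision logic of a roaming status check on a call received over an interconnect link, as an added example that is not taken from the Cellusys product. The HLR, porting and IDP tables are constructed stand-ins for live MAP/Diameter and CAP data, the number ranges use the reserved country code 999, and the rule for matching a cached IDP within a time window is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional

HOME_PREFIX = "99970"      # constructed home mobile range (CC 999 is reserved)
HOME_VLR_PREFIX = "99970"  # assumption: home VLR addresses share this prefix
IDP_WINDOW_S = 10          # assumed max gap between CAP IDP and call arrival

@dataclass
class Call:
    a_number: str
    b_number: str
    arrived_at: float
    redirecting_number: Optional[str] = None  # present on forwarded calls

# Constructed lookups standing in for live network data.
HLR = {"999700000001": "9997000900",      # A-number -> serving VLR address
       "999700000002": "99988000900"}     # VLR outside the home range: roaming
PORTED_OUT = {"999700000003"}
IDP_CACHE = {("999700000002", "999700000009"): 1000.0}  # (A, B) -> IDP time

def roaming_status_check(call, hlr=HLR, ported_out=PORTED_OUT, idp_cache=IDP_CACHE):
    """Verdict for a call that arrived on an interconnect trunk."""
    a = call.a_number
    if not a.startswith(HOME_PREFIX):
        return "not_home_number"          # check covers our own range only
    if a in ported_out:
        return "skip_ported_out"          # served by another operator now
    if call.redirecting_number:
        return "skip_forwarded"           # forwarding keeps the original CLI
    vlr = hlr.get(a)                      # stands in for the MAP/Diameter query
    if vlr is None:
        return "suspect_unknown_subscriber"
    if vlr.startswith(HOME_VLR_PREFIX):
        return "suspect_not_roaming"      # at home, yet the call came from outside
    seen = idp_cache.get((a, call.b_number))
    if seen is not None and 0 <= call.arrived_at - seen <= IDP_WINDOW_S:
        return "roaming_confirmed_by_idp"
    return "roaming_no_idp"               # roaming, but no matching CAMEL IDP
```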
The Scale of the Issue
In 2021 and 2022, ispoof.cc was a freely available website used by many people to make unauthorised phone calls while displaying a CLI falsely indicating that they were legitimate callers. It was part of an investigation by numerous law enforcement agencies into frauds enabled by this CLI spoofing technique. It was shut down in November 2022 as the result of Operation Elaborate, a multi-agency investigation led by the Met Police in the UK, their Dutch counterparts, the FBI, Europol and others including the Gardai Siochana in Ireland.
At one point as many as 20 people every minute were being targeted by callers using technology bought from the site. In total, there were victims in 158 countries and fraudsters were tracked in 40 countries. The Dutch police managed to tap into the service’s servers and listen to calls, and in doing so entrap the fraudsters responsible. All of this shows the gall and impudence of those running the service.
However, to use another Dutch example, the little boy with his finger in the dyke… the issue has not gone away; it has simply transmogrified and now appears in different locations under different guises.
This was outlined in the recent Cellusys paper, Combatting International Voice Fraud: in one Eastern European country, a mobile network operator with 8 million subscribers experienced over 50 million instances of CLI spoofing last year. Additional resources on this issue are available from both the GSMA and the Global Cybersecurity Forum.
Detection of Suspicious Calls
A large number of mobile networks already have a signalling firewall platform deployed to combat signalling security issues and fraud. Typically, these firewalls integrate into the core network and have the ability to process and decode the full signalling stack as well as communicate with external intelligence in order to analyse and detect threats.
Within the core network, calls can be routed via ISUP or SIP. Additionally, the CAMEL or INAP protocols can be utilised to intercept and control potentially fraudulent calls. Firewalls provide real-time visibility of calls and the capability for total control over these calls. This can add value in numerous areas, including combatting the frauds outlined earlier in this blog, billing verification and roaming experience.
Based on detection of fraudulent calls, the firewall allows for immediate automatic enforcement of protection policies against detected numbers and detected fraud cases. This includes call spoofing: local call spoofing in particular is commonly used by fraudsters to lend credibility to an attack, and the firewall application can mitigate these types of attacks. Fraudsters may use constantly changing spoofed numbers to attempt to evade detection by anti-fraud systems, which is commonly seen in many robocalls and flash calls.
Beyond internal analysis of calls, the Cellusys firewall can talk to other network nodes such as existing fraud management systems, either to ingest data to improve its own analysis or to output the results of its processing elsewhere. It already functions in a variety of national anti-fraud systems whereby local MNOs communicate with each other and/or with national regulators. This kind of cooperation can be hugely beneficial to detecting and stopping all kinds of voice fraud.
Informing Users of Suspicious Calls
The Cellusys firewall platform has an option to label calls as “Scam Likely” upon receipt. With this feature, operators don’t block calls outright, but instead allow subscribers to receive them, just in case they are legitimate. While it’s highly unlikely that a genuine call will be flagged as a scam, this feature ensures your subscribers are warned before answering a call from a known scammer’s number. This functions in the same way as the perhaps more familiar email spam filters and correspondingly, anti-scam features must provide accurate call filtering. This is to prevent legitimate calls from being mistakenly flagged as spam (false positives).
The Cellusys Firewall has a number of configurable actions when such a suspicious number enters the network:
1. Drop Call (configurable release code)
2. Continue Call
3. Redirect call (e.g. to an IVR)
4. Modify Caller ID (e.g. Scam Likely, as shown in the accompanying blog image)
Conclusion
● CLI spoofing is a serious issue in mobile networks, with implications for privacy, security, and trust, not to mention revenue loss for operators and subscribers alike.
● It is widely exploited by scammers and fraudsters and has become an attack vector or way in for subsequent frauds.
● Mitigating its impact requires a combination of technology, regulation, and consumer education.
● Detection and prevention require sophisticated systems such as the Cellusys Voice Firewall that provides visibility and control, across all protocols, of voice traffic.
If you’re working in telecommunications, combating IRSF requires effective fraud management systems, continuous vigilance and collaboration with ecosystem partners.