Naked Security

Voice-scamming site “iSpoof” seized, 100s arrested in massive crackdown

Those numbers or names that pop up when a call comes in? They're OK as a hint of who's calling, but THEY PROVE NOTHING

These days, most of us have telephones that display the number that’s calling before we answer.

This “feature” actually goes right back to the 1960s, and it’s known in North American English as Caller ID, although it doesn’t actually identify the caller, just the caller’s number.

Elsewhere in the English-speaking world, you’ll see the name CLI used instead, short for Calling Line Identification, which seems at first glance to be a better, more precise term.

But here’s the thing: whether you call it Caller ID or CLI, it’s no more use in identifying the caller’s actual phone number than the From: header in an email is at identifying the sender of an email.

Show what you like

Loosely speaking, a scammer who knows what they’re doing can trick your phone into displaying almost any number they like as the source of their calls.

Let’s think through what that means.

If you get an incoming call from a number you don’t recognise, it almost certainly hasn’t been made from a phone that belongs to anyone you know well enough to have in your contact list.

Therefore, as a cybersecurity measure aimed at avoiding calls from people you don’t wish to hear from, or who could be scammers, you could use the jargon phrase low false positive rate to describe the effectiveness of CLI.

A false positive in this context represents a call from someone you do know, calling from a number it would be safe to trust, being misdetected and wrongly blocked because it’s a number you don’t recognise.

That sort of error is unlikely, because neither friends nor scammers are likely to pretend to be someone you don’t know.

But that usefulness only works in one direction.

As a cybersecurity measure to help you identify callers you do trust, CLI has an extreme false negative problem, meaning that if a call pops up from Dad, or Auntie Gladys, or perhaps more significantly, from Your Bank

…then there’s a significant risk that it’s a scam call that’s deliberately been manipulated to get past your “do I know the caller?” test.

No proof of anything

Simply put: the numbers that show up on your phone before you answer a call only ever suggest who’s calling, and should never be used as “proof” of the caller’s identity.

Indeed, until earlier this week, there was an online crimeware-as-a-service system available via the unapologetically named website ispoof.cc, where would-be vishing (voice phishing) criminals could buy over-the-internet phone services with number spoofing included.

In other words, for a modest initial outlay, scammers who weren’t themselves technical enough to set up their own fraudulent internet telephony servers, but who had the sort of social engineering skills that helped them to charm, or mislead, or intimidate victims over the phone…

…could nevertheless show up on your phone as the tax office, as your bank, as your insurance company, as your ISP, or even as the very telephone company you were buying your own service from.

We wrote “until earlier this week” above because the iSpoof site has now been seized, thanks to a global anti-cybercrime operation involving law enforcement teams in at least ten different countries (Australia, Canada, France, Germany, Ireland, Lithuania, Netherlands, Ukraine, the UK and the USA):

Megabust conducted

Seizing a clearweb domain and taking its offerings offline often isn’t enough on its own, not least because the criminals, if they remain at large, will often still be able to operate on the dark web, where takedowns are much harder due to the difficulty of tracking down where the servers actually are.

Or the crooks will simply pop up again with a new domain, perhaps under a new “brand name”, serviced by an even less scrupulous hosting company.

But in this case, the domain seizure was shortly preceded by a large number of arrests – 142, in fact, according to Europol:

Judicial and law enforcement authorities in Europe, Australia, the United States, Ukraine, and Canada have taken down a website that allowed fraudsters to impersonate trusted corporations or contacts to access sensitive information from victims, a type of cybercrime known as ‘spoofing’. The website is believed to have caused an estimated worldwide loss in excess of £100 million (€115 million).

In a coordinated action led by the United Kingdom and supported by Europol and Eurojust, 142 suspects have been arrested, including the main administrator of the website.

More than 100 of those arrests were in the UK alone, according to London’s Metropolitan Police, with up to 200,000 UK victims getting ripped off for many millions of pounds:

iSpoof allowed users, who paid for the service in Bitcoin, to disguise their phone number so it appeared they were calling from a trusted source. This process is known as ‘spoofing’.

Criminals attempt to trick people into handing over money or providing sensitive information such as one-time passcodes to bank accounts.

The average loss from those who reported being targeted is believed to be £10,000.

In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof, with around 3.5 million of those made in the UK.

Of those, 350,000 calls lasted more than one minute and were made to 200,000 individuals.

According to the BBC, the alleged ringleader was a 34-year-old by the name of Teejai Fletcher, who has been remanded in custody pending a court appearance in Southwark, London, on 2022-12-06.

What to do?

  • TIP 1. Treat caller ID as nothing more than a hint.

The most important thing to remember (and to explain to any friends and family you think might be vulnerable to this sort of scam) is this: THE CALLER’S NUMBER THAT SHOWS UP ON YOUR PHONE BEFORE YOU ANSWER PROVES NOTHING.

Those caller ID numbers are nothing better than a vague hint of the person or the company that seems to be calling you.

When your phone rings and names the call with the words Your Bank's Name Here, remember that the words that pop up come from your own contact list, meaning no more than that the number provided by the caller matches an entry you added to your contacts yourself.

Put another way, the number associated with an incoming call provides no more “proof of identity” than the text in the Subject: line of an email, which contains whatever the sender chose to type in.


  • TIP 2. Always initiate official calls yourself, using a number you can trust.

If you genuinely need to contact an organisation such as your bank by phone, make sure that you initiate the call, and use a number that you worked out for yourself.

For example, look at a recent official bank statement, check the back of your bank card, or even visit a branch and ask a staff member face-to-face for the official number that you should call in future emergencies.


  • TIP 3. Don’t let coincidence convince you a call is genuine.

Never use coincidence as “evidence” that the call must be genuine, such as assuming that the call “must surely” be from the bank simply because you had some annoying trouble with internet banking this very morning, or paid a new supplier for the first time just this afternoon.

Remember that the iSpoof scammers made at least 3,500,000 calls in the UK alone (and 6.5M calls elsewhere) over a 12-month period, with scammers placing an average of one call every three seconds at the most likely times of the day, so coincidences like this aren’t merely possible, they’re as good as inevitable.

These scammers aren’t aiming to scam 3,500,000 people out of £10 each… in fact, it’s much less work for them to scam £10,000 each out of a few thousand people, by getting lucky and making contact with those few thousand people at the very moment when they are at their most vulnerable.


  • TIP 4. Be there for vulnerable friends and family.

Make sure that friends and family whom you think could be vulnerable to being sweet-talked (or browbeaten, confused and intimidated) by scammers, no matter how they’re first contacted, know that they can and should turn to you for advice before agreeing to anything over the phone.

And if anyone asks them to do something that’s clearly an intrusion of their personal digital space, such as installing TeamViewer to let them onto the computer, reading out a secret access code off the screen, or telling them a personal identification number or password…

…make sure they know it’s OK simply to hang up without saying a single word further, and to get in touch with you to check the facts first.


Oh, one more thing: the London cops have said that in the course of this investigation, they acquired a database file (we’re guessing it’s from some sort of call logging system) containing 70,000,000 rows, and that they’ve identified a whopping 59,000 suspects, of whom somewhere north of 100 have already been arrested.

Clearly, those suspects aren’t as anonymous as they might have thought, so the cops are focusing first on “those who have spent at least £100 of Bitcoin to use the site.”

Scammers lower down the pecking order may not be getting a knock on the door just yet, but it might just be a matter of time…


5 Comments

I’m what is referred to as computer illiterate, but I can still pretty much understand the message Paul and John are intending. And for me this is probably one of the rare sites I can enjoy and understand!
Thanks to you both!!!!…………ht

The telcos should be getting a fair share of the blame, for allowing spoofing on their networks.

I think this article is incomplete insofar as the concept of verified caller ID was not mentioned. I know this blog likes to have fun and with acronyms such as STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) there is fun to be had. So when my office phone showed me the caller’s number with a V beside it, I believe it was using this new-ish protocol. But you guys are the experts and one of your explanatory articles for the masses is warranted concerning this promising development in caller ID.

I didn’t mention STIR/SHAKEN (which is supposed to be a bit like HTTPS for websites applied to caller ID) because it still seems very experimental… I have no idea how reliable it is (and how well any reliability survives the transition between various telephone networks).

Stir/Shaken is new but hardly experimental. It has been mandatory for US telcos to use it in their production IP networks since August last year. Yes, it hasn’t reached the average end user yet, and I’m not sure it will; the focus first is on companies that need verified caller ID such as financial institutions.
