One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm.

First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they “lost” their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.

You might be thinking, ‘there is no way I would give out info over the phone’. You might be right but what if the caller-id displayed an internal telephone number or the number to headquarters? Would you be a bit more trusting about what information you would give out?

I have executed successful social engineering schemes completely over the telephone with the help of caller-id manipulation. This is a very important tool to use when working to increase security vigilance within your organization.

This article is a basic primer to introduce you to the basics of caller-id manipulation. Methods for pulling off a successful scheme will be discussed in future articles. Note that there are many ways to skin the proverbial cat and the methods described here are simply ones that work well for me.

Using any version of Apple’s iPhone install an application called iSpoofCard. This software is no longer available on iTunes so you’ll have to search around for it and get creative on how you will install it.

A solid alternative is to use the SpoofCard web application using the simple instructions here: http://www.spoofcard.com/mobile/ispoofcard. Be sure to read all the disclaimers and do your own research relative to state laws – there may be some caveats to consider.

Once the application is installed you’ll have to spend a few bucks to fuel the credits required to use the service (something this good cannot possibly be free). But its very inexpensive to use.

Launch the application and simply choose the number to call and the number to display on the recipients caller-id screen. Click to call and wait for the connection. You are ready to rock and roll.

Some further useful information:

- There is a time delay of about a second when using this service. Talk slow and be patient when waiting for a response.
- Talk loud. Often the recipient will have a bit of trouble hearing you.
- There is a setting to change your voice to be male or female. This does not work that well and the male voice can sound rather computer generated.
- There is a setting to have the entire conversation recorded which is great for training purposes. Just be aware of any state/federal laws governing the legality of recording a phone conversation.

When used correctly, manipulating the caller-id can be an easy way to generate instant trust. Several practice runs are necessary in order to avoid mistakes that will null and void the usefulness of this method.

In the end keep in mind that this type of social engineering is being used by the bad guys every day. It is imperative that organizations consider the bleeding edge of social engineering (emerging methods). Manipulating the caller-id falls squarely into this category.