Jump to content


Photo
- - - - -

Tapping a payphone by calling it (concept)


  • Please log in to reply
8 replies to this topic

#1 ansichart

ansichart

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 08 April 2008 - 04:57 PM

I was just thinking about this one day, and I was wondering if there was a name for this. I'm sure this has been done before.

If you call an ACTS payphone that has the ringer disabled, waiting for someone to answer. When someone answers you immediately play the dial-tone sound. The person doesn't know someone was trying to call the payphone (since the ringer is disabled) and is expecting to use the payphone to make a call. So, they dial a number and you play operator telling them that for a limited time only, all calls are free... or some bullshit like that.

Let's say you are using VoIP and you are using the DTMF tones they sent, you call whoever they were wanting to reach and you just act as a proxy. You can hear all of this from your end of course. This might not sound all that bad, but you could also use this to get credit card numbers when John Doe checks his balance on his TCF account.

If you are expecting someone to make a call on an ACTS payphone with a disabled ringer, you could essentially tap it. Of course this isn't really practical, but it's kind of a neat concept. What do you think?

#2 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,201 posts
  • Gender:Male

Posted 08 April 2008 - 11:01 PM

I'm confused, how does VoIP specifically come into the picture? In any event, I see some payphones around here get a fair amount of use, but you'd have to search a while to find an ACTS phone with the ringer off. Most COs just forward the calls to some announcement pretending the phone isn't in service. On top of all that, if you actually ring these phones back using the ringback program on the switch, the ringers will probably end up being active anyway!

#3 Beave

Beave

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 350 posts

Posted 09 April 2008 - 12:54 PM

I'm confused, how does VoIP specifically come into the picture? In any event, I see some payphones around here get a fair amount of use, but you'd have to search a while to find an ACTS phone with the ringer off. Most COs just forward the calls to some announcement pretending the phone isn't in service. On top of all that, if you actually ring these phones back using the ringback program on the switch, the ringers will probably end up being active anyway!


I think what he was saying that with VoIP/Asterisk when the user picks up and dials, have the Asterisk system complete the call. That way, you could record/monitor the traffic. I've seen similar VoIP scams with banks. For example, scammer sets up a 1-800 number into a Asterisk box. They then send out emails with the phone number explaining the mark needs to call in (of course, giving the scammer 1-800 number) and "check there account". When the mark calls the scammers 1-800 number, the system acts as a MITM and transfer the mark to the bank. They then enter there pin number and all that which the scammer can now harvest.

What he's saying is similar to that idea (I believe).

#4 Royal

Royal

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 431 posts
  • Country:
  • Gender:Male
  • Location:Massachusetts

Posted 09 April 2008 - 03:46 PM

That is definitely a plausible concept, although difficult. There are a surprising number of payphones with disabled/broken ringers that can be called repetitively until an answer supervision is detected. One problem you could run into is when a payphone's modem picks up after X amount of rings, in which you'd have to limit the number of rings before a disconnect and redial. There would be a lot of timing and trial and error, but you could theoretically pull it off. Also, it would be more realistic to completely automate the process, because no human can sit in front of their Asterisk box all day and night waiting to intercept a call. You'd need the simulated dialtone to also be waiting for DTMF input for a phone call.

I've been told of an alleged story of how the mafia used to use older hardware to pull off the same stunts for the purpose of acquiring calling card and credit card numbers that payphone users would dial on the payphone they were using. Not sure how true that is, but I found interesting, especially since the mob also used to use Gold Boxes (some referred to them as "Cheese Boxes") back in the day.

#5 Beave

Beave

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 350 posts

Posted 09 April 2008 - 05:38 PM

That is definitely a plausible concept, although difficult. There are a surprising number of payphones with disabled/broken ringers that can be called repetitively until an answer supervision is detected. One problem you could run into is when a payphone's modem picks up after X amount of rings, in which you'd have to limit the number of rings before a disconnect and redial. There would be a lot of timing and trial and error, but you could theoretically pull it off. Also, it would be more realistic to completely automate the process, because no human can sit in front of their Asterisk box all day and night waiting to intercept a call. You'd need the simulated dialtone to also be waiting for DTMF input for a phone call.

I've been told of an alleged story of how the mafia used to use older hardware to pull off the same stunts for the purpose of acquiring calling card and credit card numbers that payphone users would dial on the payphone they were using. Not sure how true that is, but I found interesting, especially since the mob also used to use Gold Boxes (some referred to them as "Cheese Boxes") back in the day.


Yes - automation would be a "must". Off the top of my head, you'd need to drop a outbound call file that'd ring for X number of seconds (before the modem picked up). Upon call supervision (non-modem), the call file would connect it to a extension (in your extensions.conf) and drop the user to DISA. This gives the user the "dial tone" they need. Any of the DMTF passed at that point could be/would be recorded. In conjunction with recording the call (monitor), you'd have to pull out any other DTMF used. Right off, I can't see it being that difficult to rip out such a routine. Of course, you connect the call via VoIP . Rinse, repeat..... multiple calls to the same payphone might raise some flags at the telco... hmmmmm

Another interesting idea you could add in and/or use.. If the call supervises, test for modem V.8 tones. If present, hang up - wait and recall. This way, even if your timing is off about the modem pickup, you'll detect it and handle it properly.

I'm not going to try it....I have no interest in defrauding people or snooping on them.... but it wouldn't be hard. Interesting to think about never the less.

Edited by Beave, 09 April 2008 - 05:42 PM.


#6 dmine45

dmine45

    Mack Daddy 31337

  • Members
  • 224 posts

Posted 09 April 2008 - 06:52 PM

Reminds me of the things I used to do 20 years ago....

Yeah, I'm showing my age, but it was the glory day of pay phones.

Bridging two lines together, or pretended to be the operator when they dialed "0". Yeah, you can figure it out from there! :D

#7 ansichart

ansichart

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 10 April 2008 - 05:55 AM

I think what he was saying that with VoIP/Asterisk when the user picks up and dials, have the Asterisk system complete the call. That way, you could record/monitor the traffic. I've seen similar VoIP scams with banks. For example, scammer sets up a 1-800 number into a Asterisk box. They then send out emails with the phone number explaining the mark needs to call in (of course, giving the scammer 1-800 number) and "check there account". When the mark calls the scammers 1-800 number, the system acts as a MITM and transfer the mark to the bank. They then enter there pin number and all that which the scammer can now harvest.

What he's saying is similar to that idea (I believe).


Yea, that's the general idea.

#8 duper

duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 10 April 2008 - 09:17 AM

Call it a monkey box. i.e. monkey in the middle ;)

#9 spyhunter

spyhunter

    DDP Fan club member

  • Members
  • 42 posts

Posted 12 April 2008 - 08:42 PM

Call it a monkey box. i.e. monkey in the middle ;)


ohhh i like it! we need more boxes.




BinRev is hosted by the great people at Lunarpages!