Spoofing Cellular Service

by Baxlyder

One day while sitting around the house being real bored, I came up with a novel idea.

What if you didn't have to clone cellular phones to phreak from them...  What if you could buy a used phone from say, a pawnshop or something, and within a couple of hours you could be sitting at the mall chatting with your friend in Australia?  Impossible you say?  Guess again...  I know of some instances where this has been done.

Most hackers I have spoken with think the only way to phreak cellular is to clone a phone.  Not true.  The easiest way next to cloning a phone is to spoof the celco.  To do the spoof the first thing you need to know is some history behind this method.

Now I'm sure just about everybody has gone to the Bell, NYNEX, AT&T Wireless, etc. cellular centers and placed calls on the phones in the store on display.  Well, this is a working cellular account that is very vulnerable to spoofing.  Catching on yet?  No?  O.K., since this is a working account, wouldn't one think that you could in theory use this account on any phone if the Electronic Serial Number (ESN) and mobile number matched what was in the account?  Well, there you go.

I know of this being done before.  And, as far as my source in the industry has told me, the culprit has yet to be caught.

Now that you know somewhat what I am getting at, let's get into how it was done and how some celcos have put an end to this method of unauthorized use of the cellular systems.

To do this, you would need some information first off, and that is as follows:

1.)  The cellular number of the demo phone, easily obtained.  Simply turn the phone on, and with most phones, hit RCL #.  Remember this number as it will be the new phone's number.

2.)  The ESN of the demo phone, usually found under the mobile's battery pack on the sticker with the manufacturer's info.

3.)  The store number and address.  It is also a good idea to know the manager's name and the hours of operation.

Now that you are armed with this information, take the ESN off of your phone, and convert it to decimal if it is not already in that form.

Most cities have two celcos.  Call the celco that you intend to spoof, and tell them you are buying a used phone and would like to make sure it is not stolen and that it doesn't have an outstanding bill.  More times than not, the rep will be more than happy to do this for you.  He/she is just helping the customer out.  If the rep says it is on the bad list, more commonly referred to as the "Negative File," ask if it is because of a bill owed.  They will usually tell you if it is.  If the rep says he/she cannot tell you, then the phone is more than likely stolen, and cannot be used for spoofing.  Save it for later cloning and get another phone.

Once you have this information, if the phone is not stolen and doesn't have a bill with that celco, then skip the next step.

If it only has an outstanding bill, then wait about 10 or 15 minutes and call the celco you intend to spoof back, and tell them you are signing up with the other celco, and they said to call y'all and get the phone "cleared."  Most of the time the rep will tell you to hold, then after a minute or two come back and say, "Sir, you shouldn't have any problems hooking your phone up with blah blah celco, I had your phone removed from the negative file" or something to that effect.  If not, raise hell about it and ask to speak to the supervisor.  All you want to do is get legit service with the other celco, and the first celco can't stand in the way of the other's business.

Now the fun part where your social engineering skills come into play.  You can now call the celco up and say you are one of their employees from the phone center you visited, and need blah blah whatever done because your systems are down and you've had a bad day or whatever.

A possible scenario would be something like:

CELCO REP:  "Joe Blow Cellular.  My name is Jomama, may I help you?"

SPOOFER:  "Hi Jomama, this is Phred from the Anytown office.  Our system is down out here, and I need you to pull up mobile number NPA-XXX-XXXX for me."

CELCO REP:  "O.K. Phred, hold on a second while I get into the switch...  O.K., what can I do for you?"

SPOOFER:  "We had a customer's kid drop one of the demo phones and I need to verify ESN on that account.  It should be 12345678901."

CELCO REP:  "Yes Phred, that's correct."

SPOOFER:  "Looks like the kid broke it.  O.K., I'm gonna need you to change that to 12345678902."

CELCO REP:  "O.K. Phred, done.  Can I do anything else for you?"

SPOOFER:  "Nope, that was it.  Thanks, bye."

Don't be afraid to engage in idle chit-chat while the rep is working in the switch.  It makes you seem more believable, plus the rep is less likely to have a chance to question who you claim to be if you keep their mind occupied with other things.

What you have done in the above scenario is call the celco claiming to be one of its technicians, and, as far as the rep knows, you have just replaced a damaged display phone.

The drawback of this method is that once the celco figures out what has happened, your phone is as hot as a stolen phone and is then worthless.  Second, this is considered fraud and is a federal crime.  But it is a cheap, easy method of getting cellular service, without having to buy a lot of expensive equipment to clone phones, which, by the way, is illegal (as if you didn't know).
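An added example, not from the article or any carrier's system, covering two points the text touches: the ESN hex/decimal conversion mentioned earlier, and a defender-side audit check that flags the account change the scenario above depends on (an ESN swap on a store demo account, or one requested by an inbound call). The log records and their field names are constructed assumptions.

```python
import re

# Constructed example, not from the article. An ESN is a 32-bit value written either as
# 8 hex digits or as 11 decimal digits (3-digit manufacturer code 0-255 followed by an
# 8-digit serial 0-16777215); the article's "convert it to decimal" step is this mapping.

def normalize_esn(esn: str) -> int:
    """Return the ESN as a 32-bit integer, whichever textual form it arrives in."""
    s = esn.strip().upper()
    if re.fullmatch(r"[0-9A-F]{8}", s):      # hex form, e.g. 0A1B2C3D
        return int(s, 16)
    if re.fullmatch(r"[0-9]{11}", s):        # decimal form, e.g. 01001780797
        mfr, serial = int(s[:3]), int(s[3:])
        if mfr > 0xFF or serial > 0xFFFFFF:
            raise ValueError(f"decimal ESN out of range: {esn}")
        return (mfr << 24) | serial
    raise ValueError(f"unrecognised ESN format: {esn}")

def esn_to_decimal(value: int) -> str:
    """Render a 32-bit ESN as 11 decimal digits (3-digit manufacturer + 8-digit serial)."""
    return f"{value >> 24:03d}{value & 0xFFFFFF:08d}"

# Constructed account-change records as a carrier audit log might hold them; the field
# names (account_class, channel, caller_claim) are assumptions made for this example.
AUDIT = [
    {"id": 1, "account_class": "subscriber", "change": "ESN", "channel": "store_system",
     "caller_claim": None, "old": "0A1B2C3D", "new": "0A1B2C3E"},
    {"id": 2, "account_class": "demo", "change": "ESN", "channel": "inbound_call",
     "caller_claim": "Anytown office staff", "old": "01001780797", "new": "01001780798"},
    {"id": 3, "account_class": "subscriber", "change": "ESN", "channel": "inbound_call",
     "caller_claim": "dealer", "old": "0B000001", "new": "0B000002"},
]

def flag_suspicious_esn_changes(records):
    """Flag ESN swaps matching the article's pattern: a store demo account re-pointed at a
    new handset, or any ESN swap driven by an inbound call rather than an authenticated system."""
    findings = []
    for r in records:
        if r["change"] != "ESN":
            continue
        reasons = []
        if r["account_class"] == "demo":
            reasons.append("ESN changed on a store demo account")
        if r["channel"] == "inbound_call":
            reasons.append(f"ESN swap requested by phone (caller claimed: {r['caller_claim']})")
        if reasons:   # report both ESNs in the 11-digit decimal form used in the article's call
            old, new = normalize_esn(r["old"]), normalize_esn(r["new"])
            findings.append((r["id"], esn_to_decimal(old), esn_to_decimal(new), reasons))
    return findings
```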
