FireRTC: Call Spoofing

FireRTC is a tool that can be used to spoof any phone number, and dial out to the designated phone number.

Published on Aug 09, 2020

Reading time: 2 minutes.


FireRTC

This tool was likely designed as a tool to prank call your friends and scammers, but it could have great potential in the Enterprise Penetration testing environment.

Configuration

Click on the settings tab, this will allow you to configure the phone number for the test.


The settings tab allows you to edit the caller ID. Whoever you dial out to will see this phone number.


Once you have the tool configured - which is extremely simple, you can begin your social engineering conquest. In the above photo, when you’re in the settings menu, you will click on the “Phone” tab and it will bring you to the dial-out menu.


As you can see, when connected to a call, there is a soundboard menu available as well as the option to record the entire conversation. This observation leads to an assumption that the tool was indeed designed to prank call people.

Enterprise use case:

Obviously, users reading this article are probably more concerned with the Enterprise use case. Well, imagine the following scenario:

You’ve been hired to do a Penetration Test on an Enterprise. During the recon stage of this engagement, you are able to find work numbers for many company employees. Let’s say this list has a couple of C-Level people. It’s likely that you could attempt to spoof one of the C-Level employees to use an Authoritative Social Engineering method to call lower-level security personnel and convince them to make a new admin user account for the domain or provide relevant security information. If the internal phone system has caller ID, and the employee has never talked to this C-Level person, there’s a good possibility that this could be a successful vector of attack.

What about non-security related personnel? In the last six months, there was a news article about a threat actor that used spoofing to convince someone in the financial department to transfer funds to an external bank account.

These stories keep popping up because employees are uneducated and can fall victim to Social Engineering attempts under the right circumstances.

Final Thoughts & Prevention

  1. If you’re an employee, think about the situation - if you haven’t been contacted by this employee before, don’t be afraid to verify their identity with other team members.
  2. Don’t trust caller ID or basic authentication questions. A malicious threat actor might have done their research on the individual.
  3. Offer to call the individual back, if it’s their legitimate work line that’s being spoofed, the phone number will be directed back to the person’s actual phone line. If the individual has no idea what you’re talking about, stay calm and contact your SOC. If you are in the SOC - collaborate with your teammates.
  4. Educate your organization. If they don’t know about these types of attacks, they can easily be the reason you get compromised.